Is SOPS a Secure Solution for Managing Secrets in EKS with ConfigMaps?

Asked By CuriousCoder92 On

I'm currently in charge of handling our Kubernetes ConfigMaps that hold secrets for various environments. Higher management has opted against using any cloud provider's secret management tools or third-party solutions due to cost concerns, insisting on a fully cloud-agnostic approach. We've briefly discussed alternatives like HashiCorp Vault and OpenBao, but those would require significant time and maintenance, which is tricky since I'm the only Platform Engineer at this startup.

I've worked with HashiCorp Vault, ExternalSecrets, and AWS Secrets Manager previously, and I really want to persuade my team to adopt an easier option. I've been looking into using Bitnami Sealed Secrets with SOPS to encrypt the secrets stored in our ConfigMaps. My main question is: Is using SOPS for encrypting and decrypting secrets on our EKS clusters sufficient for security? I understand that ConfigMaps aren't encrypted at rest like Secrets are, so I'm unsure if this approach is secure enough given our design constraints. I can confirm that access to the cluster is well-secured, preventing developers from accessing ConfigMaps directly, but I want to get a sense of whether this method is adequate.

5 Answers

Answered By TechWhiz42 On

While SOPS can be a decent solution, investing some time to set up HashiCorp Vault might be more beneficial in the long run. With SOPS, you'll need to manage separate keys for each environment and team, along with handling key rotations. Vault streamlines a lot of these tasks, so it might pay off to set it up right from the start.

Answered By SecureDev101 On

If you're looking for something more reliable and automated, Sealed Secrets is generally considered a better option than SOPS. It's user-friendly, and you can leverage automated actions easily. However, if you see a need for features like auditing or sharing secrets between namespaces, then going with Vault is a better call.

Answered By DataGuardians On

I've successfully implemented Sealed Secrets on EKS for some time now. Just keep in mind two key points: the encryption key secret rotates automatically every month, and backup strategies are vital since the user experience around secrets encryption can be a bit clunky without the right tools.

Answered By KubeNinja88 On

Have you thought about combining SOPS with a Key Management Service (KMS)? If your higher-ups can be persuaded regarding costs, this might resolve some key management issues without too much hassle.

Answered By CloudEnthusiast5 On

I’m not super familiar with EKS, but Kubernetes generally allows you to configure encryption at rest for your resources. Using SOPS with encrypted files in your repository can work well as Flux can handle decryption during deployment.
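As an added illustration (not from any answer above), this is what the "SOPS-encrypted files in Git, Flux decrypts on deploy" setup that CloudEnthusiast5 describes looks like in configuration. The repository path, ConfigMap contents, Secret name and age recipient are placeholders I assumed; the important check for the original question is the `encrypted_regex`: only `data`/`stringData` values are encrypted, so key names, labels and the rest of the manifest stay readable to anyone with repository access.

```yaml
# .sops.yaml at the repository root (assumed location). Only the data and
# stringData fields of manifests under clusters/prod are encrypted; key names,
# metadata and labels remain plaintext in Git, so never put a secret there.
creation_rules:
  - path_regex: ^clusters/prod/.*\.ya?ml$
    encrypted_regex: ^(data|stringData)$
    # Placeholder age recipient. A cloud-backed key would go under `kms:` with
    # its key ARN instead, if one is approved later.
    age: age1PLACEHOLDER_RECIPIENT_PUBLIC_KEY
---
# clusters/prod/app-config.yaml as committed, after `sops --encrypt --in-place`.
# The ENC[...] envelope and age stanza are illustrative, not real ciphertext;
# sops also writes mac, lastmodified and version fields, omitted here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config        # visible in Git
  namespace: app
data:
  DATABASE_URL: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
  age:
    - recipient: age1PLACEHOLDER_RECIPIENT_PUBLIC_KEY
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        PLACEHOLDER
        -----END AGE ENCRYPTED FILE-----
  encrypted_regex: ^(data|stringData)$
---
# Flux Kustomization that decrypts at apply time. The age private key lives
# only in the cluster, in Secret sops-age (key age.agekey) in flux-system,
# so RBAC on that Secret and on the resulting ConfigMap is the real boundary.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app-config
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/prod
  prune: true
  sourceRef:
    kind: GitRepository
    name: app-repo        # assumed GitRepository source name
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```

Once applied, the ConfigMap in the cluster holds the decrypted value, so this protects the value in Git and in transit to the cluster, not in etcd or from anyone who can read ConfigMaps in that namespace.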
