Should We Rely Solely on Vault Instead of Kubernetes Secrets?

Asked By TechieTurtle92 On

Our cloud architect wants to delete all Kubernetes Secrets from our cluster and depend entirely on Vault, utilizing Vault Agent or BankVaults to retrieve them. They believe that Kubernetes Secrets are not secure and that having both would just replicate information and diminish the advantages of using Vault. While I agree about the redundancy, we've successfully removed Secrets for our internal applications with the help of the development team. However, we're facing challenges with third-party components, as many Helm charts and operators depend solely on Kubernetes Secrets, making them tough to eliminate completely. I'm aware of ESO, which has its perks, but it still creates Kubernetes Secrets, which defeats our goal. Although I'm on board with using Vault, I'm not convinced that Kubernetes Secrets need to be completely phased out. What are your thoughts on this? Should we stick with ESO for what we can't migrate? Is there something I'm missing? Thanks for your input!

3 Answers

Answered By DevGuru43 On

I see why you're hesitant about completely ditching Kubernetes Secrets. Many open-source tools were built with these secrets in mind, making it hard to let them go. It's more practical to utilize both, especially if you're dealing with third-party services. A hybrid approach might actually give you the reliability and security you need without over-relying on one system.

SecuritySavant54 -

Exactly! Balance is key in this situation, especially with legacy dependencies.

Answered By CloudWanderer76 On

I really recommend exploring the security of your setup first. Believe it or not, Kubernetes Secrets can be stored in base64 by default, so there's definitely a risk involved. Using a tool like the Vault/Vault Secrets Operator allows you to manage secrets more securely, especially if you're also looking to avoid injecting them directly into runtime environments where they can be exposed more easily. Just be careful with the management overhead it introduces!

FixItFelix01 -

Yeah, I'm always looking for safer approaches to handling secrets, so definitely keeping an eye on how to manage that interaction with the pods.

RandomCoder88 -

Good points on the security aspects. Definitely something to consider as we talk about the migration.

Answered By SecureNinja99 On

I'd seriously consider the implications of relying solely on one service for your secrets. Yes, Vault offers great benefits, but Kubernetes Secrets, when used properly, are not terrible. They can be encrypted and kept safe with excellent RBAC policies in place. It's about how you configure them and manage access—and that's key in a multi-cloud environment!

LostInCloud84 -

Right, access controls can make a significant difference.

DevOpsDreamer77 -

Totally, security's more of a people issue than solely a tech challenge.
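The answer above from SecureNinja99 rests on RBAC deciding who can read the Secrets that third-party charts still create. As an added example (not part of the thread), this Python audit lists which subjects are bound to roles that allow reading Secrets; every object name and namespace in the sample is constructed.

```python
import json

READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample, shaped like items from `kubectl get ... -o json`.
SAMPLE = json.loads("""[
 {"kind":"ClusterRole","metadata":{"name":"chart-operator"},
  "rules":[{"apiGroups":[""],"resources":["*"],"verbs":["get","list","watch"]}]},
 {"kind":"Role","metadata":{"name":"app-config","namespace":"payments"},
  "rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["get"],
            "resourceNames":["db-creds"]}]},
 {"kind":"Role","metadata":{"name":"pod-viewer","namespace":"payments"},
  "rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"chart-operator"},
  "roleRef":{"kind":"ClusterRole","name":"chart-operator"},
  "subjects":[{"kind":"ServiceAccount","name":"operator","namespace":"ops"}]},
 {"kind":"RoleBinding","metadata":{"name":"app-config","namespace":"payments"},
  "roleRef":{"kind":"Role","name":"app-config"},
  "subjects":[{"kind":"ServiceAccount","name":"api","namespace":"payments"}]},
 {"kind":"RoleBinding","metadata":{"name":"viewers","namespace":"payments"},
  "roleRef":{"kind":"Role","name":"pod-viewer"},"subjects":[{"kind":"Group","name":"devs"}]}
]""")

def rule_scope(rule):
    """Return 'all', 'named' or None: how widely one RBAC rule lets Secrets be read."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return None  # Secrets live in the core ("") API group
    if not {"secrets", "*"} & set(rule.get("resources", [])):
        return None  # a "*" resource wildcard silently includes Secrets
    if not READ_VERBS & set(rule.get("verbs", [])):
        return None
    return "named" if rule.get("resourceNames") else "all"

def secret_readers(objects):
    """List (subject, where, scope) for every subject bound to a Secret-reading role."""
    roles = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            scopes = {rule_scope(r) for r in o.get("rules", [])} - {None}
            if scopes:
                key = (o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"])
                roles[key] = "all" if "all" in scopes else "named"
    found = set()
    for o in (x for x in objects if x["kind"].endswith("Binding")):
        ns, ref = o["metadata"].get("namespace", ""), o["roleRef"]
        scope = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
        for s in o.get("subjects", []) if scope else []:
            found.add((f'{s["kind"]}/{s["name"]}', ns or "<cluster-wide>", scope))
    return sorted(found)
```

To run it against a real cluster, pass the `items` list from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` to `secret_readers`.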
