Secrets Management - Skill Check
Mental model (bottom-up)
K8s Secrets are base64-encoded, not encrypted. Real secrets management encrypts secrets before they enter Git or the cluster, treats an external store as the source of truth, and rotates credentials automatically.
Visual stack
[External Store ] Vault / AWS Secrets Manager / GCP Secret Manager
|
[Sync Controller ] ESO / Vault Agent / Sealed Secrets controller
|
[K8s Secret ] standard Secret object, auto-refreshed
|
[Pod ] mounts secret as volume or env var
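As an added example (not part of this page), a minimal External Secrets Operator manifest that wires up the stack above: a SecretStore that authenticates to AWS Secrets Manager through the service account's IRSA identity (no static cloud keys), and an ExternalSecret that keeps a standard Kubernetes Secret refreshed from it. All names, the region and the remote key path are assumed values.

```yaml
# External store + sync controller layers of the stack above.
# Assumed values: namespace "app", SA "eso-sa", region, key path.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: app
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          # Service account annotated with an IAM role (IRSA);
          # ESO exchanges its projected token for AWS credentials.
          serviceAccountRef:
            name: eso-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: app
spec:
  # Re-read the external store on this interval; a value rotated
  # in Secrets Manager lands in the K8s Secret without a Git change.
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    # The plain K8s Secret that pods mount; owned and rewritten by ESO.
    name: db-credentials
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        key: prod/app/db        # assumed Secrets Manager secret name
        property: username      # JSON field inside that secret
    - secretKey: password
      remoteRef:
        key: prod/app/db
        property: password
```

Pods still consume a regular Secret, so a rolling restart (or a reloader) is what picks up the refreshed value.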
Glossary
- Sealed Secrets - encrypts with cluster public key; safe to commit to Git
- SOPS - encrypts values in YAML/JSON files with KMS/age/PGP
- ESO - External Secrets Operator; syncs secrets from external stores to K8s
- Vault - HashiCorp's secret store; dynamic secrets, PKI, encryption-as-a-service
- IRSA / Workload Identity - K8s SA -> cloud IAM role without static credentials
- encryption at rest - encrypting etcd data on disk via EncryptionConfiguration
Core questions (easy -> hard)
- Why are K8s Secrets not secure?
  - Base64-encoded, not encrypted. Anyone with RBAC get-secret can decode.
- Sealed Secrets vs SOPS vs ESO?
  - Sealed: encrypt in Git. SOPS: encrypt files. ESO: sync from external store.
- How does Vault Kubernetes auth work?
  - Pod's SA token sent to Vault, validated against K8s API, returns Vault token.
- How do you rotate secrets without downtime?
  - Update in external store, ESO syncs, rolling restart pods. Or use Reloader.
- What do you do if a secret is committed to Git?
  - Rotate immediately. Clean Git history. Add pre-commit hooks.
- What are dynamic secrets?
  - Vault generates short-lived credentials per consumer. Auto-revoked on TTL.