Secrets are [[K8S Object]]s which are used to store sensitive information you can't otherwise put into a Pod spec or a K8S ConfigMap.
Secrets are very similar to ConfigMaps, the biggest difference being that they are designed to be used for confidential data.
A Secret can come in one of several types, depending on its usage and the type of data it holds (e.g. Opaque, docker config, basic auth, ssh auth...).
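The following is an added example (not part of this note or of the Kubernetes project) that builds Secret manifests the way `kubectl create secret` shapes them, checks the data keys the built-in types require, and decodes the values again to make the point that `data` is only base64-encoded, not encrypted. The secret names, namespaces and values are constructed for the example.

```python
import base64
import json

# Data keys each built-in Secret type requires (per the Kubernetes docs).
# Opaque accepts arbitrary keys, so it has no required set.
REQUIRED_KEYS = {
    "Opaque": set(),
    "kubernetes.io/basic-auth": {"username", "password"},
    "kubernetes.io/ssh-auth": {"ssh-privatekey"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
}


def b64(value: str) -> str:
    """Encode a string the way the API expects values in `data` (base64, no encryption)."""
    return base64.b64encode(value.encode()).decode()


def build_secret(name: str, namespace: str, secret_type: str, data: dict) -> dict:
    """Return a Secret manifest (as a dict) with every value base64-encoded into `data`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": {key: b64(value) for key, value in data.items()},
    }


def validate_secret(manifest: dict) -> list:
    """Return a list of problems: an unknown type, or required keys missing for the type."""
    problems = []
    secret_type = manifest.get("type", "Opaque")
    if secret_type not in REQUIRED_KEYS:
        problems.append(f"unknown secret type {secret_type!r}")
        return problems
    missing = REQUIRED_KEYS[secret_type] - set(manifest.get("data", {}))
    for key in sorted(missing):
        problems.append(f"type {secret_type} requires data key {key!r}")
    return problems


def reveal(manifest: dict) -> dict:
    """Decode every value in `data`: anyone who can read the object can read the plaintext."""
    return {key: base64.b64decode(value).decode() for key, value in manifest["data"].items()}


if __name__ == "__main__":
    # Constructed sample: a basic-auth Secret and a docker-registry Secret.
    creds = build_secret("db-creds", "dev", "kubernetes.io/basic-auth",
                         {"username": "app", "password": "s3cr3t-constructed"})
    registry = build_secret("regcred", "dev", "kubernetes.io/dockerconfigjson",
                            {".dockerconfigjson": json.dumps({"auths": {"registry.example": {"auth": b64("user:pass")}}})})
    for secret in (creds, registry):
        print(secret["metadata"]["name"], validate_secret(secret) or "ok", reveal(secret))
```

Run it to see that `validate_secret` flags a basic-auth Secret missing its `password` key, and that `reveal` returns the original values from any Secret object, which is why read access to the object (or to etcd) is equivalent to holding the secret.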
Secrets are stored unencrypted in [[etcd cluster]] by default - See [[K8S Encryption]]. Anyone who can create a pod in a namespace can read secrets in that namespace - you need to configure K8S RBAC rules to counter this.
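Added example (not from this note or from Kubernetes) of the reasoning behind that last point: a small evaluator over constructed Role rules and RoleBindings that reports not only who can read Secret objects directly, but also who reaches the same data indirectly because they can create pods in the namespace. The roles, bindings and subject names are constructed; cluster-scoped bindings, role aggregation and other indirect paths (pod exec, logs) are deliberately not modelled, which is an assumption of the example.

```python
# Constructed Role rules, keyed by (namespace, role name) and shaped like RBAC PolicyRules.
ROLES = {
    ("dev", "pod-deployer"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get", "list"]},
    ],
    ("dev", "config-reader"): [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
    ],
    ("dev", "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
    ("dev", "namespace-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# Constructed RoleBindings: which subjects hold which role in which namespace.
BINDINGS = [
    {"namespace": "dev", "role": "pod-deployer", "subjects": ["alice"]},
    {"namespace": "dev", "role": "config-reader", "subjects": ["bob"]},
    {"namespace": "dev", "role": "secret-reader", "subjects": ["carol"]},
    {"namespace": "dev", "role": "namespace-admin", "subjects": ["dave"]},
]

DIRECT = "direct: can read Secret objects via the API"
INDIRECT = "indirect: can create pods, which may mount any Secret in the namespace"


def _rule_matches(rule: dict, group: str, resource: str, verb: str) -> bool:
    """A PolicyRule matches when group, resource and verb are each listed or wildcarded."""
    return (("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def allowed(subject: str, namespace: str, group: str, resource: str, verb: str,
            roles=ROLES, bindings=BINDINGS) -> bool:
    """RBAC is allow-only: the request is permitted if any bound rule matches it."""
    for binding in bindings:
        if binding["namespace"] != namespace or subject not in binding["subjects"]:
            continue
        for rule in roles.get((namespace, binding["role"]), []):
            if _rule_matches(rule, group, resource, verb):
                return True
    return False


def secret_access(subject: str, namespace: str, roles=ROLES, bindings=BINDINGS) -> list:
    """List the ways a subject can reach Secret contents in a namespace."""
    paths = []
    if any(allowed(subject, namespace, "", "secrets", verb, roles, bindings)
           for verb in ("get", "list", "watch")):
        paths.append(DIRECT)
    # Creating a pod lets the creator mount any Secret in the namespace into it,
    # so `create pods` is effectively read access to every Secret there.
    if allowed(subject, namespace, "", "pods", "create", roles, bindings):
        paths.append(INDIRECT)
    return paths


def audit(namespace: str, roles=ROLES, bindings=BINDINGS) -> dict:
    """Map every subject bound in the namespace to its secret-access paths (possibly none)."""
    subjects = sorted({s for b in bindings if b["namespace"] == namespace for s in b["subjects"]})
    return {s: secret_access(s, namespace, roles, bindings) for s in subjects}


if __name__ == "__main__":
    for subject, paths in audit("dev").items():
        print(subject, "->", paths or ["no access to secrets"])
```

The point the evaluator makes is that `alice` never appears in a rule mentioning `secrets`, yet `create pods` gives her the same reach as `carol`'s explicit `get secrets`; an RBAC review that only greps for the `secrets` resource misses that path.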
Status: #💡
References:
- https://kubernetes.io/docs/concepts/configuration/secret/