top | item 30772525

notwedtm|4 years ago

I think K8S secrets get a bad wrap. They are not intended to be secret in the sense that they are "kept from prying eyes by default". The secret object is simply a first-class citizen that differentiates it from a ConfigMap in a way that allows distinct ACLs.

Most organizations I know will still use something like ExternalSecret for source control and then populate the Secret with the values once in cluster and to an object with very few access points.

gscho|4 years ago

I think calling it a secret when it isn’t gave it a bad wrap. The last time I looked at the documentation it didn’t even clearly describe that it is not a secure object (that may have changed recently). Why call it a secret when it is not even close to one? I guess thing-to-store-secrets-if-you-use-rbac was too long.

Nullabillity|4 years ago

If you don't use RBAC (or some other ACL mechanism) then it's already game over, everyone with access to your cluster already has full root access.

threeseed|4 years ago

But it can be a secret. You can store Base64-encoded, encrypted data.

And you can encode it for example using an external KMS.
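An added illustration (not from any commenter) of the two points made above: the Secret's `data` is only base64-encoded, so anyone permitted to read the object recovers the plaintext, and what actually separates a Secret from a ConfigMap is the RBAC rule that gates that read. The manifest and both Roles are constructed sample objects; the rule matcher is a simplified model of RBAC that ignores `resourceNames` and subresources.

```python
import base64
from typing import Iterable

# Constructed Secret object, in the shape `kubectl get secret -o json` returns.
# The values are base64 text, which is what the API server stores and serves.
SECRET_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "prod"},
    "type": "Opaque",
    "data": {
        "username": "YXBwLXVzZXI=",      # base64("app-user")
        "password": "cy9wM3JzM2NyM3Q=",  # base64("s/p3rs3cr3t")
    },
}

# Constructed Roles: one that lumps configmaps and secrets together,
# and one narrowed to configmaps only (the "distinct ACL" the thread describes).
BROAD_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list"]},
]}
NARROW_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
]}


def decode_secret(manifest: dict) -> dict:
    """base64 is encoding, not encryption: decoding needs no key at all."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


def rule_allows(rule: dict, verb: str, resource: str, api_group: str = "") -> bool:
    """Simplified RBAC rule match: each list must contain the value or the '*' wildcard."""
    def matches(allowed: Iterable[str], value: str) -> bool:
        return "*" in allowed or value in allowed

    return (matches(rule.get("apiGroups", []), api_group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))


def role_allows(role: dict, verb: str, resource: str, api_group: str = "") -> bool:
    """A Role grants an action if any one of its rules matches (rules are purely additive)."""
    return any(rule_allows(r, verb, resource, api_group) for r in role.get("rules", []))


if __name__ == "__main__":
    print(decode_secret(SECRET_MANIFEST))
    for name, role in (("broad", BROAD_ROLE), ("narrow", NARROW_ROLE)):
        print(name, "get secrets:", role_allows(role, "get", "secrets"))
```

On a live cluster the same question is answered by `kubectl auth can-i get secrets --namespace prod`; a Role that grants `get` on secrets (even without `list`) exposes the decoded values to whoever is bound to it.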

jhugo|4 years ago

I think you're looking for "bad rap" (as in "rap sheet"). A bad wrap is an unappetising tortilla.

morelisp|4 years ago

If it's only base64 and not encrypted, that also seems like a bad wrap.

kitsune_cw|4 years ago

I've always seen it written as "bad rep" as in reputation.