Secrets in Kubernetes are only Base64 encoded, not encrypted. As such, it is trivial for anyone with API access to the Secret objects (anyone whose RBAC role allows `get` on secrets) to decode them and read the secret value.
In Amazon EKS, the managed Kubernetes control plane runs on EC2 instances with EBS volumes that are encrypted at rest, so when your Secrets are written to etcd and persisted to disk they are encrypted at rest. Within the cluster, however, they are still essentially plaintext: anything that can read the Secret object gets the value.
A better way to keep secrets "secret" is to keep them encrypted, preferably under a key you control, until a workload pod actually needs them. To achieve this, store your secrets in either AWS Secrets Manager or SSM Parameter Store (as SecureString parameters) instead of as Kubernetes Secrets inside the EKS cluster.
This article describes how to consume secrets from Secrets Manager & Parameter Store in EKS pods.
How It Works
The Kubernetes community has created a CSI driver to facilitate the use of secrets from external secret stores like AWS Secrets Manager and HashiCorp Vault in Kubernetes pods.
The Secrets Store CSI Driver (secrets-store.csi.k8s.io) allows Kubernetes to mount multiple secrets, keys, and certificates stored in enterprise-grade external secret stores into pods as a volume. The driver itself is store-agnostic; a provider plugin does the actual fetching. On AWS that plugin is the AWS Secrets and Configuration Provider (ASCP), which reads from Secrets Manager and Parameter Store using the IAM role of the pod's service account (IRSA). You describe what to mount in a SecretProviderClass object and reference it from a CSI volume in the pod spec; each object becomes a file under the mount path.
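The following manifests are an added example, not the article's own, showing the three pieces that produce the mount inspected below: a SecretProviderClass for ASCP listing one Secrets Manager secret and one SecureString parameter, a service account tied to an IAM role via IRSA, and a pod that mounts the resulting volume at /mnt/secrets. The object names my-secret and my-parameter, the namespace, the service account name, the image and the role ARN are assumptions chosen to match the file names used in the article.

```yaml
# Added example, not the article's own manifests.
# Assumes: the Secrets Store CSI Driver and the ASCP provider are installed
# in the cluster, a Secrets Manager secret named "my-secret" and a SecureString
# parameter named "my-parameter" exist in the cluster's region, and the IAM role
# arn:aws:iam::123456789012:role/eks-secrets-reader (placeholder) trusts the
# cluster's OIDC provider for this service account (IRSA).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-secrets
  namespace: default
spec:
  provider: aws
  parameters:
    # Each entry becomes a file under the mount path, named after objectName
    # (or objectAlias, if you set one).
    objects: |
      - objectName: "my-secret"
        objectType: "secretsmanager"
      - objectName: "my-parameter"
        objectType: "ssmparameter"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secrets-reader
  namespace: default
  annotations:
    # IRSA: pods using this service account get web-identity credentials for
    # this role. Its policy, not the node's instance role, is what ASCP uses.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eks-secrets-reader
---
apiVersion: v1
kind: Pod
metadata:
  name: secrets-demo
  namespace: default
spec:
  serviceAccountName: secrets-reader
  containers:
    - name: app
      image: public.ecr.aws/amazonlinux/amazonlinux:2
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-secrets
```

After applying the three manifests, `kubectl exec -it secrets-demo -- ls /mnt/secrets` should list my-secret and my-parameter; the values are fetched at pod start, so a missing or misnamed object or a denied API call shows up as the pod stuck in ContainerCreating with the error in `kubectl describe pod`. The role needs secretsmanager:GetSecretValue and secretsmanager:DescribeSecret on the secret, ssm:GetParameters on the parameter, and kms:Decrypt on the key if either is encrypted with a customer managed CMK. Two caveats: the mounted files live on a tmpfs readable by every process in the pod, so anyone who can `kubectl exec` into it still reads the secrets; and if you also enable the driver's secretObjects sync to mirror values into Kubernetes Secrets, those copies are back to Base64 in etcd. Older driver releases used apiVersion secrets-store.csi.x-k8s.io/v1alpha1 for the SecretProviderClass.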
# cd /mnt/secrets/
# cat my-secret
# cat my-parameter
So there you go: secrets and parameters right in your pods. You can encrypt the secrets and parameters with your own KMS CMKs, and as long as the IAM role the pod assumes has the right permissions (read access to the specific secret or parameter plus kms:Decrypt on the key), the driver can fetch them into your workload pods without the values ever being stored as Kubernetes Secrets.
Additionally, if you use the secret rotation feature of AWS Secrets Manager, you can configure the ASCP to reconcile rotated secrets with your pods periodically; this is enabled at the driver level (the `--enable-secret-rotation` flag, with `--rotation-poll-interval` controlling how often it polls) rather than per SecretProviderClass. See the resources below for more details. Note that this feature is currently in alpha.
Check out the following resources to learn more about secrets in Kubernetes: