Kubernetes Secrets Integration
Kubernetes provides more sophisticated secrets management than Docker Swarm, with support for multiple secret types and fine-grained access control. Kubernetes Secrets integrate with ServiceAccounts and RBAC for authorization. However, by default Kubernetes Secrets are only base64-encoded, not encrypted (base64 is an encoding, not a protection), so production deployments need additional security measures.
Securing Kubernetes Secrets starts with enabling encryption at rest, so that etcd, the cluster store, never holds plaintext secret values. Sealed Secrets or similar tools enable GitOps workflows by encrypting secrets before they are committed to version control. Pod Security Policies restrict secret access based on namespace and labels. Audit logging records who read or modified each secret, which is what compliance reviews and security monitoring need.
```yaml
# Example: Kubernetes secrets with encryption and RBAC
# Enable encryption at rest in kube-apiserver
# (passed via --encryption-provider-config)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider is used for writes; all listed providers are tried on reads.
      - aescbc:
          keys:
            - name: key1
              # Must be a base64-encoded 32-byte key. kube-apiserver does not
              # expand shell variables, so substitute this before loading the file.
              secret: ${ENCRYPTION_KEY}
      # identity (plaintext) stays last so secrets written before encryption
      # was enabled can still be read until they are re-encrypted.
      - identity: {}
---
# Create namespace with security labels
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    security: restricted
    compliance: pci-dss
---
# ServiceAccount with minimal permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp-sa
  namespace: production
# Do not inject a long-lived API token into every pod using this account.
automountServiceAccountToken: false
---
# Role for secret access
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: webapp-secrets-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # Only these two Secrets may be read. Keep the verb to "get": "list" and
    # "watch" cannot be narrowed by resourceNames and would expose the namespace.
    resourceNames: ["webapp-db-creds", "webapp-api-keys"]
    verbs: ["get"]
---
# RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp-secrets-binding
  namespace: production
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: webapp-secrets-reader
subjects:
  - kind: ServiceAccount
    name: webapp-sa
    namespace: production
---
# External Secrets Operator store for HashiCorp Vault integration
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: production
spec:
  provider:
    vault:
      server: "https://vault.company.com:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "webapp-role"
          # The operator requests a short-lived token for this ServiceAccount
          # and presents it to Vault's Kubernetes auth method.
          serviceAccountRef:
            name: "webapp-sa"
---
# External secret definition
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: webapp-secrets
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: webapp-secrets
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # Rendered from the fetched keys below into a single connection string.
        database-url: "postgresql://{{ .username }}:{{ .password }}@postgres:5432/webapp"
  data:
    - secretKey: username
      remoteRef:
        key: webapp/database
        property: username
    - secretKey: password
      remoteRef:
        key: webapp/database
        property: password
```
Kubernetes ServiceAccounts provide the identity against which secret access is authorized. Each application should run under its own ServiceAccount with only the permissions it needs. Token rotation limits how long a compromised token remains useful, and projected service account tokens provide time-bound, audience-scoped access. Pod Security Standards enforce ServiceAccount usage policies across namespaces.
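The Role above grants only `get` on two named Secrets; the following is an added example (not part of the original page or of any Kubernetes project) that audits Role and ClusterRole manifests, represented as Python dicts, against that least-privilege pattern. The policy rules it encodes and the two sample manifests are this example's own constructions.

```python
"""Audit Kubernetes RBAC rules for over-broad access to Secrets."""
from typing import Dict, List

CORE_GROUPS = {"", "*"}            # core/v1 is the empty group
SECRET_RESOURCES = {"secrets", "*"}
READ_ALL_VERBS = {"list", "watch", "*"}


def audit_secret_rules(role: Dict) -> List[str]:
    """Return least-privilege findings for one Role or ClusterRole dict.

    Policy (this example's own, not a Kubernetes default):
    - Secret access should be namespaced: a ClusterRole is flagged.
    - 'list', 'watch' and '*' return every Secret in scope because
      resourceNames cannot narrow them, so they are flagged.
    - 'get' without resourceNames lets the subject read any Secret by name.
    """
    findings: List[str] = []
    kind = role.get("kind", "Role")
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        if not (groups & CORE_GROUPS and resources & SECRET_RESOURCES):
            continue  # this rule does not touch core/v1 Secrets
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames", [])
        if kind == "ClusterRole":
            findings.append(f"{name}: grants Secret access cluster-wide")
        broad = verbs & READ_ALL_VERBS
        if broad:
            findings.append(f"{name}: verbs {sorted(broad)} read every Secret in scope")
        if "get" in verbs and not names:
            findings.append(f"{name}: 'get' on secrets without resourceNames")
    return findings


# Constructed sample: mirrors the page's webapp-secrets-reader Role (should pass).
WEBAPP_ROLE = {
    "kind": "Role", "metadata": {"name": "webapp-secrets-reader", "namespace": "production"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "resourceNames": ["webapp-db-creds", "webapp-api-keys"], "verbs": ["get"]}],
}

# Constructed sample: a common over-broad grant (should produce two findings).
BROAD_ROLE = {
    "kind": "Role", "metadata": {"name": "debug-secrets", "namespace": "production"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}

if __name__ == "__main__":
    for manifest in (WEBAPP_ROLE, BROAD_ROLE):
        print(manifest["metadata"]["name"], audit_secret_rules(manifest) or ["ok"])
```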