The main difference between a ClusterSecretStore and a SecretStore is that a ClusterSecretStore is a cluster-wide SecretStore that can be referenced from all namespaces, while a SecretStore is a namespaced SecretStore that can only be referenced from a single namespace.
Another difference is intended use: a ClusterSecretStore is typically used for secrets that are shared across multiple namespaces, such as a database password or an API key, while a SecretStore is used for secrets that belong to a single namespace, such as the database password of one specific application.
Here is a table that summarizes the key differences between ClusterSecretStores and SecretStores:
| Feature | ClusterSecretStore | SecretStore |
|---|---|---|
| Scope | Cluster-wide | Namespaced |
| Use cases | Shared secrets across multiple namespaces | Namespace-specific secrets |
Here are some examples of when you might use a ClusterSecretStore:
- To store a database password that is shared across all of your applications.
- To store an API key that is used by multiple applications.
- To store a certificate that is used by multiple applications.
Here are some examples of when you might use a SecretStore:
- To store a database password for a specific application.
- To store an API key for a specific application.
- To store a certificate for a specific application.
SecretStore:
- `SecretStore` is namespace-scoped. This means a `SecretStore` resource is created within a specific namespace and can only be referenced by `ExternalSecret` resources within the same namespace.
- This allows for more fine-grained access control and isolation between different namespaces, making it suitable for multi-tenant environments where different teams or applications have their own isolated namespaces.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: my-secret-store
  namespace: my-namespace   # namespaced: only ExternalSecrets in my-namespace can reference it
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1       # required by the AWS provider; example value
      # auth omitted: the controller then uses its own pod credentials (e.g. an IAM role)
```
ClusterSecretStore:
- `ClusterSecretStore`, on the other hand, is cluster-scoped. This means it is not confined to a specific namespace and can be referenced by `ExternalSecret` resources across all namespaces in the cluster.
- It is suitable for secrets that are shared and needed by applications residing in different namespaces across the cluster.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: ClusterSecretStore
metadata:
  name: my-cluster-secret-store   # cluster-scoped: no metadata.namespace
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1             # required by the AWS provider; example value
      # auth omitted: the controller then uses its own pod credentials (e.g. an IAM role)
```
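An added example, not from the original post, that shows the two scopes in use: a ClusterSecretStore whose `spec.conditions` limits which namespaces may reference it, and an ExternalSecret that selects the store by `secretStoreRef.kind`. It assumes the `v1beta1` API (where `conditions` is available), and the store, namespace, label and Secrets Manager key names are hypothetical.

```yaml
# Added example (not from the original post). Names and labels are hypothetical.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: shared-aws-store
spec:
  # Without conditions, every namespace in the cluster can read through this
  # store. conditions restrict it to namespaces that carry an opt-in label.
  conditions:
    - namespaceSelector:
        matchLabels:
          shared-secrets: "enabled"   # hypothetical label set by the platform team
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      # auth omitted: the controller uses its own pod credentials (e.g. an IAM role)
---
# ExternalSecret in namespace team-a (which must carry the label above)
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: shared-db-password
  namespace: team-a
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore   # cluster-scoped reference; the default kind is SecretStore,
    name: shared-aws-store     # which would instead require a store inside team-a
  target:
    name: shared-db-password   # Kubernetes Secret created in team-a
  data:
    - secretKey: password
      remoteRef:
        key: prod/shared/db    # hypothetical Secrets Manager secret name
        property: password
```

If a namespace lacks the opt-in label, an ExternalSecret there that references `shared-aws-store` is rejected by the controller, which is the behaviour to check when verifying that a shared store is not readable cluster-wide.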
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO strategies at Wizbrand.
Rajesh Kumar Personal Website