{"id":77367,"date":"2026-07-04T03:20:48","date_gmt":"2026-07-04T03:20:48","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=77367"},"modified":"2026-07-04T03:20:51","modified_gmt":"2026-07-04T03:20:51","slug":"kubernetes-configmap-vs-secret-updated-reference-for-kubernetes","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/kubernetes-configmap-vs-secret-updated-reference-for-kubernetes\/","title":{"rendered":"Kubernetes ConfigMap vs Secret \u2014 Updated Reference for Kubernetes"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">As of <strong>July 4, 2026<\/strong>, the current stable upstream Kubernetes line is <strong>Kubernetes v1.36<\/strong>, with <strong>v1.36.2 released on June 9, 2026<\/strong>. Kubernetes v1.37 is in release-cycle\/pre-release status, not the stable baseline yet. Kubernetes currently maintains the latest three minor release branches: <strong>1.36, 1.35, and 1.34<\/strong>. (<a href=\"https:\/\/kubernetes.io\/releases\/1.36\/?utm_source=chatgpt.com\">Kubernetes<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
ConfigMap vs Secret \u2014 First Compare<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Area<\/th><th>ConfigMap<\/th><th>Secret<\/th><\/tr><\/thead><tbody><tr><td>Main purpose<\/td><td>Store <strong>non-sensitive configuration<\/strong><\/td><td>Store <strong>sensitive configuration<\/strong><\/td><\/tr><tr><td>Examples<\/td><td>App mode, log level, feature flags, URLs, config files<\/td><td>Passwords, API keys, tokens, TLS certs, registry credentials<\/td><\/tr><tr><td>Kubernetes object kind<\/td><td><code>ConfigMap<\/code><\/td><td><code>Secret<\/code><\/td><\/tr><tr><td>Namespace scoped?<\/td><td>Yes<\/td><td>Yes<\/td><\/tr><tr><td>Stored under<\/td><td><code>data<\/code> and optional <code>binaryData<\/code><\/td><td><code>data<\/code> and optional <code>stringData<\/code><\/td><\/tr><tr><td>Encoding behavior<\/td><td><code>data<\/code> is plain UTF-8 text; <code>binaryData<\/code> is base64<\/td><td><code>data<\/code> must be base64-encoded; <code>stringData<\/code> accepts plain text and Kubernetes converts it<\/td><\/tr><tr><td>Is base64 encryption?<\/td><td>No<\/td><td>No<\/td><\/tr><tr><td>Encrypted by default in upstream Kubernetes?<\/td><td>No, unless API data encryption is configured<\/td><td>No, unless API data encryption is configured<\/td><\/tr><tr><td>Best for Git?<\/td><td>Usually safe if no secrets<\/td><td>Unsafe unless encrypted with SOPS, Sealed Secrets, Vault, External Secrets, etc.<\/td><\/tr><tr><td>Access control<\/td><td>RBAC<\/td><td>RBAC, but must be stricter<\/td><\/tr><tr><td>Can be consumed as env vars?<\/td><td>Yes<\/td><td>Yes<\/td><\/tr><tr><td>Can be mounted as files?<\/td><td>Yes<\/td><td>Yes<\/td><\/tr><tr><td>Immutable support<\/td><td>Yes, using <code>immutable: true<\/code><\/td><td>Yes, using <code>immutable: true<\/code><\/td><\/tr><tr><td>Maximum object size<\/td><td>Should stay small; practical limit around Kubernetes object size<\/td><td>Same; Secrets are intended for small 
sensitive values<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A <strong>ConfigMap<\/strong> stores configuration for applications and has <code>data<\/code> for UTF-8 strings and <code>binaryData<\/code> for base64-encoded binary data. A <strong>Secret<\/strong> is meant for confidential data; values in the <code>data<\/code> field must be base64-encoded, while <code>stringData<\/code> lets you submit plain strings that the API server converts into <code>data<\/code>. (<a href=\"https:\/\/kubernetes.io\/docs\/concepts\/configuration\/configmap\/?utm_source=chatgpt.com\">Kubernetes<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The biggest trap: <strong>Kubernetes Secret base64 is not encryption<\/strong>. Anyone who can run <code>kubectl get secret<\/code> can decode it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">2. Hands-on: Prove ConfigMap Is Plain and Secret Is Encoded<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Create a test namespace:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">kubectl create <span class=\"hljs-keyword\">namespace<\/span> <span class=\"hljs-title\">cm<\/span>-<span class=\"hljs-title\">secret<\/span>-<span class=\"hljs-title\">lab<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2.1 Create a ConfigMap<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" 
data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab create configmap app-config \\\n  --<span class=\"hljs-keyword\">from<\/span>-literal=APP_MODE=prod \\\n  --<span class=\"hljs-keyword\">from<\/span>-literal=LOG_LEVEL=debug \\\n  --<span class=\"hljs-keyword\">from<\/span>-literal=DB_HOST=mysql.dev.svc.cluster.local\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">View it:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab <span class=\"hljs-keyword\">get<\/span> configmap app-config -o yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Expected output style:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">apiVersion<\/span>: <span class=\"hljs-selector-tag\">v1<\/span>\n<span class=\"hljs-selector-tag\">kind<\/span>: <span class=\"hljs-selector-tag\">ConfigMap<\/span>\n<span class=\"hljs-selector-tag\">metadata<\/span>:\n  <span 
class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">app-config<\/span>\n  <span class=\"hljs-selector-tag\">namespace<\/span>: <span class=\"hljs-selector-tag\">cm-secret-lab<\/span>\n<span class=\"hljs-selector-tag\">data<\/span>:\n  <span class=\"hljs-selector-tag\">APP_MODE<\/span>: <span class=\"hljs-selector-tag\">prod<\/span>\n  <span class=\"hljs-selector-tag\">DB_HOST<\/span>: <span class=\"hljs-selector-tag\">mysql<\/span><span class=\"hljs-selector-class\">.dev<\/span><span class=\"hljs-selector-class\">.svc<\/span><span class=\"hljs-selector-class\">.cluster<\/span><span class=\"hljs-selector-class\">.local<\/span>\n  <span class=\"hljs-selector-tag\">LOG_LEVEL<\/span>: <span class=\"hljs-selector-tag\">debug<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Notice: values are <strong>plain text<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can also print one value:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">kubectl -n cm-secret-lab get configmap app-config \\\n  -o jsonpath=<span class=\"hljs-string\">'{.data.DB_HOST}'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\" 
aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">mysql<\/span><span class=\"hljs-selector-class\">.dev<\/span><span class=\"hljs-selector-class\">.svc<\/span><span class=\"hljs-selector-class\">.cluster<\/span><span class=\"hljs-selector-class\">.local<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2.2 Create a Secret<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab create secret generic app-secret \\\n  --<span class=\"hljs-keyword\">from<\/span>-literal=DB_PASSWORD=<span class=\"hljs-string\">'P@ssw0rd!'<\/span> \\\n  --<span class=\"hljs-keyword\">from<\/span>-literal=API_KEY=<span class=\"hljs-string\">'abc123'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">View it:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-8\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab <span class=\"hljs-keyword\">get<\/span> 
secret app-secret -o yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-8\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Expected output style:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-9\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: app-secret\n  <span class=\"hljs-keyword\">namespace<\/span>: <span class=\"hljs-title\">cm<\/span>-<span class=\"hljs-title\">secret<\/span>-<span class=\"hljs-title\">lab<\/span>\n<span class=\"hljs-title\">type<\/span>: <span class=\"hljs-title\">Opaque<\/span>\n<span class=\"hljs-title\">data<\/span>:\n  <span class=\"hljs-title\">API_KEY<\/span>: <span class=\"hljs-title\">YWJjMTIz<\/span>\n  <span class=\"hljs-title\">DB_PASSWORD<\/span>: <span class=\"hljs-title\">UEBzc3cwcmQh<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-9\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Here:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-10\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">abc123<\/span>     <span class=\"hljs-selector-tag\">-<\/span>&gt; <span class=\"hljs-selector-tag\">YWJjMTIz<\/span>\n<span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>! 
-&gt; UEBzc3cwcmQh\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-10\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">That is <strong>base64 encoding<\/strong>, not encryption.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2.3 Compare Side by Side<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-11\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"===== ConfigMap =====\"<\/span>\nkubectl -n cm-secret-lab get configmap app-config -o yaml\n\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"===== Secret =====\"<\/span>\nkubectl -n cm-secret-lab get secret app-secret -o yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-11\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">You will see:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-12\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># ConfigMap<\/span>\ndata:\n  APP_MODE: prod\n  LOG_LEVEL: debug\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-12\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span 
class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">But Secret shows:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-13\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># Secret<\/span>\ndata:\n  API_KEY: YWJjMTIz\n  DB_PASSWORD: UEBzc3cwcmQh\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-13\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">3. Secret Encoding Mechanism<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Kubernetes Secrets have two common input styles.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3.1 <code>data<\/code>: You provide base64 yourself<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: manual-secret\ntype: Opaque\ndata:\n  username: YWRtaW4=\n  password: UEBzc3cwcmQh\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Decode mentally:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">YWRtaW4=       -&gt; admin\nUEBzc3cwcmQh   -&gt; P@ssw0rd!\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Apply:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-14\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">kubectl<\/span> <span class=\"hljs-selector-tag\">apply<\/span> <span class=\"hljs-selector-tag\">-f<\/span> <span class=\"hljs-selector-tag\">manual-secret<\/span><span 
class=\"hljs-selector-class\">.yaml<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-14\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3.2 <code>stringData<\/code>: You provide plain text, Kubernetes converts it<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-15\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">apiVersion<\/span>: <span class=\"hljs-selector-tag\">v1<\/span>\n<span class=\"hljs-selector-tag\">kind<\/span>: <span class=\"hljs-selector-tag\">Secret<\/span>\n<span class=\"hljs-selector-tag\">metadata<\/span>:\n  <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">stringdata-secret<\/span>\n<span class=\"hljs-selector-tag\">type<\/span>: <span class=\"hljs-selector-tag\">Opaque<\/span>\n<span class=\"hljs-selector-tag\">stringData<\/span>:\n  <span class=\"hljs-selector-tag\">username<\/span>: <span class=\"hljs-selector-tag\">admin<\/span>\n  <span class=\"hljs-selector-tag\">password<\/span>: <span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>!\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-15\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Apply it:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-16\" data-shcb-language-name=\"CSS\" 
data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">kubectl<\/span> <span class=\"hljs-selector-tag\">-n<\/span> <span class=\"hljs-selector-tag\">cm-secret-lab<\/span> <span class=\"hljs-selector-tag\">apply<\/span> <span class=\"hljs-selector-tag\">-f<\/span> <span class=\"hljs-selector-tag\">stringdata-secret<\/span><span class=\"hljs-selector-class\">.yaml<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-16\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Now view it:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-17\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab <span class=\"hljs-keyword\">get<\/span> secret stringdata-secret -o yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-17\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">You will see <code>data<\/code>, not <code>stringData<\/code>:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">data:\n  password: UEBzc3cwcmQh\n  username: YWRtaW4=\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\"><code>stringData<\/code> is only a convenience input field. The Kubernetes API stores the result in <code>data<\/code>, and <code>data<\/code> values are base64-encoded strings. 
(<a href=\"https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/?utm_source=chatgpt.com\">Kubernetes<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">4. How to Decode Kubernetes Secrets<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">4.1 Decode one key<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-18\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">kubectl -n cm-secret-lab get secret app-secret \\\n  -o jsonpath=<span class=\"hljs-string\">'{.data.DB_PASSWORD}'<\/span> | base64 --decode\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-18\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-19\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>!\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-19\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">On some systems, use:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-20\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">kubectl -n cm-secret-lab get secret app-secret \\\n  -o jsonpath=<span 
class=\"hljs-string\">'{.data.DB_PASSWORD}'<\/span> | base64 -d\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-20\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4.2 Decode API key<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-21\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">kubectl -n cm-secret-lab get secret app-secret \\\n  -o jsonpath=<span class=\"hljs-string\">'{.data.API_KEY}'<\/span> | base64 --decode\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-21\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">abc123\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4.3 Decode all keys using <code>jq<\/code><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-22\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab <span class=\"hljs-keyword\">get<\/span> secret app-secret -o json \\\n  | jq -r '.data | map_values(@base64d)'\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-22\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> 
<span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-23\" data-shcb-language-name=\"JSON \/ JSON with Comments\" data-shcb-language-slug=\"json\"><span><code class=\"hljs language-json\">{\n  <span class=\"hljs-attr\">\"API_KEY\"<\/span>: <span class=\"hljs-string\">\"abc123\"<\/span>,\n  <span class=\"hljs-attr\">\"DB_PASSWORD\"<\/span>: <span class=\"hljs-string\">\"P@ssw0rd!\"<\/span>\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-23\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JSON \/ JSON with Comments<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">json<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4.4 Decode all secrets in a namespace \u2014 audit style<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Careful: this prints sensitive values.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-24\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">kubectl -n cm-secret-lab get secrets -o json \\\n  | jq -r <span class=\"hljs-string\">'.items&#91;] | \n    \"SECRET: \\(.metadata.name)\\n\" +\n    (.data \/\/ {} | to_entries&#91;]? 
| \"\\(.key)=\\(.value | @base64d)\") +\n    \"\\n\"'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-24\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4.5 Decode manually<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-25\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">'UEBzc3cwcmQh'<\/span> | base64 --decode\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-25\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-26\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>!\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-26\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4.6 Decode in PowerShell<\/h2>\n\n\n<pre class=\"wp-block-code\" 
aria-describedby=\"shcb-language-27\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-attr\">&#91;System.Text.Encoding]<\/span><span class=\"hljs-selector-pseudo\">::UTF8.GetString(<\/span>\n  <span class=\"hljs-selector-attr\">&#91;System.Convert]<\/span><span class=\"hljs-selector-pseudo\">::FromBase64String(\"UEBzc3cwcmQh\")<\/span>\n)\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-27\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-28\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>!\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-28\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">5. 
Consuming ConfigMap and Secret in a Pod<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">5.1 Use both as environment variables<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-29\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">apiVersion<\/span>: <span class=\"hljs-selector-tag\">v1<\/span>\n<span class=\"hljs-selector-tag\">kind<\/span>: <span class=\"hljs-selector-tag\">Pod<\/span>\n<span class=\"hljs-selector-tag\">metadata<\/span>:\n  <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">cm-secret-env-demo<\/span>\n  <span class=\"hljs-selector-tag\">namespace<\/span>: <span class=\"hljs-selector-tag\">cm-secret-lab<\/span>\n<span class=\"hljs-selector-tag\">spec<\/span>:\n  <span class=\"hljs-selector-tag\">containers<\/span>:\n    <span class=\"hljs-selector-tag\">-<\/span> <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">demo<\/span>\n      <span class=\"hljs-selector-tag\">image<\/span>: <span class=\"hljs-selector-tag\">busybox<\/span><span class=\"hljs-selector-pseudo\">:1.36<\/span>\n      <span class=\"hljs-selector-tag\">command<\/span>: <span class=\"hljs-selector-attr\">&#91;<span class=\"hljs-string\">\"sh\"<\/span>, <span class=\"hljs-string\">\"-c\"<\/span>, <span class=\"hljs-string\">\"env | sort &amp;&amp; sleep 3600\"<\/span>]<\/span>\n      <span class=\"hljs-selector-tag\">env<\/span>:\n        <span class=\"hljs-selector-tag\">-<\/span> <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">APP_MODE<\/span>\n          <span class=\"hljs-selector-tag\">valueFrom<\/span>:\n            <span class=\"hljs-selector-tag\">configMapKeyRef<\/span>:\n              <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">app-config<\/span>\n              <span class=\"hljs-selector-tag\">key<\/span>: <span 
class=\"hljs-selector-tag\">APP_MODE<\/span>\n        <span class=\"hljs-selector-tag\">-<\/span> <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">DB_PASSWORD<\/span>\n          <span class=\"hljs-selector-tag\">valueFrom<\/span>:\n            <span class=\"hljs-selector-tag\">secretKeyRef<\/span>:\n              <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">app-secret<\/span>\n              <span class=\"hljs-selector-tag\">key<\/span>: <span class=\"hljs-selector-tag\">DB_PASSWORD<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-29\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Apply:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-30\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">kubectl<\/span> <span class=\"hljs-selector-tag\">apply<\/span> <span class=\"hljs-selector-tag\">-f<\/span> <span class=\"hljs-selector-tag\">pod-env<\/span><span class=\"hljs-selector-class\">.yaml<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-30\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Check env:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-31\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab logs 
cm-secret-env-demo | grep -E <span class=\"hljs-string\">'APP_MODE|DB_PASSWORD'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-31\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">APP_MODE=prod\nDB_PASSWORD=P@ssw0rd!\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Inside the Pod, Kubernetes gives the application the decoded value.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5.2 Mount both as files<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-32\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">apiVersion: v1\n<span class=\"hljs-attr\">kind<\/span>: Pod\n<span class=\"hljs-attr\">metadata<\/span>:\n  name: cm-secret-volume-demo\n  <span class=\"hljs-attr\">namespace<\/span>: cm-secret-lab\n<span class=\"hljs-attr\">spec<\/span>:\n  containers:\n    - name: demo\n      <span class=\"hljs-attr\">image<\/span>: busybox:<span class=\"hljs-number\">1.36<\/span>\n      <span class=\"hljs-attr\">command<\/span>: &#91;<span class=\"hljs-string\">\"sh\"<\/span>, <span class=\"hljs-string\">\"-c\"<\/span>, <span class=\"hljs-string\">\"ls -R \/etc\/app-config \/etc\/app-secret &amp;&amp; sleep 3600\"<\/span>]\n      <span class=\"hljs-attr\">volumeMounts<\/span>:\n        - name: config-volume\n          <span class=\"hljs-attr\">mountPath<\/span>: <span class=\"hljs-regexp\">\/etc\/<\/span>app-config\n          <span class=\"hljs-attr\">readOnly<\/span>: <span class=\"hljs-literal\">true<\/span>\n        - name: secret-volume\n   
       <span class=\"hljs-attr\">mountPath<\/span>: <span class=\"hljs-regexp\">\/etc\/<\/span>app-secret\n          <span class=\"hljs-attr\">readOnly<\/span>: <span class=\"hljs-literal\">true<\/span>\n  <span class=\"hljs-attr\">volumes<\/span>:\n    - name: config-volume\n      <span class=\"hljs-attr\">configMap<\/span>:\n        name: app-config\n    - name: secret-volume\n      <span class=\"hljs-attr\">secret<\/span>:\n        secretName: app-secret\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-32\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Apply:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-33\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">kubectl<\/span> <span class=\"hljs-selector-tag\">apply<\/span> <span class=\"hljs-selector-tag\">-f<\/span> <span class=\"hljs-selector-tag\">pod-volume<\/span><span class=\"hljs-selector-class\">.yaml<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-33\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Read mounted values:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">kubectl -n cm-secret-lab exec cm-secret-volume-demo -- cat \/etc\/app-config\/APP_MODE\nkubectl -n cm-secret-lab exec cm-secret-volume-demo -- cat \/etc\/app-secret\/DB_PASSWORD\n<\/code><\/span><\/pre>\n\n\n<p 
class=\"wp-block-paragraph\">Output:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-34\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">prod<\/span>\n<span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>!\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-34\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">For sensitive values, volume mounts are often better than environment variables because env vars can leak through process dumps, debug output, accidental logs, and application diagnostics.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">6. 
Secret Types<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Common Kubernetes Secret types:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Type<\/th><th>Use<\/th><\/tr><\/thead><tbody><tr><td><code>Opaque<\/code><\/td><td>Generic key-value secrets<\/td><\/tr><tr><td><code>kubernetes.io\/tls<\/code><\/td><td>TLS certificate and private key<\/td><\/tr><tr><td><code>kubernetes.io\/dockerconfigjson<\/code><\/td><td>Private container registry credentials<\/td><\/tr><tr><td><code>kubernetes.io\/basic-auth<\/code><\/td><td>Username\/password<\/td><\/tr><tr><td><code>kubernetes.io\/ssh-auth<\/code><\/td><td>SSH private key<\/td><\/tr><tr><td><code>kubernetes.io\/service-account-token<\/code><\/td><td>Legacy service account token Secret<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Example TLS Secret:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">kubectl -n cm-secret-lab create secret tls my-tls-secret \\\n  --cert=tls.crt \\\n  --key=tls.key\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example Docker registry Secret:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">kubectl -n cm-secret-lab create secret docker-registry regcred \\\n  --docker-server=index.docker.io \\\n  --docker-username=myuser \\\n  --docker-password=mypassword \\\n  --docker-email=myemail@example.com\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">7. Important Security Reality<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">7.1 Base64 is not encryption<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-35\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>! 
-&gt; UEBzc3cwcmQh\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-35\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">is reversible without any key:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-36\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">'UEBzc3cwcmQh'<\/span> | base64 -d\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-36\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">So Kubernetes Secret gives you:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">API object separation + RBAC + special handling\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">It does <strong>not automatically give you cryptographic protection<\/strong> in a self-managed upstream cluster unless you configure encryption at rest.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7.2 Anyone with <code>get secret<\/code> can decode it<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This RBAC permission is dangerous:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-37\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">resources<\/span>: <span class=\"hljs-selector-attr\">&#91;<span 
class=\"hljs-string\">\"secrets\"<\/span>]<\/span>\n<span class=\"hljs-selector-tag\">verbs<\/span>: <span class=\"hljs-selector-attr\">&#91;<span class=\"hljs-string\">\"get\"<\/span>, <span class=\"hljs-string\">\"list\"<\/span>, <span class=\"hljs-string\">\"watch\"<\/span>]<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-37\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">A user with <code>get secrets<\/code> can do:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-38\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl <span class=\"hljs-keyword\">get<\/span> secret app-secret -o yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-38\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Then decode the values.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For production, give <code>get secrets<\/code> only to tightly controlled service accounts, operators, and administrators.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">8. Kubernetes Native Encryption at Rest<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Kubernetes supports encryption of API resource data before it is stored in etcd. This is different from base64 encoding. 
Native encryption protects stored API data such as Secrets in etcd; it does not encrypt files mounted into containers or data inside application volumes. (<a href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/encrypt-data\/?utm_source=chatgpt.com\">Kubernetes<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Kubernetes supports KMS provider-based encryption. In Kubernetes 1.36, <strong>KMS v2<\/strong> is the recommended approach where feasible; <strong>KMS v1 has been deprecated since Kubernetes 1.28 and disabled by default since Kubernetes 1.29<\/strong>. (<a href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/kms-provider\/?utm_source=chatgpt.com\">Kubernetes<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8.1 Self-managed cluster: basic encryption with <code>aescbc<\/code><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Generate a 32-byte key:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">head -c 32 \/dev\/urandom | base64\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example output:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">qAj0N9HjJxWkKpE4Vg1u7W8dKJmYj9w2vN0bQ9xJx2A=\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Create an encryption config file on every control-plane node:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">apiVersion: apiserver.config.k8s.io\/v1\nkind: EncryptionConfiguration\nresources:\n  - resources:\n      - secrets\n    providers:\n      - aescbc:\n          keys:\n            - name: key1\n              secret: qAj0N9HjJxWkKpE4Vg1u7W8dKJmYj9w2vN0bQ9xJx2A=\n      - identity: {}\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Save as:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">\/etc\/kubernetes\/encryption-config.yaml\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Then configure the API server 
with:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-39\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">--encryption-provider-config=<span class=\"hljs-regexp\">\/etc\/<\/span>kubernetes\/encryption-config.yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-39\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">For kubeadm-style static Pods, this usually means editing:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">\/etc\/kubernetes\/manifests\/kube-apiserver.yaml\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Add the flag to the kube-apiserver container command arguments:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-40\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">- --encryption-provider-config=<span class=\"hljs-regexp\">\/etc\/<\/span>kubernetes\/encryption-config.yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-40\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">And mount the config file into the static Pod, so the API server can read it from the host:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-41\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">volumeMounts:\n  - name: encryption-config\n    <span class=\"hljs-attr\">mountPath<\/span>: <span 
class=\"hljs-regexp\">\/etc\/<\/span>kubernetes\/encryption-config.yaml\n    <span class=\"hljs-attr\">readOnly<\/span>: <span class=\"hljs-literal\">true<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-41\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-42\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">volumes:\n  - name: encryption-config\n    <span class=\"hljs-attr\">hostPath<\/span>:\n      path: <span class=\"hljs-regexp\">\/etc\/<\/span>kubernetes\/encryption-config.yaml\n      <span class=\"hljs-attr\">type<\/span>: File\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-42\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">After the API server restarts, new Secrets are encrypted before being written to etcd.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8.2 Re-encrypt existing Secrets<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After enabling encryption, existing Secrets are not always rewritten automatically in self-managed clusters. 
Force rewrite:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-43\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl <span class=\"hljs-keyword\">get<\/span> secrets --all-namespaces -o json | kubectl replace -f -\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-43\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">For ConfigMaps too, if you configured encryption for ConfigMaps:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-44\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl <span class=\"hljs-keyword\">get<\/span> configmaps --all-namespaces -o json | kubectl replace -f -\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-44\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8.3 Decryption with native Kubernetes encryption<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Normally, you do <strong>not<\/strong> manually decrypt etcd values. 
The flow is:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-45\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Client -&gt; kube-apiserver -&gt; decrypts <span class=\"hljs-keyword\">from<\/span> etcd -&gt; returns normal Kubernetes API object\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-45\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">So this still works:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-46\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl <span class=\"hljs-keyword\">get<\/span> secret app-secret -o yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-46\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">The API server decrypts the stored data, then returns the Kubernetes Secret object with base64-encoded <code>data<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For disaster recovery, you must keep the encryption config or KMS key available. If you lose the encryption key, encrypted etcd data may become unrecoverable.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">9. 
External Encrypt \/ Decrypt Options<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">For production, you normally combine multiple layers:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Git encryption + Kubernetes RBAC + etcd encryption + cloud KMS + runtime secret delivery\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">9.1 SOPS \u2014 best for GitOps encrypted YAML<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">SOPS encrypts YAML, JSON, ENV, INI, and binary files and supports AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. It keeps the file structure visible while encrypting sensitive values. (<a href=\"https:\/\/github.com\/getsops\/sops?utm_source=chatgpt.com\">GitHub<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install tools<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">brew install sops age\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Generate age key:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-47\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">age-keygen<\/span> <span class=\"hljs-selector-tag\">-o<\/span> <span class=\"hljs-selector-tag\">age<\/span><span class=\"hljs-selector-class\">.key<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-47\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Show public recipient:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-48\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">grep<\/span> <span class=\"hljs-selector-tag\">public<\/span> <span 
class=\"hljs-selector-tag\">age<\/span><span class=\"hljs-selector-class\">.key<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-48\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-49\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># public key: age1abcxyz...<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-49\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Create <code>.sops.yaml<\/code>:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">creation_rules:\n  - path_regex: .*secret.*\\.yaml$\n    age: age1abcxyz...\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Create Secret manifest:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-50\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">apiVersion<\/span>: <span class=\"hljs-selector-tag\">v1<\/span>\n<span class=\"hljs-selector-tag\">kind<\/span>: <span class=\"hljs-selector-tag\">Secret<\/span>\n<span class=\"hljs-selector-tag\">metadata<\/span>:\n  <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">app-secret<\/span>\n  <span class=\"hljs-selector-tag\">namespace<\/span>: <span 
class=\"hljs-selector-tag\">cm-secret-lab<\/span>\n<span class=\"hljs-selector-tag\">type<\/span>: <span class=\"hljs-selector-tag\">Opaque<\/span>\n<span class=\"hljs-selector-tag\">stringData<\/span>:\n  <span class=\"hljs-selector-tag\">DB_PASSWORD<\/span>: <span class=\"hljs-selector-tag\">P<\/span><span class=\"hljs-keyword\">@ssw0rd<\/span>!\n  API_<span class=\"hljs-attribute\">KEY:<\/span> abc123\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-50\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Encrypt:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-51\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">sops<\/span> <span class=\"hljs-selector-tag\">--encrypt<\/span> <span class=\"hljs-selector-tag\">app-secret<\/span><span class=\"hljs-selector-class\">.yaml<\/span> &gt; <span class=\"hljs-selector-tag\">app-secret<\/span><span class=\"hljs-selector-class\">.enc<\/span><span class=\"hljs-selector-class\">.yaml<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-51\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Decrypt:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">SOPS_AGE_KEY_FILE=age.key sops --decrypt app-secret.enc.yaml\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Apply without saving decrypted file:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code 
class=\"hljs\">SOPS_AGE_KEY_FILE=age.key sops --decrypt app-secret.enc.yaml | kubectl apply -f -\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Good for:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">GitOps + Argo CD + Flux + CI\/CD\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Risk:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">CI\/CD runner needs decrypt permission.\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9.2 Sealed Secrets \u2014 encrypt Secret for one cluster<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Bitnami Sealed Secrets lets you encrypt a Kubernetes Secret into a <code>SealedSecret<\/code>; only the controller running in the target cluster can decrypt it. It is designed for safely storing encrypted Secrets in Git. (<a href=\"https:\/\/github.com\/bitnami\/sealed-secrets?utm_source=chatgpt.com\">GitHub<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Install controller:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-52\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">helm repo add sealed-secrets https:<span class=\"hljs-comment\">\/\/bitnami-labs.github.io\/sealed-secrets<\/span>\nhelm repo update\n\nhelm install sealed-secrets sealed-secrets\/sealed-secrets \\\n  -n kube-system\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-52\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Create a normal Secret manifest locally, then seal it:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-53\" 
data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl -n cm-secret-lab create secret generic app-secret \\\n  --<span class=\"hljs-keyword\">from<\/span>-literal=DB_PASSWORD=<span class=\"hljs-string\">'P@ssw0rd!'<\/span> \\\n  --dry-run=client \\\n  -o yaml \\\n  | kubeseal --format yaml &gt; app-secret-sealed.yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-53\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Apply sealed secret:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-54\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">kubectl<\/span> <span class=\"hljs-selector-tag\">apply<\/span> <span class=\"hljs-selector-tag\">-f<\/span> <span class=\"hljs-selector-tag\">app-secret-sealed<\/span><span class=\"hljs-selector-class\">.yaml<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-54\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">The cluster controller decrypts it and creates a normal Kubernetes Secret.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Good for:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">GitOps where encrypted Secret is bound to a cluster.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Risk:<\/p>\n\n\n<pre class=\"wp-block-code\" 
aria-describedby=\"shcb-language-55\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-keyword\">If<\/span> controller <span class=\"hljs-keyword\">private<\/span> key is lost, old SealedSecrets cannot be decrypted.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-55\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9.3 External Secrets Operator \u2014 sync from real secret managers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">External Secrets Operator synchronizes secrets from external secret systems such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, and Azure Key Vault into Kubernetes Secrets. 
(<a href=\"https:\/\/external-secrets.io\/?utm_source=chatgpt.com\">External Secrets<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Install:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-56\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">helm repo add external-secrets https:<span class=\"hljs-comment\">\/\/charts.external-secrets.io<\/span>\nhelm repo update\n\nhelm install external-secrets external-secrets\/external-secrets \\\n  -n external-secrets \\\n  --create-namespace \\\n  --<span class=\"hljs-keyword\">set<\/span> installCRDs=true\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-56\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example <code>ExternalSecret<\/code>:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-57\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">apiVersion: external-secrets.io\/v1\nkind: ExternalSecret\nmetadata:\n  name: app-secret\n  <span class=\"hljs-keyword\">namespace<\/span>: <span class=\"hljs-title\">cm<\/span>-<span class=\"hljs-title\">secret<\/span>-<span class=\"hljs-title\">lab<\/span>\n<span class=\"hljs-title\">spec<\/span>:\n  <span class=\"hljs-title\">refreshInterval<\/span>: 1<span class=\"hljs-title\">h<\/span>\n  <span class=\"hljs-title\">secretStoreRef<\/span>:\n    <span class=\"hljs-title\">name<\/span>: <span class=\"hljs-title\">cloud<\/span>-<span class=\"hljs-title\">secret<\/span>-<span class=\"hljs-title\">store<\/span>\n    <span class=\"hljs-title\">kind<\/span>: <span class=\"hljs-title\">SecretStore<\/span>\n  <span 
class=\"hljs-title\">target<\/span>:\n    <span class=\"hljs-title\">name<\/span>: <span class=\"hljs-title\">app<\/span>-<span class=\"hljs-title\">secret<\/span>\n    <span class=\"hljs-title\">creationPolicy<\/span>: <span class=\"hljs-title\">Owner<\/span>\n  <span class=\"hljs-title\">data<\/span>:\n    - <span class=\"hljs-title\">secretKey<\/span>: <span class=\"hljs-title\">DB_PASSWORD<\/span>\n      <span class=\"hljs-title\">remoteRef<\/span>:\n        <span class=\"hljs-title\">key<\/span>: <span class=\"hljs-title\">prod<\/span>\/<span class=\"hljs-title\">app<\/span>\/<span class=\"hljs-title\">db<\/span>\n        <span class=\"hljs-title\">property<\/span>: <span class=\"hljs-title\">password<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-57\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Good for:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Central secret manager + rotation + audit + multi-cluster usage\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Risk:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-58\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">By <span class=\"hljs-keyword\">default<\/span>, it still creates a native Kubernetes Secret unless you design otherwise.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-58\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9.4 Secrets Store CSI Driver \u2014 mount external secrets as files<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Secrets Store CSI Driver lets Kubernetes mount secrets, keys, and certificates from enterprise secret stores into Pods as volumes. Once attached, the secret data is mounted into the container filesystem. (<a href=\"https:\/\/secrets-store-csi-driver.sigs.k8s.io\/?utm_source=chatgpt.com\">Secrets Store CSI Driver<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Typical pattern:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">External Secret Store -&gt; CSI Driver -&gt; Pod volume\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example Pod volume shape:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-59\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">volumes<\/span>:\n  <span class=\"hljs-selector-tag\">-<\/span> <span class=\"hljs-selector-tag\">name<\/span>: <span class=\"hljs-selector-tag\">secrets-store-inline<\/span>\n    <span class=\"hljs-selector-tag\">csi<\/span>:\n      <span class=\"hljs-selector-tag\">driver<\/span>: <span class=\"hljs-selector-tag\">secrets-store<\/span><span class=\"hljs-selector-class\">.csi<\/span><span class=\"hljs-selector-class\">.k8s<\/span><span class=\"hljs-selector-class\">.io<\/span>\n      <span class=\"hljs-selector-tag\">readOnly<\/span>: <span class=\"hljs-selector-tag\">true<\/span>\n      <span class=\"hljs-selector-tag\">volumeAttributes<\/span>:\n        <span class=\"hljs-selector-tag\">secretProviderClass<\/span>: <span class=\"hljs-selector-tag\">app-secret-provider<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-59\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span 
class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Good for:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Avoiding persistent Kubernetes Secret objects.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Risk:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-60\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Application must read secrets <span class=\"hljs-keyword\">from<\/span> files, not env vars.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-60\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9.5 HashiCorp Vault Agent Injector<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Vault Agent Injector is a Kubernetes admission webhook that injects Vault Agent containers into Pods so workloads can consume Vault secrets. It commonly authenticates using the Pod\u2019s Kubernetes service account. 
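The 9.4 risk above (the application must read secrets from files, not environment variables) has a second half the page does not spell out: a mounted secret can change underneath a running process, so the application has to notice rotation and re-read the file, and it must never read a half-written value. The Python below is an added example, not code from this page, from the Secrets Store CSI Driver or from Vault. It uses a temporary directory in place of the volume mount, and `write_secret_atomically` stands in for the driver's rotation; the example assumes the driver swaps a new file into place (new inode) rather than rewriting in place, which is how kubelet's Secret volumes behave.

```python
import os
import tempfile


class MountedSecret:
    """One secret file from a Secrets Store CSI (or native Secret) volume.

    The file is re-read only when it has been replaced. The cache key includes
    the inode because rotation swaps a new file in, and because mtime
    granularity on some filesystems is too coarse to tell two quick
    rotations apart.
    """

    def __init__(self, path):
        self.path = path
        self.reads = 0          # how many times the file was actually read
        self._stamp = None
        self._value = None

    def value(self):
        # A missing file raises FileNotFoundError: fail closed rather than
        # falling back to a default or an empty password.
        st = os.stat(self.path)
        stamp = (st.st_ino, st.st_mtime_ns, st.st_size)
        if stamp != self._stamp:
            with open(self.path, "rb") as f:
                raw = f.read()
            # Values exported from secret managers often carry a trailing
            # newline; strip line endings only, other whitespace may be real.
            self._value = raw.decode("utf-8").rstrip("\r\n")
            self._stamp = stamp
            self.reads += 1
        return self._value


def write_secret_atomically(path, value):
    """Stand-in for the driver's rotation (assumption of this example):
    write a temp file, then rename it over the old one so a reader never
    sees a partially written value."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "wb") as f:
        f.write(value.encode("utf-8"))
    os.chmod(tmp, 0o400)
    os.replace(tmp, path)


def demo():
    """Returns (value before rotation, value after rotation, file reads)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db-password")       # constructed sample mount
        write_secret_atomically(path, "first-password\n")
        secret = MountedSecret(path)
        before = secret.value()
        write_secret_atomically(path, "rotated-password\n")
        after = secret.value()
        secret.value()                       # unchanged file: served from cache
        return before, after, secret.reads


if __name__ == "__main__":
    print(demo())
```

Re-reading the file is only half of rotation: a connection pool that authenticated with the old value keeps working until the old credential is revoked, so the application also needs a re-authentication path. An environment variable would never pick up the rotated value at all, which is the other reason 9.4 recommends files.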
(<a href=\"https:\/\/developer.hashicorp.com\/vault\/docs\/deploy\/kubernetes\/injector?utm_source=chatgpt.com\">HashiCorp Developer<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example annotation style:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-61\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">metadata:\n  annotations:\n    vault.hashicorp.com\/agent-inject: <span class=\"hljs-string\">\"true\"<\/span>\n    vault.hashicorp.com\/role: <span class=\"hljs-string\">\"myapp\"<\/span>\n    vault.hashicorp.com\/agent-inject-secret-db-password: <span class=\"hljs-string\">\"secret\/data\/prod\/db\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-61\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Good for:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Dynamic credentials, short-lived database passwords, strict audit.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Risk:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Needs Vault availability and correct auth\/policy design.\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">10. 
Cloud Provider Improvements<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Modern managed Kubernetes platforms improve Secrets in four major ways:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-62\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\"><span class=\"hljs-number\">1.<\/span> Managed control-plane encryption\n<span class=\"hljs-number\">2.<\/span> Cloud KMS integration\n<span class=\"hljs-number\">3.<\/span> Cloud-native secret stores\n<span class=\"hljs-number\">4.<\/span> Workload identity \/ IAM-based access instead <span class=\"hljs-keyword\">of<\/span> <span class=\"hljs-keyword\">static<\/span> credentials\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-62\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">11. EKS \u2014 Amazon Elastic Kubernetes Service<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">11.1 EKS secret encryption status<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Amazon EKS now uses <strong>KMS v2 default envelope encryption for all Kubernetes API data<\/strong> in managed control planes for clusters running Kubernetes <strong>1.28 or higher<\/strong>. For EKS clusters running Kubernetes <strong>1.27 or lower<\/strong>, the older procedure to enable Secrets encryption with AWS KMS applies. (<a href=\"https:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/envelope-encryption.html?utm_source=chatgpt.com\">AWS Documentation<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">AWS recommends using AWS KMS for envelope encryption of Kubernetes Secrets. 
In that model, a data encryption key encrypts the data, and the data encryption key is encrypted by a key encryption key in AWS KMS. (<a href=\"https:\/\/docs.aws.amazon.com\/eks\/latest\/best-practices\/data-encryption-and-secrets-management.html?utm_source=chatgpt.com\">AWS Documentation<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11.2 EKS old clusters: enable KMS encryption<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For EKS Kubernetes 1.27 or lower:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-63\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">aws eks associate-encryption-config \\\n  --cluster-name my-cluster \\\n  --encryption-config <span class=\"hljs-string\">'&#91;{\"resources\":&#91;\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:ap-northeast-1:111122223333:key\/abcd-1234\"}}]'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-63\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Using <code>eksctl<\/code>:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">eksctl utils enable-secrets-encryption \\\n  --cluster my-cluster \\\n  --key-arn arn:aws:kms:ap-northeast-1:111122223333:key\/abcd-1234\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11.3 EKS with AWS Secrets Manager using External Secrets Operator<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use IAM Roles for Service Accounts or EKS Pod Identity so the External Secrets Operator can read AWS Secrets Manager without static AWS 
keys.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example <code>ClusterSecretStore<\/code> shape:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-64\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">apiVersion: external-secrets.io\/v1\nkind: ClusterSecretStore\nmetadata:\n  name: aws-secrets-manager\nspec:\n  provider:\n    aws:\n      service: SecretsManager\n      region: ap-northeast<span class=\"hljs-number\">-1<\/span>\n      auth:\n        jwt:\n          serviceAccountRef:\n            name: external-secrets\n            <span class=\"hljs-keyword\">namespace<\/span>: <span class=\"hljs-title\">external<\/span>-<span class=\"hljs-title\">secrets<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-64\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example app secret:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-65\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">apiVersion: external-secrets.io\/v1\nkind: ExternalSecret\nmetadata:\n  name: app-secret\n  <span class=\"hljs-keyword\">namespace<\/span>: <span class=\"hljs-title\">cm<\/span>-<span class=\"hljs-title\">secret<\/span>-<span class=\"hljs-title\">lab<\/span>\n<span class=\"hljs-title\">spec<\/span>:\n  <span class=\"hljs-title\">refreshInterval<\/span>: 1<span class=\"hljs-title\">h<\/span>\n  <span class=\"hljs-title\">secretStoreRef<\/span>:\n    <span class=\"hljs-title\">name<\/span>: <span class=\"hljs-title\">aws<\/span>-<span class=\"hljs-title\">secrets<\/span>-<span class=\"hljs-title\">manager<\/span>\n    <span class=\"hljs-title\">kind<\/span>: <span 
class=\"hljs-title\">ClusterSecretStore<\/span>\n  <span class=\"hljs-title\">target<\/span>:\n    <span class=\"hljs-title\">name<\/span>: <span class=\"hljs-title\">app<\/span>-<span class=\"hljs-title\">secret<\/span>\n  <span class=\"hljs-title\">data<\/span>:\n    - <span class=\"hljs-title\">secretKey<\/span>: <span class=\"hljs-title\">DB_PASSWORD<\/span>\n      <span class=\"hljs-title\">remoteRef<\/span>:\n        <span class=\"hljs-title\">key<\/span>: <span class=\"hljs-title\">prod<\/span>\/<span class=\"hljs-title\">app<\/span>\/<span class=\"hljs-title\">db<\/span>\n        <span class=\"hljs-title\">property<\/span>: <span class=\"hljs-title\">password<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-65\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Best EKS production pattern:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-66\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">AWS Secrets Manager \/ SSM Parameter Store\n+ IAM Roles <span class=\"hljs-keyword\">for<\/span> Service Accounts or EKS Pod Identity\n+ External Secrets Operator or AWS Secrets Store CSI provider\n+ EKS <span class=\"hljs-keyword\">default<\/span> KMS v2 envelope encryption\n+ strict Kubernetes RBAC\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-66\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">12. AKS \u2014 Azure Kubernetes Service<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">12.1 AKS secret encryption status<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">AKS stores Kubernetes Secrets in etcd and supports optional KMS provider encryption using Azure Key Vault. Azure describes this as an additional KMS provider layer over platform encryption, where Secrets stored in etcd can be encrypted using Azure Key Vault keys. (<a href=\"https:\/\/docs.azure.cn\/en-us\/aks\/kms-data-encryption-concepts?utm_source=chatgpt.com\">Azure Documentation<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft\u2019s AKS KMS documentation shows how to enable encryption at rest using Azure Key Vault and the Kubernetes KMS plugin, including bring-your-own-key and key rotation scenarios. (<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/use-kms-etcd-encryption?utm_source=chatgpt.com\">Microsoft Learn<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12.2 Enable AKS KMS encryption with Azure Key Vault<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Create or use an Azure Key Vault key, then create AKS with KMS:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-67\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">az aks create \\\n  --name myAKSCluster \\\n  --resource-group myResourceGroup \\\n  --assign-identity <span class=\"hljs-string\">\"$IDENTITY_RESOURCE_ID\"<\/span> \\\n  --enable-azure-keyvault-kms \\\n  --azure-keyvault-kms-key-vault-network-access <span class=\"hljs-string\">\"Public\"<\/span> \\\n  --azure-keyvault-kms-key-id <span class=\"hljs-string\">\"$KEY_ID\"<\/span> \\\n  --generate-ssh-keys\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-67\"><span class=\"shcb-language__label\">Code 
language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Enable on an existing cluster:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-68\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">az aks update \\\n  --name myAKSCluster \\\n  --resource-group myResourceGroup \\\n  --enable-azure-keyvault-kms \\\n  --azure-keyvault-kms-key-vault-network-access <span class=\"hljs-string\">\"Public\"<\/span> \\\n  --azure-keyvault-kms-key-id <span class=\"hljs-string\">\"$KEY_ID\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-68\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">For private Key Vault:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-69\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">az aks update \\\n  --name myAKSCluster \\\n  --resource-group myResourceGroup \\\n  --enable-azure-keyvault-kms \\\n  --azure-keyvault-kms-key-id <span class=\"hljs-string\">\"$KEY_ID\"<\/span> \\\n  --azure-keyvault-kms-key-vault-network-access <span class=\"hljs-string\">\"Private\"<\/span> \\\n  --azure-keyvault-kms-key-vault-resource-id <span class=\"hljs-string\">\"$KEY_VAULT_RESOURCE_ID\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-69\"><span class=\"shcb-language__label\">Code language:<\/span> <span 
class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Critical warning: do not delete or expire the Key Vault key used for AKS KMS encryption; Microsoft warns that doing so can make the API server unable to work with encrypted data. (<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/use-kms-etcd-encryption?utm_source=chatgpt.com\">Microsoft Learn<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12.3 AKS with Azure Key Vault Provider for Secrets Store CSI Driver<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">AKS has a managed add-on for Azure Key Vault Provider for Secrets Store CSI Driver. Microsoft documents enabling it with <code>--enable-addons azure-keyvault-secrets-provider<\/code>; the add-on creates a user-assigned managed identity for Key Vault access. 
(<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/csi-secrets-store-driver?utm_source=chatgpt.com\">Microsoft Learn<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Enable during cluster creation:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">az aks create \\\n  --resource-group myResourceGroup \\\n  --name myAKSCluster \\\n  --enable-addons azure-keyvault-secrets-provider \\\n  --enable-oidc-issuer \\\n  --enable-workload-identity \\\n  --generate-ssh-keys\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Enable on existing cluster:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">az aks enable-addons \\\n  --addons azure-keyvault-secrets-provider \\\n  --name myAKSCluster \\\n  --resource-group myResourceGroup\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Best AKS production pattern:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-70\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Azure Key Vault\n+ AKS Workload Identity\n+ Secrets Store CSI Driver or External Secrets Operator\n+ AKS KMS etcd encryption\n+ Azure RBAC \/ Kubernetes RBAC\n+ Key Vault soft <span class=\"hljs-keyword\">delete<\/span> + purge protection\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-70\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">13. 
GKE \u2014 Google Kubernetes Engine<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">13.1 GKE secret encryption status<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Google Cloud encrypts data at rest by default, including GKE data, but GKE also supports <strong>application-layer Secrets encryption<\/strong> using a customer-managed key in Cloud KMS. Google\u2019s current GKE documentation describes encrypting Kubernetes Secrets at the application layer with a Cloud KMS key that you manage. (<a href=\"https:\/\/cloud.google.com\/blog\/products\/containers-kubernetes\/exploring-container-security-encrypting-kubernetes-secrets-with-cloud-kms?utm_source=chatgpt.com\">Google Cloud<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">13.2 Create GKE cluster with Cloud KMS application-layer Secrets encryption<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Create the KMS key ring and key in the same location as the cluster (here <code>asia-northeast1<\/code>). The key must be in the cluster\u2019s location, so a <code>global<\/code> key ring will not work for a regional cluster:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-71\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">gcloud kms keyrings create gke-secrets-ring \\\n  --location=asia-northeast1\n\ngcloud kms keys create gke-secrets-key \\\n  --location=asia-northeast1 \\\n  --keyring=gke-secrets-ring \\\n  --purpose=encryption\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-71\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Grant the GKE service agent of the cluster\u2019s project (<code>service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com<\/code>) the encrypter\/decrypter role on the key. This is the identity the control plane uses to wrap and unwrap the data encryption keys, not a workload service account:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-72\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">gcloud kms keys add-iam-policy-binding gke-secrets-key \\\n  --location=asia-northeast1 \\\n  --keyring=gke-secrets-ring \\\n  --member=<span class=\"hljs-string\">\"serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com\"<\/span> \\\n  --role=<span class=\"hljs-string\">\"roles\/cloudkms.cryptoKeyEncrypterDecrypter\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-72\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Create cluster:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-73\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">gcloud container clusters create my-gke-cluster \\\n  --region=asia-northeast1 \\\n  --database-encryption-key=projects\/PROJECT_ID\/locations\/asia-northeast1\/keyRings\/gke-secrets-ring\/cryptoKeys\/gke-secrets-key\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-73\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Update existing cluster:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-74\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">gcloud container clusters update my-gke-cluster \\\n  --region=asia-northeast1 \\\n  --database-encryption-key=projects\/PROJECT_ID\/locations\/asia-northeast1\/keyRings\/gke-secrets-ring\/cryptoKeys\/gke-secrets-key\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-74\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">13.3 GKE with Google Secret Manager<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Recommended pattern:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Google Secret Manager\n+ Workload Identity Federation for GKE\n+ External Secrets Operator or Secrets Store CSI Driver provider\n+ Cloud KMS application-layer Secrets encryption\n+ Kubernetes RBAC\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example External Secret concept:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-75\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">apiVersion: external-secrets.io\/v1\nkind: ExternalSecret\nmetadata:\n  name: app-secret\n  <span class=\"hljs-keyword\">namespace<\/span>: <span class=\"hljs-title\">cm<\/span>-<span class=\"hljs-title\">secret<\/span>-<span class=\"hljs-title\">lab<\/span>\n<span class=\"hljs-title\">spec<\/span>:\n  <span class=\"hljs-title\">refreshInterval<\/span>: 1<span class=\"hljs-title\">h<\/span>\n  <span class=\"hljs-title\">secretStoreRef<\/span>:\n    <span class=\"hljs-title\">name<\/span>: <span class=\"hljs-title\">google<\/span>-<span class=\"hljs-title\">secret<\/span>-<span class=\"hljs-title\">manager<\/span>\n    <span class=\"hljs-title\">kind<\/span>: <span class=\"hljs-title\">ClusterSecretStore<\/span>\n  <span 
class=\"hljs-title\">target<\/span>:\n    <span class=\"hljs-title\">name<\/span>: <span class=\"hljs-title\">app<\/span>-<span class=\"hljs-title\">secret<\/span>\n  <span class=\"hljs-title\">data<\/span>:\n    - <span class=\"hljs-title\">secretKey<\/span>: <span class=\"hljs-title\">DB_PASSWORD<\/span>\n      <span class=\"hljs-title\">remoteRef<\/span>:\n        <span class=\"hljs-title\">key<\/span>: <span class=\"hljs-title\">prod<\/span>-<span class=\"hljs-title\">app<\/span>-<span class=\"hljs-title\">db<\/span>-<span class=\"hljs-title\">password<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-75\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Best GKE production pattern:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Google Secret Manager\n+ GKE Workload Identity\n+ Cloud KMS application-layer secret encryption\n+ External Secrets Operator or CSI mount\n+ Binary Authorization \/ Policy Controller for guardrails\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">14. OpenShift<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">14.1 OpenShift secret encryption status<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In OpenShift Container Platform 4.19 documentation, Red Hat states that etcd data is <strong>not encrypted by default<\/strong>. When etcd encryption is enabled, OpenShift encrypts resources including <strong>Secrets, ConfigMaps, Routes, OAuth access tokens, and OAuth authorize tokens<\/strong>. The docs also note that encryption protects values, not keys; resource types, namespaces, and object names remain unencrypted. 
(<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/openshift_container_platform\/4.19\/html\/etcd\/enabling-etcd-encryption?utm_source=chatgpt.com\">Red Hat Documentation<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">14.2 Enable etcd encryption in OpenShift<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check current setting:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-76\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">oc <span class=\"hljs-keyword\">get<\/span> apiserver cluster -o yaml\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-76\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Enable encryption:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-77\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">oc patch apiserver cluster \\\n  --type=merge \\\n  -p <span class=\"hljs-string\">'{\"spec\":{\"encryption\":{\"type\":\"aescbc\"}}}'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-77\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Watch progress:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-78\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code 
class=\"hljs language-javascript\">oc <span class=\"hljs-keyword\">get<\/span> clusteroperators kube-apiserver openshift-apiserver authentication\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-78\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Confirm that encryption actually completed. Each API server reports an <code>Encrypted<\/code> condition; encryption is done only when all three show the reason <code>EncryptionCompleted<\/code> (the Kubernetes API server covers Secrets and ConfigMaps, the OpenShift API server covers Routes, and the authentication operator covers the OAuth tokens):<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-79\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">oc get kubeapiserver -o=jsonpath='{range .items&#91;0].status.conditions&#91;?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n\noc get openshiftapiserver -o=jsonpath='{range .items&#91;0].status.conditions&#91;?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n\noc get authentication.operator.openshift.io -o=jsonpath='{range .items&#91;0].status.conditions&#91;?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-79\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Until the reason is <code>EncryptionCompleted<\/code>, objects written before the change are still stored in plain text in etcd; a backup taken in that window contains unencrypted Secrets. Depending on OpenShift version, supported encryption types can include AES-CBC (<code>aescbc<\/code>) and AES-GCM (<code>aesgcm<\/code>). Always confirm the exact supported values for your OpenShift release before changing production clusters.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">14.3 OpenShift External Secrets Operator<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Red Hat provides an External Secrets Operator for OpenShift. It fetches secrets from external providers including AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager, and AWS Systems Manager Parameter Store. 
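Both operator pipelines on this page (9.3 and 14.3) end in a native Kubernetes Secret, which is exactly the risk noted in 9.3: whoever can get, list or watch Secrets in that namespace reads the synced value, and list or watch alone returns the full objects, not just names. The Python below is an added example, not code from this page, from Red Hat or from the External Secrets project. It audits a dump in the shape of `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` and reports every subject that can read Secrets and at what scope; the embedded dump is constructed for the example and every name in it is made up.

```python
import json

# Verbs that expose Secret contents. "list" and "watch" return full objects,
# so they are as sensitive as "get".
READ_VERBS = {"get", "list", "watch", "*"}


def rule_grants_secret_read(rule):
    """True if one RBAC rule exposes Secrets in the core API group."""
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    # resourceNames narrows the grant to named Secrets; still worth reporting,
    # so it is deliberately not excluded here.
    return bool(groups & {"", "*"}) and bool(resources & {"secrets", "*"}) and bool(verbs & READ_VERBS)


def secret_readers(items):
    """Resolve bindings to the subjects that can read Secrets through them."""
    roles = {}
    for obj in items:
        kind = obj["kind"]
        if kind in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "") if kind == "Role" else ""
            roles[(kind, ns, obj["metadata"]["name"])] = obj.get("rules") or []

    findings = []
    for obj in items:
        kind = obj["kind"]
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        binding_ns = obj["metadata"].get("namespace", "")
        # A RoleBinding may reference a ClusterRole; the grant is then limited
        # to the binding's namespace, not cluster-wide.
        role_ns = binding_ns if ref["kind"] == "Role" else ""
        rules = roles.get((ref["kind"], role_ns, ref["name"]))
        if rules is None:
            continue  # dangling roleRef grants nothing
        verbs = set()
        for rule in rules:
            if rule_grants_secret_read(rule):
                verbs |= set(rule["verbs"]) & READ_VERBS
        if not verbs:
            continue
        scope = "cluster-wide" if kind == "ClusterRoleBinding" else "namespace " + binding_ns
        for s in obj.get("subjects") or []:
            name = s["name"]
            if s.get("namespace"):
                name = s["namespace"] + "/" + name
            findings.append({
                "subject": s["kind"] + ":" + name,
                "scope": scope,
                "via": kind + "/" + obj["metadata"]["name"],
                "role": ref["kind"] + "/" + ref["name"],
                "verbs": sorted(verbs),
            })
    return findings


def audit_secret_readers(dump_json):
    """Entry point for a `kubectl get ... -o json` dump (a v1 List)."""
    return secret_readers(json.loads(dump_json)["items"])


# Constructed sample dump; every name below is made up for this example.
SAMPLE_DUMP = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "app-config-reader", "namespace": "cm-secret-lab"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-bot-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "bot", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-secrets", "namespace": "cm-secret-lab"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "dev@example.com"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-config", "namespace": "cm-secret-lab"},
     "roleRef": {"kind": "Role", "name": "app-config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "cm-secret-lab"}]},
]})


if __name__ == "__main__":
    for f in audit_secret_readers(SAMPLE_DUMP):
        print(f"{f['subject']:32} {f['scope']:26} {f['role']:28} {','.join(f['verbs'])}")
```

On the sample, the ConfigMap-only Role is correctly ignored, the CI service account shows up as a cluster-wide Secret reader, and the developer's RoleBinding shows up as namespace-scoped even though it references a ClusterRole. Run the same audit against a real dump after installing an operator, because the operator's own service account needs broad Secret access and that grant is easy to over-scope.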
(<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/openshift_container_platform\/4.19\/html\/security_and_compliance\/external-secrets-operator-for-red-hat-openshift?utm_source=chatgpt.com\">Red Hat Documentation<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Production pattern:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">External provider\n-&gt; External Secrets Operator\n-&gt; Kubernetes Secret\n-&gt; Application\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">14.4 OpenShift Secrets Store CSI Driver<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">OpenShift \/ OKD documentation describes the Secrets Store CSI Driver Operator as a way to mount secrets, keys, and certificates from external secret stores into Pods as volumes. Listed providers include AWS Secrets Manager, AWS Systems Manager Parameter Store, Azure Key Vault, and HashiCorp Vault. (<a href=\"https:\/\/docs.okd.io\/4.16\/storage\/container_storage_interface\/persistent-storage-csi-secrets-store.html?utm_source=chatgpt.com\">OKD Documentation<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Production pattern:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">External secret manager\n-&gt; CSI driver\n-&gt; Pod volume\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">This is useful when you do not want the secret value persisted as a normal Kubernetes Secret.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Best OpenShift production pattern:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">OpenShift etcd encryption\n+ External Secrets Operator or Secrets Store CSI Driver\n+ Vault \/ AWS Secrets Manager \/ Azure Key Vault \/ Google Secret Manager\n+ strict OpenShift RBAC\n+ SCC \/ admission policy\n+ audit logging\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">15. 
Best Practice Architecture by Security Level<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Level 1 \u2014 Basic lab<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">ConfigMap for config\nSecret for password\nRBAC limited\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Good for learning, not enough for production.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Level 2 \u2014 Standard production<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-80\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">ConfigMap <span class=\"hljs-keyword\">for<\/span> non-sensitive config\nSecret <span class=\"hljs-keyword\">for<\/span> sensitive values\netcd encryption enabled\nRBAC restricted\nSecrets mounted <span class=\"hljs-keyword\">as<\/span> files where possible\nAudit logging enabled\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-80\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Level 3 \u2014 GitOps production<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">SOPS or Sealed Secrets\nGit stores only encrypted secret manifests\nCI\/CD decrypts or controller decrypts\nCluster has etcd encryption\nRBAC restricted\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Level 4 \u2014 Enterprise cloud-native<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-81\" data-shcb-language-name=\"JavaScript\" 
data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">AWS Secrets Manager \/ Azure Key Vault \/ Google Secret Manager \/ Vault\nExternal Secrets Operator or Secrets Store CSI Driver\nWorkload identity, not <span class=\"hljs-keyword\">static<\/span> cloud keys\nCloud KMS envelope encryption\nSecret rotation\nAudit logging\nPolicy enforcement\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-81\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Level 5 \u2014 High-security \/ regulated<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-82\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">External secret manager is source of truth\nNo long-lived <span class=\"hljs-keyword\">static<\/span> secrets in Git\nNo secrets <span class=\"hljs-keyword\">as<\/span> env vars\nRuntime mount <span class=\"hljs-keyword\">or<\/span> dynamic injection\nShort-lived credentials\nAutomatic rotation\nKMS\/HSM-backed keys\n<span class=\"hljs-keyword\">Namespace<\/span> <span class=\"hljs-title\">isolation<\/span>\n<span class=\"hljs-title\">Dedicated<\/span> <span class=\"hljs-title\">service<\/span> <span class=\"hljs-title\">accounts<\/span>\n<span class=\"hljs-title\">Admission<\/span> <span class=\"hljs-title\">policy<\/span> <span class=\"hljs-title\">blocks<\/span> <span class=\"hljs-title\">unsafe<\/span> <span class=\"hljs-title\">Secrets<\/span>\n<span class=\"hljs-title\">Full<\/span> <span class=\"hljs-title\">audit<\/span> <span class=\"hljs-title\">trail<\/span>\n<\/code><\/span><small class=\"shcb-language\" 
id=\"shcb-language-82\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">16. Recommended Decision Matrix<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Requirement<\/th><th>Best choice<\/th><\/tr><\/thead><tbody><tr><td>Non-sensitive app config<\/td><td>ConfigMap<\/td><\/tr><tr><td>Password\/API key for simple app<\/td><td>Secret<\/td><\/tr><tr><td>Need encrypted GitOps<\/td><td>SOPS or Sealed Secrets<\/td><\/tr><tr><td>Need central rotation<\/td><td>External Secrets Operator<\/td><\/tr><tr><td>Need avoid native Kubernetes Secret persistence<\/td><td>Secrets Store CSI Driver<\/td><\/tr><tr><td>Need dynamic DB credentials<\/td><td>HashiCorp Vault<\/td><\/tr><tr><td>EKS production<\/td><td>AWS Secrets Manager + IRSA\/EKS Pod Identity + KMS<\/td><\/tr><tr><td>AKS production<\/td><td>Azure Key Vault + Workload Identity + KMS<\/td><\/tr><tr><td>GKE production<\/td><td>Google Secret Manager + Workload Identity + Cloud KMS<\/td><\/tr><tr><td>OpenShift production<\/td><td>etcd encryption + ESO\/CSI + Vault\/cloud secret manager<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">17. 
Real Interview \/ Exam Style Summary<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">ConfigMap<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">ConfigMap stores non-confidential configuration data in key-value form.\nIt is visible in plain text through kubectl to anyone with get or list on ConfigMaps,\nand it sits in etcd unencrypted unless encryption at rest is configured.\nUse it for app settings, URLs, flags, and config files.\nDo not store passwords or API keys in ConfigMaps.\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Secret<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-84\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs\">Secret stores confidential data such as passwords, tokens, and keys.\nSecret data is base64-encoded, not encrypted by default.\nAnyone with 
permission to read the Secret can decode it.\nFor production, enable encryption at rest and use external secret managers where possible.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-84\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Encoding vs Encryption<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Encoding = reversible format transformation, no key needed.\nEncryption = cryptographic protection, key required.\nKubernetes Secret data uses base64 encoding.\nKubernetes etcd encryption or cloud KMS provides real encryption.\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">18. Cleanup Lab<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-85\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl <span class=\"hljs-keyword\">delete<\/span> namespace cm-secret-lab\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-85\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">19. 
Final Recommended Production Pattern<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">For modern Kubernetes in 2026, I would use this:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">ConfigMap:\n  Only non-sensitive app configuration.\n\nSecret:\n  Only when the application requires a Kubernetes-native Secret.\n\nGit:\n  Never store plain Secret YAML.\n  Use SOPS or Sealed Secrets.\n\nCluster:\n  Enable etcd \/ API data encryption.\n  Use KMS v2 where available.\n\nCloud:\n  Use AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or Vault.\n\nRuntime:\n  Prefer Workload Identity \/ IRSA \/ managed identity.\n  Avoid static cloud access keys.\n  Prefer CSI mount or External Secrets Operator.\n  Rotate secrets regularly.\n\nRBAC:\n  Treat get, list and watch on secrets as near-admin-level permissions.\n  list and watch return full Secret contents, not just names.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">The one-line golden rule:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">ConfigMap is for configuration. Secret is for sensitive data. But Secret is only safe when RBAC, encryption at rest, external secret management, and rotation are designed properly.\n<\/code><\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>As of July 4, 2026, the current stable upstream Kubernetes line is Kubernetes v1.36, with v1.36.2 released on June 9, 2026. 
Kubernetes v1.37 is in release-cycle\/pre-release status,&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-77367","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=77367"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77367\/revisions"}],"predecessor-version":[{"id":77368,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77367\/revisions\/77368"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=77367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=77367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=77367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
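The 14.2 verification steps and the section 17 encoding-versus-encryption point both reduce to one question: is a given Secret value merely base64-encoded, or actually encrypted where it rests in etcd? The script below is an added example and not code from the original post, from Kubernetes or from OpenShift. It assumes the header that kube-apiserver's encryption-at-rest providers prepend to stored values (`k8s:enc:<provider>:<version>:<keyname>:`), treats the plaintext protobuf marker `k8s\x00` as "not encrypted", and runs entirely on constructed data: the Secret manifest, the etcd keys and the ciphertext bytes are all stand-ins.

```python
"""Encoded vs encrypted: two checks on Kubernetes Secret material.

Added example, not code from the original post. It assumes:
  * a Secret manifest shaped like `kubectl get secret -o json` output (constructed below);
  * raw etcd values as written by kube-apiserver: plaintext protobuf starting with
    b"k8s\\x00", or an encryption-at-rest header such as b"k8s:enc:aescbc:v1:<keyname>:"
    followed by ciphertext (the payload bytes below are constructed stand-ins).
"""
import base64
import re

# Header written by the kube-apiserver encryption providers (aescbc, aesgcm,
# secretbox, kms v1/v2). The key name follows the provider version; the
# ciphertext starts after the final ':'.
ENC_HEADER = re.compile(
    rb"^k8s:enc:(?P<provider>aescbc|aesgcm|secretbox|kms):(?P<version>v[12]):(?P<keyname>[^:]*):"
)

# Constructed sample Secret. base64 is reversible without any key.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "cm-secret-lab"},
    "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "UEBzc3cwcmQh"},
}

# Constructed sample etcd key/value pairs (payload bytes are stand-ins, not real objects).
PLAINTEXT_PROTOBUF = b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret" + b"\x00" * 8
SAMPLE_ETCD = {
    # Written before encryption at rest was enabled: still plaintext.
    "/registry/secrets/cm-secret-lab/db-creds": PLAINTEXT_PROTOBUF,
    # Rewritten after aescbc was enabled with a key named key1.
    "/registry/secrets/prod/api-token": b"k8s:enc:aescbc:v1:key1:" + b"\xde\xad\xbe\xef" * 8,
    # Envelope-encrypted through a KMS v2 plugin named aws-kms.
    "/registry/secrets/prod/tls": b"k8s:enc:kms:v2:aws-kms:" + b"\x0a\x20" + b"\x11" * 32,
    # ConfigMaps are stored the same way; plaintext here, and outside the Secret scan.
    "/registry/configmaps/prod/app-config": b"k8s\x00\n\x0f\n\x02v1\x12\tConfigMap" + b"\x00" * 4,
}


def decode_secret_data(manifest: dict) -> dict:
    """Recover the plaintext of a Secret's data/stringData. No key is involved,
    which is the whole point: base64 is encoding, not encryption."""
    values = {k: base64.b64decode(v).decode("utf-8") for k, v in manifest.get("data", {}).items()}
    values.update(manifest.get("stringData", {}))  # stringData is already plain text
    return values


def classify_etcd_value(raw: bytes) -> dict:
    """Report whether a raw etcd value is protected by encryption at rest,
    and by which provider and key, from the header kube-apiserver writes."""
    if raw.startswith(b"k8s\x00"):
        return {"encrypted": False, "provider": "identity", "version": None, "keyname": None}
    m = ENC_HEADER.match(raw)
    if m:
        return {
            "encrypted": True,
            "provider": m["provider"].decode(),
            "version": m["version"].decode(),
            "keyname": m["keyname"].decode() or None,
        }
    return {"encrypted": None, "provider": "unknown", "version": None, "keyname": None}


def find_plaintext_secrets(etcd: dict) -> list:
    """Keys under /registry/secrets/ whose stored value is not encrypted.
    Anything listed here predates encryption being enabled (or was never
    migrated) and must be rewritten so the apiserver re-stores it encrypted."""
    return sorted(
        key for key, raw in etcd.items()
        if key.startswith("/registry/secrets/") and classify_etcd_value(raw)["encrypted"] is not True
    )


if __name__ == "__main__":
    print("decoded Secret:", decode_secret_data(SAMPLE_SECRET))
    for key, raw in SAMPLE_ETCD.items():
        print(key, "->", classify_etcd_value(raw))
    print("still plaintext in etcd:", find_plaintext_secrets(SAMPLE_ETCD))
```

On a real cluster the raw value comes from `etcdctl get /registry/secrets/<namespace>/<name>` (the upstream docs pipe it through `hexdump -C` and look for the `k8s:enc:` header). Every Secret the scan reports as plaintext was written before encryption was turned on: upstream Kubernetes leaves such objects untouched until you rewrite them (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`), while OpenShift's operators run that migration themselves, which is what the `Encrypted` condition in 14.2 tracks.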