3 Securely storing Secrets

 

This chapter covers

  • Capturing Kubernetes manifests to store in version control systems
  • Enabling secure secret storage at rest
  • Using Kubernetes Operators to manage Kubernetes resources, including Secrets
  • Incorporating security considerations into Kubernetes package managers
  • Implementing key rotation to improve your security posture

Chapter 2 provided an overview of the key architectural components of a Kubernetes environment as well as the way workloads are deployed and methods for injecting configurations via ConfigMaps and Secrets. But once resources have been added to a Kubernetes cluster, how are they managed? What happens if they were inadvertently removed? It becomes increasingly important for them to be captured and stored for potential later use. However, when working with resources that may contain sensitive information, careful thought and considerations must be taken into account. This chapter introduces tools and approaches that can be used to store Kubernetes Secrets securely at rest and illustrates the benefits of declaratively defining Kubernetes resources.

3.1 Storing Kubernetes manifests at rest

3.1.1 Capturing resources for declarative configuration

3.2 Tools for securely storing Kubernetes resources

3.2.1 Ansible Vault

3.3 Kubernetes Operators

3.3.1 Custom resource definitions (CRDs)

3.3.2 Sealed Secrets

3.4 Managing Secrets within Kubernetes package managers

3.4.1 Deploying the Greeting Demo Helm chart

3.4.2 Using Helm Secrets

3.5 Rotating secrets

3.5.1 Ansible Vault secret key rotation

3.5.2 Sealed Secrets key rotation

3.5.3 SOPS secret key rotation

Summary