In chapter 3, you learned how to protect secrets when storing them in Git, but this is just one place secrets can be stored. In this chapter, we’ll discuss storing them inside the Kubernetes cluster.
We’ll demonstrate that secrets are not encrypted by default by querying the etcd database directly. Then we’ll walk through encrypting data at rest and enabling it in Kubernetes so that secrets are stored encrypted (figure 4.1).
Finally, we will make the process secure using a key management service (KMS) to manage encryption keys, as shown in figure 4.2.
Imagine you have an application that needs to connect to a database server; obviously, a username and password are required to access it. These configuration values are secrets, and they need to be stored correctly, so that if the system (or the cluster) is compromised, they remain secret and the attacker cannot use them to access any part of your application. The solution is to encrypt these secrets, so that if they are compromised, the attacker gets only a chunk of ciphertext bytes instead of the real values.
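The two steps just described, checking the raw etcd value of a Secret for the encryption-at-rest marker and producing the EncryptionConfiguration that turns aescbc encryption on, as an added shell example that is not code from the book. It relies on the documented behaviour that the kube-apiserver prefixes encrypted values with `k8s:enc:<provider>:v1:<keyname>:` (`v2` for the KMS v2 provider) and leaves plaintext protobuf when the default `identity` provider is in effect. The sample etcd values are constructed, the certificate paths in the live-use comment are the usual kubeadm locations and are an assumption, and the Secret name `db-credentials` is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the book): helpers for the two checks this chapter
# walks through. (1) Inspect the raw etcd value of a Secret and tell whether
# the kube-apiserver stored it in plaintext (the default "identity" provider)
# or with an encryption-at-rest provider, which prefixes the value with
# "k8s:enc:<provider>:v1:<keyname>:" ("v2" for KMS v2). (2) Generate the
# EncryptionConfiguration that enables aescbc encryption for Secrets.
set -u

# Return 0 if an etcd value carries the encryption-at-rest prefix, 1 otherwise.
is_encrypted_at_rest() {
  case "$1" in
    k8s:enc:*:v1:*|k8s:enc:*:v2:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the provider that encrypted the value ("aescbc", "kms", ...),
# or "identity" when the value is plaintext protobuf.
encryption_provider() {
  if is_encrypted_at_rest "$1"; then
    printf '%s\n' "$1" | cut -d: -f3
  else
    printf 'identity\n'
  fi
}

# Generate a fresh 32-byte (AES-256) key, base64-encoded, for an aescbc provider.
new_aescbc_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print an EncryptionConfiguration for Secrets. The first provider listed is used
# for writes; "identity" stays last so Secrets written before encryption was
# enabled can still be read until they are rewritten.
make_encryption_config() {
  local key_name="$1" key_b64="$2"
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: ${key_name}
              secret: ${key_b64}
      - identity: {}
EOF
}

# Constructed sample values (not captured from a real cluster). A real plaintext
# value is protobuf starting with the bytes "k8s" followed by NULs; the NULs are
# omitted here because shell variables cannot hold them.
SAMPLE_PLAINTEXT='k8s v1 Secret db-credentials password=hunter2'
SAMPLE_AESCBC='k8s:enc:aescbc:v1:key1:[ciphertext bytes]'
SAMPLE_KMS_V2='k8s:enc:kms:v2:my-kms-plugin:[ciphertext bytes]'

# Live use on a kubeadm-style control plane (certificate paths are an assumption;
# the Secret "db-credentials" in namespace "default" is a placeholder):
#   ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
#     --cacert=/etc/kubernetes/pki/etcd/ca.crt \
#     --cert=/etc/kubernetes/pki/etcd/server.crt \
#     --key=/etc/kubernetes/pki/etcd/server.key \
#     get /registry/secrets/default/db-credentials --print-value-only \
#     | head -c 64 | tr -d '\0' | { v=$(cat); encryption_provider "$v"; }
#
# Enabling encryption: write make_encryption_config to a file on the control
# plane, point the kube-apiserver at it with --encryption-provider-config, then
# rewrite existing Secrets so they are re-stored encrypted:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

Note that with the aescbc provider the key sits in a file on the control-plane node, so anyone who can read that file alongside etcd still recovers the plaintext; that is the gap the KMS provider in figure 4.2 closes by keeping the key-encryption key outside the cluster.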