Can we directly encrypt kubernetes secret like using any encryption algorithm we encrypt the secret value and after that decrypt that value in pod and use it. So that anyone cannot access secret without private key. Does kubernetes or any other tool or methods will help to achieve this??
If someone gains access to a Kubernetes cluster and can decode a secret, it's a serious security risk. Kubernetes secrets are base64-encoded but not encrypted, meaning anyone with access can decode them. A compromised secret could lead to unauthorized access or data breaches. Immediate action includes rotating the compromised secret and updating applications using it. Investigate the breach and implement security best practices such as access control, network policies, and regular monitoring. Consider secret management solutions or encryption tools to enhance security. Security in Kubernetes should be a top priority to minimize risks and respond effectively to breaches.
Do you see any scenarios when sealed secret operator will not be in situation to decrypt encrypted password and create correct secrete in Kubernetes cluster? Is there any way to store certificates generated by operator somewhere outside the cluster? I guess, if we redeploy the operator it will create new certificate pair.
If one need to deploy the app in a different cluster, the operator public and private key will change, and the sealedsecret stored in git repo will be unusable
Yes. Sealed Secrets can be used with OpenShift to securely manage and store sensitive data, just as it can be used with a standard Kubernetes cluster. However, make sure to consider OpenShift's specific security features and requirements when implementing it in your OpenShift environment.
Is something like this going to be part of core K8S? Seems like a fundamental feature that you shouldn't have to rely on a third party CRD for.
Can we directly encrypt kubernetes secret like using any encryption algorithm we encrypt the secret value and after that decrypt that value in pod and use it. So that anyone cannot access secret without private key. Does kubernetes or any other tool or methods will help to achieve this??
if someone get access to k8s cluster and decoding the secret?
If someone gains access to a Kubernetes cluster and can decode a secret, it's a serious security risk. Kubernetes secrets are base64-encoded but not encrypted, meaning anyone with access can decode them. A compromised secret could lead to unauthorized access or data breaches. Immediate action includes rotating the compromised secret and updating applications using it. Investigate the breach and implement security best practices such as access control, network policies, and regular monitoring. Consider secret management solutions or encryption tools to enhance security. Security in Kubernetes should be a top priority to minimize risks and respond effectively to breaches.
Excellent Tutorial! :-)
Thanks a lot!
Imperative and declarative way
Keep learning with us & stay connected .
How would sealed-secrets be used with Terraform?
Do you see any scenarios when sealed secret operator will not be in situation to decrypt encrypted password and create correct secrete in Kubernetes cluster? Is there any way to store certificates generated by operator somewhere outside the cluster? I guess, if we redeploy the operator it will create new certificate pair.
If one need to deploy the app in a different cluster, the operator public and private key will change, and the sealedsecret stored in git repo will be unusable
good stuff.
Glad you enjoyed it
What about credentials rotation? This is mentioned on the website but no details provided
Hey, please refer to github.com/bitnami-labs/sealed-secrets#secret-rotation
Is this solution applicable to Openshift too?
Yes. Sealed Secrets can be used with OpenShift to securely manage and store sensitive data, just as it can be used with a standard Kubernetes cluster. However, make sure to consider OpenShift's specific security features and requirements when implementing it in your OpenShift environment.
awesome
Thanks a lot!
I had paid money but my subscription in un-action please fix the issue
We apologise for the issue, could you please email us the concern at support@kodekloud.com and we will investigate it.
Such great instructor!!
Hello thank you for watching our video .We are glad that we could help you in your learning !