Base64 is not encryption: A better story for Kubernetes secrets
By default all Kubernetes secrets are base64 encoded and stored as plaintext in etcd. Seth Vargo shares techniques for securing Kubernetes secrets, including encryption, KMS plug-ins, and tools like HashiCorp Vault, and the trade-offs of each approach, to help you better secure your clusters.
| Talk Title | Base64 is not encryption: A better story for Kubernetes secrets |
|---|---|
| Speakers | Seth Vargo (Google) |
| Conference | O’Reilly Velocity Conference |
| Conf Tag | Building and maintaining complex distributed systems |
| Location | San Jose, California |
| Date | June 11-13, 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Secrets are a key pillar of Kubernetes’ security model, used internally (e.g., service accounts) and by users (e.g., API keys), but did you know they’re stored in plaintext? That’s right, by default all Kubernetes secrets are base64 encoded and stored as plaintext in etcd. Anyone with access to the etcd cluster has access to all your Kubernetes secrets. Thankfully, there are better ways. Seth Vargo provides an overview of different techniques for more securely managing secrets in Kubernetes, including secrets encryption, KMS plug-ins, and tools like HashiCorp Vault. You’ll learn the trade-offs of each approach to make better decisions on how to secure your Kubernetes clusters.
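As an added illustration of the "secrets encryption" and "KMS plug-in" options the abstract mentions (this is not code from the talk or its slides), the following two kube-apiserver `EncryptionConfiguration` documents place the default-equivalent setting beside a hardened one. The plug-in name, socket path and key value are placeholders; the file is passed to the API server with `--encryption-provider-config`.

```yaml
# Added example, not from the talk.
# Loaded by kube-apiserver via --encryption-provider-config=/path/to/encryption.yaml

# --- Weak configuration (equivalent to the default) ---
# "identity" is a no-op provider: Secrets land in etcd as the same
# base64-encoded plaintext the API already uses, readable by anyone
# who can read etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
---
# --- Hardened configuration ---
# Providers are tried in order: the FIRST one encrypts new writes,
# the rest are only used to decrypt data written earlier.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # Envelope encryption through an external KMS v2 plug-in, so the
      # key-encryption key never sits on the API server host.
      - kms:
          apiVersion: v2
          name: example-kms-plugin                    # placeholder plug-in name
          endpoint: unix:///var/run/kms-plugin.sock   # placeholder socket path
          timeout: 3s
      # Local AES-CBC key, kept only so Secrets written under it remain readable.
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64-ENCODED-32-BYTE-KEY-PLACEHOLDER>
      # identity last: lets still-plaintext objects be read until they are rewritten.
      - identity: {}
```

Enabling a provider encrypts only data written afterwards; existing Secrets remain plaintext in etcd until they are rewritten (the Kubernetes documentation does this with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`). Keeping `identity` as the last provider, never the first, is the check to make when reviewing such a file.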