1
b2plane
1y

What is the point of kubernetes "secrets" if it encodes the sensitive information as a base64 string if anyone can decode and read raw data using any base64 decoder tool?

Comments
  • 0
    The point of b64 is to make all chars printable AND obfuscate the values from being read on your terminal/screen by someone passing by behind your back. Secrets as meaningful words/digits are easy to remember after seeing them once for a split second. B64 ciphers aren't - they seem too chaotic to make sense of and be remembered easily.

    Same applies for Basic http auth too.

    B64 is not encryption. It's not meant to make anything secure. It's encoding. It's meant to represent the value differently.
  • 0
    @netikras so secrets are just meant to be used so other developers don't read the raw data of something sensitive right off the bat? In that case they can always decode it. What if I have a database username/password, do I store it in that secret? Or the docker login of the company, does it still get stored in a secret? What kind of info should be considered a good case to store as a secret and what is a bad case? Give me examples.
  • 3
    @b2plane there's RBAC to restrict devs' accesses to only the secrets they should be able to access.

    If a user has access to a set of secrets, then yes, he/she can retrieve and decode them with 2 simple commands.
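    Added example, not from anyone in this thread: a small Python sketch of the two points above. The constructed Secret manifest decodes with no key at all, and a constructed Role with `resourceNames` shows how RBAC narrows who may read which Secret. `role_allows` is a simplified model of rule matching, not the API server's real authorizer.

    ```python
    import base64
    import json

    # Constructed sample, shaped like `kubectl get secret db-creds -o json` output
    # (no real cluster involved). The .data values are base64, not ciphertext.
    SECRET_MANIFEST = json.dumps({
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "db-creds", "namespace": "app"},
        "type": "Opaque",
        "data": {
            "username": base64.b64encode(b"app_user").decode(),
            "password": base64.b64encode(b"S3cr3t-Pa55").decode(),
        },
    })

    # Constructed least-privilege Role: may read exactly one named Secret.
    ROLE = {
        "rules": [
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
             "resourceNames": ["db-creds"]},
        ]
    }


    def decode_secret_data(manifest_json: str) -> dict:
        """Return the plaintext of every .data entry; base64 needs no key to reverse."""
        manifest = json.loads(manifest_json)
        return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


    def role_allows(role: dict, verb: str, resource: str, name: str = "") -> bool:
        """Simplified model of Role rule matching (apiGroups ignored for brevity).

        A rule that lists resourceNames only matches requests carrying an object
        name, so it never grants list/watch: those requests have no name.
        """
        for rule in role["rules"]:
            if verb not in rule["verbs"] and "*" not in rule["verbs"]:
                continue
            if resource not in rule["resources"] and "*" not in rule["resources"]:
                continue
            names = rule.get("resourceNames", [])
            if names and name not in names:
                continue
            return True
        return False


    if __name__ == "__main__":
        print(decode_secret_data(SECRET_MANIFEST))           # plaintext, no key needed
        print(role_allows(ROLE, "get", "secrets", "db-creds"))  # True
        print(role_allows(ROLE, "list", "secrets"))             # False
    ```
    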
  • 0
    Just for the rbac.
    There are other csi drivers, which are more secure.

    Keep in mind that you often mount secrets or use env vars, which in itself is not safe.
  • 0
    https://secrets-store-csi-driver.sigs.k8s.io/...

    What was mentioned before.

    If you want a less integrated, but more adaptable (e.g. non-cloud) solution - check out Mozilla's SOPS.

    https://github.com/mozilla/sops

    You have to get your hands dirty a bit, but SOPS has the advantage of being "neutral". It could be used in any container environment (podman, kubernetes, docker, ...) and it supports a majority of major and non major security stores.