After going through a few different options, vault included, I’ve been using this at my last two orgs https://external-secrets.io/latest/ . We leverage Aws secrets manager to hold all of our secrets. In my experience, it’s way more straightforward and simpler to use than having to deal with hashicorp vault. You can team ESO with IAM roles for authentication and also not have to deal with IAM credentials too Answer from meltingpies on reddit.com
🌐
Kubernetes
kubernetes.io › docs › concepts › configuration › secret
Secrets | Kubernetes
March 17, 2026 - Secrets are similar to ConfigMaps but are specifically intended to hold confidential data. Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd).
🌐
Reddit
reddit.com › r/kubernetes › kubernetes secrets and vault secrets
r/kubernetes on Reddit: Kubernetes secrets and vault secrets
November 26, 2025 -

The cloud architect in my team wants to delete every Secret in the Kubernetes cluster and rely exclusively on Vault, using Vault Agent / BankVaults to fetch them.

He argues that Kubernetes Secrets aren’t secure and that keeping them in both places would duplicate information and reduce some of Vault’s benefits. I partially agree regarding the duplicated information.

We’ve managed to remove Secrets for company-owned applications together with the dev team, but we’re struggling with third-party components, because many operators and Helm charts rely exclusively on Kubernetes Secrets, so we can’t remove them. I know about ESO, which is great, but it still creates Kubernetes Secrets, which is not what we want.

I agree with using Vault, but I don’t see why — or how — Kubernetes Secrets must be eliminated entirely. I haven’t found much documentation on this kind of setup.

Is this the right approach ? Should we use ESO for the missing parts ? What am I missing ?

Thank you

Top answer
1 of 5
64
Obligatory: https://www.macchaffee.com/blog/2022/k8s-secrets/
2 of 5
33
"Secure" have him explain that word to you. I could use a good laugh. Injected at runtime or mounted as env vars doesn't resolve the word "secure". The only part you're missing is security is a human problem, not a software problem
Videos
18:09
🌐 YouTube
Kubernetes Secrets Explained With Simple Examples! - YouTube
June 10, 2025
38:11
🌐 YouTube
Understanding Kubernetes Secrets - YouTube
March 17, 2025
🌐 youtube.com
Kubernetes Secrets in 5 Minutes!
14:24
🌐 YouTube
Introduction to External Secrets - Secrets Operator for Kubernetes ...
March 4, 2025
View all
View all
🌐
Spacelift
spacelift.io › blog › kubernetes-secrets
Kubernetes Secrets - How to Create, Use, and Manage
December 6, 2025 - It concludes with the best practices for using Secrets. ... Kubernetes Secrets are objects used to store and manage sensitive information such as passwords, OAuth tokens, SSH keys, and API keys.
🌐
GeeksforGeeks
geeksforgeeks.org › devops › kubernetes-secrets
Kubernetes Secrets - Secure Storage for Sensitive Data - GeeksforGeeks
1 week ago - After the saving the above file code as mysecret-file.yaml execute the file and create secrets using following command: ... Management of kubernetes secrets involves steps for securly handing sensitive data within the kubernetes cluster.
🌐
Reddit
reddit.com › r/kubernetes › how do you manage secrets in kubernetes?
r/kubernetes on Reddit: How do you manage secrets in Kubernetes?
March 11, 2024 -

I recently came across a post on LinkedIn that stated, 'In DevOps, the line between 'secrets' and 'config' is often blurred.'
I believe there are several ways to enhance secret management in Kubernetes.

Currently, I work a lot with AWS EKS, and I've found several methods to improve the security around secrets. Leveraging tools like Vault, AWS Secrets Manager, Secrets Store CSI Driver, ArgoCD with Vault Plugin, and KMS Encryption can significantly enhance Kubernetes secret management. This aligns with GitOps practices, which often face challenges when it comes to secrets, for better security.
I've written the following two articles that could help:

https://devoriales.com/post/272/boost-security-effective-management-of-kubernetes-secrets-using-aws-secrets-manager
https://devoriales.com/post/329/aws-eks-secret-encryption-securing-your-eks-secrets-at-rest-with-aws-kms

What solutions do you use for dealing with secrets in Kubernetes?

Top answer
1 of 24
68
After going through a few different options, vault included, I’ve been using this at my last two orgs https://external-secrets.io/latest/ . We leverage Aws secrets manager to hold all of our secrets. In my experience, it’s way more straightforward and simpler to use than having to deal with hashicorp vault. You can team ESO with IAM roles for authentication and also not have to deal with IAM credentials too
2 of 24
43
Another solution that I'm using in my (little) infrastructure https://github.com/bitnami-labs/sealed-secrets
🌐
Kubernetes
kubernetes.io › docs › concepts › security › secrets-good-practices
Good practices for Kubernetes Secrets | Kubernetes
June 22, 2025 - Principles and practices for good Secret management for cluster administrators and application developers. In Kubernetes, a Secret is an object that stores sensitive information, such as passwords, OAuth tokens, and SSH keys.
🌐
Cycode
cycode.com › home › the ultimate guide to kubernetes secrets: types, creation, and management
The Ultimate Guide to Kubernetes Secrets: Types, Creation, and Management - Cycode
January 1, 2026 - Kubernetes stores secrets in etcd – the database of the cluster, as base64 encoded strings by default. Though this encoding delivers a way to deal with binary data and special characters, it is not encryption.
Find elsewhere
🌐
Red Hat
cloud.redhat.com › home › learning paths › how to manage kubernetes secre...
What are Kubernetes Secrets? | How to manage Kubernetes Secrets with Red Hat OpenShift | Red Hat Hybrid Cloud
This is different from a Kubernetes Secret.A Kubernetes Secret is an object that is used to separate confidential data from an application's code, making that information safer because it isn’t exposed within the code itself.To help keep this ...
🌐
Infisical
infisical.com › blog › kubernetes-secrets-management-2025
Kubernetes Secrets Management in 2025 - A Complete Guide | Infisical Blog
December 10, 2024 - Instead of hardcoding credentials in your pod specs or baking them into container images (we've all seen those password literals in Dockerfiles), Secrets give you a dedicated place to store this sensitive stuff. https://kubernetes.io/docs/concepts/configuration/secret/
🌐
Jit
jit.io › blog › 7-tips-to-simplify-kubernetes-secrets-management
7 Tips to Simplify Kubernetes Secrets Management | Jit
August 19, 2025 - Kubernetes Secrets are objects containing private information, whether internal (business data) or external (customer data). Often, these are keys to other services like passwords, API keys, and OAuth tokens.
🌐
New Relic
newrelic.com › blog › security › kubernetes fundamentals, part 3
Creating, using, and managing Kubernetes secrets | New Relic
December 14, 2023 - You can create a secret via the Kubernetes administrator command line tool,kubectl. This tool allows you to use files or pass in literal strings from your local machine, package them into secrets, and create objects on the cluster server using ...
🌐
SpectroCloud
spectrocloud.com › homepage › blog › effective secrets management in kubernetes: a hands-on guide
Effective Kubernetes secrets management: A hands-on guide - Spectro Cloud
November 25, 2025 - They may include passwords, API keys, and other confidential data that applications and services within a cluster may need. Secrets allow you to separate sensitive information from the application's code and configuration files.
🌐
OpenBao
openbao.org
OpenBao
OpenBao can generate secrets on-demand for some systems, such as Kubernetes or SQL databases.
🌐
Reddit
reddit.com › r/devops › what’s the point of kubernetes secrets?
r/devops on Reddit: What’s the point of kubernetes secrets?
February 16, 2020 -

Kubernetes Secrets are just a base64 encoding of some text. If intercepted, it’s easily decoded. Why not encrypt secrets and then just use a ConfigMap? The code running in the container would have to know how to decrypt the secret.

I’d like to hear a little more about good security practices regarding secrets in kubernetes.

Edit: It seems like at the end of the day, you still need TLS everywhere. The Secrets API is more about limiting access via RBAC, not for securely managing sensitive information. Understanding it as an authorization tool makes more sense to me now.

Top answer
1 of 13
51
The base64 encoding is because you might want to stick some binary in a Secret without mangling, not to protect the content from eyes. Secrets should be encrypted at rest in etcd: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
2 of 13
17
configmaps are generic blobs of text. Secrets have specific types - there is generic (blob of text), but we also have docker-registry and tls type secrets, which have certain content requirements. Secrets also have separate API level access from configmaps. If you don't trust kubernetes to keep your secrets safe (and I'm not saying you should - there are well-known risks ) then you're better off using something like Vault and having the application read it on demand, thus not even storing the secrets in-cluster at all.
🌐
Medium
medium.com › @rajeshmamuddu › kubernetes-secrets-0e4a6413ac69
Kubernetes Secrets,. What are they and How to Use them | by rajeshmamuddu | Medium
November 30, 2023 - For example, Opaque secrets are the most commonly used type of secret and can be used to store any type of sensitive data, while TLS secrets are specifically designed to store TLS certificates and keys for secure communication. To create and use a Kubernetes Secret, follow these steps:
🌐
External Secrets
external-secrets.io
External Secrets Operator: Introduction
Redirecting to latest/
🌐
DEV Community
dev.to › canelasevero › yet-another-rant-in-favor-of-kubernetes-secrets-432k
Yet another rant in favor of Kubernetes Secrets - DEV Community
August 3, 2023 - The base64 encoding of Kubernetes secrets was never intended as a security measure. It does not exist to obscure or hide any values. The decision to implement this encoding method was initially made to enable the secrets to accommodate binary data. If the secrets were structured as simple maps, perhaps there would be less confusion.
🌐
Release
release.com › blog › kubernetes-secrets-management-a-practical-guide
Kubernetes Secrets Management: A Practical Guide | Release
August 31, 2022 - As we mentioned, a critical aspect ... You may be surprised to hear that, but Kubernetes secrets are not encrypted and can be easily read by anyone with access to the cluster....
🌐
Medium
medium.com › @ravipatel.it › mastering-kubernetes-secrets-a-comprehensive-guide-b0304818e32b
Mastering Kubernetes Secrets: A Comprehensive Guide | by Ravi Patel | Medium
June 12, 2024 - Decoupling Configuration: Secrets allow you to separate sensitive configuration data from your application code and container images. Ease of Use: Kubernetes provides built-in mechanisms to use Secrets in your pods and containers easily.
Related queries
kubernetes secrets manager
kubernetes secrets encryption
kubernetes secrets vs vault
kubernetes secrets example
kubernetes secrets vault
kubernetes secrets operator
kubernetes secrets best practices
kubernetes secrets vs configmap