
How to store a secret on Kubernetes?

Omer Levi Hevroni on January 09, 2019

At Soluto, we have been using the Kubernetes platform in production for more than a year. One of the challenges we faced is secrets management, which is not a...

Joe Hobot

Hmm.. :) interesting!

Let me take a peek at it and let you know how it goes. By the way, we are kind of riding the same boat however sealed secrets is least amount of effort atm.

Have you tried anything like Vault etc?

Omer Levi Hevroni

Sealed Secrets solves the problem in a different way. It lets you create encrypted Kubernetes secrets, which has a few downsides:

  • If you want to mount the secrets as a file, you usually end up with a secret containing one entry, config.secrets.json. The value is the base64-encoded value of the JSON, and modifying it is a cumbersome process. Kamus supports a native JSON file, where you can encrypt only the values.
  • Sealed Secrets does not support "one-way encryption". To change a secret one must be able to decrypt the secret. Kamus does not require that.
  • Sealed Secrets uses one key pair to encrypt all the secrets (as the master key). Kamus creates one key per service account, and this key can be backed up by an HSM.

One last comment regarding Vault. Vault has 2 options:

  • Secure key-value store. This is a common use case, and if you're already using it, Kamus might not be of that much value. If you don't use it currently, Vault has some overhead, including deploying it and the need to manage an additional permission model (Vault policies). Kamus has a flattened, simple permission model, making it easier for devs to work with.
  • Encryption as a service. Similar to Kamus, but without the full flow. Kamus has support for the full flow, from encryption to consumption by a pod. Kamus could add support for encrypting the secrets using Vault EaaS; it should be really simple. Currently, there is support for Azure KeyVault and GCP KMS (it took me ~3 hours to add the support for GCP KMS).
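The first two bullets in the comment above contrast a Secret holding the whole config file as one base64 blob with a JSON file where only the values are encrypted, using a key the author cannot decrypt with. The Go program below is an added example written for this page; it is not code from Kamus, Sealed Secrets or Vault, and it does not reproduce Kamus's actual file format or algorithm. It uses RSA-OAEP directly on each string leaf as a stand-in for a KMS or Kamus encrypt call (the encrypting side holds only the public key, which is the "one-way" property), and `sampleConfig` is a constructed input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
)

// sampleConfig is a constructed config.secrets.json for the demonstration.
const sampleConfig = `{
  "database": {"host": "db.internal", "password": "s3cr3t"},
  "apiKey": "abc123",
  "replicas": 3,
  "featureFlags": {"beta": true}
}`

// WholeFileSecretData builds the data section a plain Kubernetes Secret gets
// when the file is stored as-is: one key, one opaque base64 blob. Changing a
// single value means decoding, editing and re-encoding the whole file.
func WholeFileSecretData(raw string) map[string]string {
	return map[string]string{
		"config.secrets.json": base64.StdEncoding.EncodeToString([]byte(raw)),
	}
}

// encryptValue wraps one string leaf with RSA-OAEP (stand-in for a KMS call).
// OAEP is randomized, so equal plaintexts give different ciphertexts, and the
// caller needs only the public key. With a 2048-bit key and SHA-256 a single
// value may be at most 190 bytes; real systems envelope-encrypt longer values.
func encryptValue(v string, pub *rsa.PublicKey) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(v), nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptValue is the consumer side, the only place the private key is used.
func decryptValue(v string, priv *rsa.PrivateKey) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// walk applies fn to every string leaf of a decoded JSON value while keeping
// object keys, array positions and non-string leaves exactly where they were,
// so the encrypted file stays diffable and editable per value.
func walk(node interface{}, fn func(string) (string, error)) (interface{}, error) {
	switch v := node.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(v))
		for k, child := range v {
			c, err := walk(child, fn)
			if err != nil {
				return nil, err
			}
			out[k] = c
		}
		return out, nil
	case []interface{}:
		out := make([]interface{}, len(v))
		for i, child := range v {
			c, err := walk(child, fn)
			if err != nil {
				return nil, err
			}
			out[i] = c
		}
		return out, nil
	case string:
		s, err := fn(v)
		if err != nil {
			return nil, err
		}
		return s, nil
	default:
		// numbers, booleans and null are not treated as secrets here
		return v, nil
	}
}

// transform parses raw JSON, rewrites its string leaves and re-serialises it.
func transform(raw string, fn func(string) (string, error)) (string, error) {
	var doc interface{}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return "", err
	}
	out, err := walk(doc, fn)
	if err != nil {
		return "", err
	}
	b, err := json.MarshalIndent(out, "", "  ")
	return string(b), err
}

// EncryptConfig needs only the public key: the author of a change cannot read
// the other values in the file.
func EncryptConfig(raw string, pub *rsa.PublicKey) (string, error) {
	return transform(raw, func(s string) (string, error) { return encryptValue(s, pub) })
}

// DecryptConfig is what the pod-side consumer would run with the private key.
func DecryptConfig(raw string, priv *rsa.PrivateKey) (string, error) {
	return transform(raw, func(s string) (string, error) { return decryptValue(s, priv) })
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the per-service-account key
	if err != nil {
		log.Fatal(err)
	}
	enc, err := EncryptConfig(sampleConfig, &priv.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("values-only encrypted file:\n" + enc)
	fmt.Println("whole-file Secret data:", WholeFileSecretData(sampleConfig))
}
```

Running it prints a JSON document with the same keys and nesting as the input but opaque values, next to the single-entry `data` map a whole-file Secret would carry. The structure-preserving walk is what makes per-value edits and reviews possible; the asymmetric stand-in is what lets a developer add or change one value without being able to read the rest.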