Different secret types in Kubernetes
As mentioned in the introduction to this chapter, Kubernetes comes with a default secrets implementation. This default implementation stores secrets in etcd, the database Kubernetes uses to store all object metadata. When Kubernetes stores secrets in etcd, it stores them base64-encoded. Base64 is an encoding that merely obfuscates data; it is not encryption, and anybody with access to the base64-encoded data can trivially decode it. AKS adds a layer of security on top of this by encrypting all data at rest within the Azure platform.
The default secret implementation in Kubernetes allows you to store multiple types of Secrets:
- Opaque secrets: These can contain any arbitrary user-defined secret or data.
- Service account tokens: These are used by Kubernetes pods for built-in cluster RBAC.
- Docker config secrets: These are used to store Docker registry credentials for Docker command-line configuration...
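The following added example (not from this book or from Kubernetes itself) illustrates the point above with the three Secret types just listed: it takes constructed objects shaped like `kubectl get secret -o json` output and shows that every value, including the registry credentials nested inside a Docker config secret, is recoverable with nothing more than a base64 decode. The names, registry and credential values are placeholders; the `audit` helper is a reviewing aid for anyone checking an etcd backup or a repository of manifests.

```python
import base64
import json

# Constructed sample objects, shaped like `kubectl get secret -o json` output
# (no real cluster, names or credentials; all values are placeholders).
def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

SAMPLE_SECRETS = [
    {"metadata": {"name": "db-creds"}, "type": "Opaque",
     "data": {"username": b64("app"), "password": b64("hunter2")}},
    {"metadata": {"name": "default-token-x1y2z"},
     "type": "kubernetes.io/service-account-token",
     "data": {"token": b64("placeholder-jwt"), "namespace": b64("default")}},
    {"metadata": {"name": "regcred"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": b64(json.dumps(
         {"auths": {"registry.example.invalid": {"auth": b64("ci-user:ci-pass")}}}))}},
]

def decode_secret(secret: dict) -> dict:
    """Recover every value of one Secret object. Base64 needs no key: anyone
    who can read the object (API, etcd backup, manifest in git) gets plaintext."""
    data = secret.get("data") or {}
    return {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in data.items()}

def registry_credentials(secret: dict) -> dict:
    """For a dockerconfigjson Secret, return {registry: "user:pass"}; the inner
    'auth' field of the Docker config is itself only base64, so it decodes too."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return {}
    cfg = json.loads(decode_secret(secret)[".dockerconfigjson"])
    return {reg: base64.b64decode(entry["auth"]).decode()
            for reg, entry in cfg.get("auths", {}).items()}

def audit(secrets: list) -> list:
    """One row per Secret: name, type, the keys whose plaintext is recoverable,
    and any registries whose credentials are exposed."""
    rows = []
    for s in secrets:
        rows.append({"name": s["metadata"]["name"],
                     "type": s.get("type", "Opaque"),
                     "keys": sorted(decode_secret(s)),
                     "registries": sorted(registry_credentials(s))})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_SECRETS):
        print(row)
```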