CNCFKubernetesContainer OrchestrationBeginner27 min read

What Does Secrets Management Mean?

Also known as: Secrets Management, Kubernetes Secrets, CKA secrets, HashiCorp Vault, dynamic secrets

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Secrets Management means keeping important private information safe. Think of passwords, encryption keys, or tokens that computer programs need to use. Instead of writing them in code or leaving them in a file, you store them in a special secure vault. The vault controls who can see the secrets and automatically refreshes them when needed.

Must Know for Exams

The term Secrets Management appears prominently in the CNCF CKA (Certified Kubernetes Administrator) exam, specifically under the domain “Workloads and Scheduling” and “Security.” The CKA curriculum requires candidates to understand Kubernetes Secrets as a native resource type and to know how to use them securely. You will be expected to create Secrets from literal values and from files, consume Secrets as environment variables in Pods, mount Secrets as volumes, and update Secrets without restarting applications.

Beyond the CKA, Secrets Management is a major topic in the CKAD (Certified Kubernetes Application Developer) exam, where developers must know how to inject Secrets into applications without exposing them in container images or manifests. The KCNA (Kubernetes and Cloud Native Associate) exam also covers basic concepts of Secrets Management at a conceptual level. For the CKS (Certified Kubernetes Security Specialist) exam, Secrets Management is central. You are tested on encrypting Secrets at rest using KMS providers, configuring etcd encryption, and implementing external secrets with solutions like HashiCorp Vault or AWS Secrets Manager. The CKS exam also covers audit logging on Secrets access and restricting access to Secrets via RBAC.

Exam questions related to Secrets Management typically ask you to create a Secret, reference it in a Pod, and verify that the Pod can access it. A common trap is that Kubernetes Secrets are not encrypted by default — they are only base64-encoded, which is not a security mechanism. The exam expects you to know this and to recommend or configure encryption at rest. Another frequent topic is the difference between using Secrets as environment variables versus volume mounts: the latter is safer because it avoids exposing the secret in process environment dumps or logs. You may also see questions about updating Secrets: a volume-mount automatically updates the file content when the Secret changes, but environment variables do not update without a Pod restart.

To master these exam objectives, you should practice the kubectl create secret command, understand the structure of Secret YAML manifests (type: Opaque, type: kubernetes.io/tls, etc.), and know how to decode a Secret value with kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 --decode. Understanding how Secrets integrate with Services, Ingress (for TLS certificates), and Pod Security Policies is also valuable for the exams.

Simple Meaning

Imagine you live in a large apartment building. Every resident has a key that opens the main door, their apartment door, and the mailbox. Now imagine that instead of keeping those keys in a safe place, you tape them to the wall of the lobby for anyone to grab. That is the old way of handling passwords and certificates in software. Secrets Management is like having a secure lockbox in the manager’s office. When a resident needs their key, they go to the manager, prove who they are, and the manager hands them the key for exactly as long as they need it. When they are done, the key is put back or replaced with a new one.

In computer terms, secrets are things like database passwords, API keys, SSH private keys, and TLS certificates. Applications need these secrets to talk to databases, cloud services, or other microservices. If you put the secret directly in your code, anyone who sees the code can read the secret. If you store it in a plain text file, anyone who gets access to the file can use it. Secrets Management provides a secure vault — a protected service — that stores all these secrets in encrypted form. Only authorized applications and users can retrieve them, and only after proving their identity. The vault also rotates secrets regularly, meaning it changes the password or key automatically so that even if an old secret leaks, it becomes useless quickly.

Think of it like a library where you borrow a rare book. You cannot just walk into the stacks. You show your library card to the librarian, the librarian checks that you are allowed to borrow that book, records that you have it, and hands it to you. When you return it, the librarian may stamp it with a new due date. In software, the vault (librarian) checks the identity of the app (patron) using authentication plugins, logs every access, and can revoke access at any time. This central, controlled approach is what Secrets Management is all about.

Full Technical Definition

Secrets Management is a set of policies, tools, and processes used to control the lifecycle of sensitive credentials in a computing environment. Core components include a secrets store (often called a vault), an access control layer, an encryption engine, and an audit log. The most common open-source solution is HashiCorp Vault, but Kubernetes native tools like External Secrets Operator and cloud services like AWS Secrets Manager, Azure Key Vault, and Google Secret Manager are also widely used.

At a technical level, a secret is any piece of data that grants access to a protected resource. Secrets are stored inside the vault at rest, encrypted using a strong algorithm such as AES-256. The vault itself holds an encryption key (the master key) that protects all stored secrets. When an application needs a secret, it authenticates to the vault using a mechanism such as a client certificate, a Kubernetes service account token, or an API token. After authentication, the vault verifies the application’s authorization against a policy — for example, a HashiCorp Vault policy that says “app-frontend can read secrets under path secret/data/frontend/”. If authorized, the vault decrypts the secret in memory and returns it to the application over a TLS-encrypted connection. The application then uses the secret (for example, to connect to a database) and ideally never writes the secret to disk.

A critical feature is dynamic secrets. Instead of storing a static password, the vault can generate a temporary credential on demand — for example, a database username and password that expires after 5 minutes. Once the time is up, the vault revokes the credential automatically. This eliminates the risk of a long-lived secret being stolen and reused. Another key feature is secret rotation. Static secrets can be automatically updated by the vault on a schedule, and all downstream clients can pick up the new version without manual intervention.

In a Kubernetes environment, Secrets Management is often implemented using a sidecar container or a mutating admission webhook. The sidecar (like Vault Agent) runs in the same pod as the application, authenticates to the vault, and writes the secret to a shared in-memory volume (tmpfs). The application reads the secret from that volume as a file. Kubernetes native Secrets objects exist but are only base64-encoded by default, not encrypted, so they are not considered secure. To encrypt Kubernetes Secrets at rest, you must enable encryption at rest in the kube-apiserver and use a KMS provider like AWS KMS or a vault-backed KMS. This is a critical exam topic for the CNCF CKA certification. Real-world implementations also include secret leasing, where the vault issues a lease with a time-to-live, and renewal mechanisms using the vault API.

Real-Life Example

Think of a large office building with 20 floors and 500 employees. Every employee needs a key card to enter the building, access their floor, and unlock the supply closet. In the old way, building management would hand every employee a single permanent key card that works everywhere. If an employee quits, they keep the card — or worse, copies of it. That is the equivalent of hardcoding a password in a script that lives on a shared drive.

Secrets Management is like installing a modern key card system with a central control panel. The control panel is the vault. Each employee (or application) gets a unique identity, such as a badge number. When an employee arrives at the building, they swipe their badge at the turnstile. The turnstile asks the central control panel: “Is badge 1234 allowed to enter today?” The panel checks a policy database. If the employee is a security guard, they get access to all floors. If they are an intern, they only get access to the ground floor. The panel also logs the time of entry.

Now imagine the supply closet — the sensitive resource. The closet has a digital lock. An employee needs to fetch a new laptop. They do not walk around with a universal key. Instead, they go to the control panel and request a “digital token” for the closet. The panel issues a temporary code that works for exactly one hour. The employee uses it, and after an hour the code expires. If someone else later finds that code written on a sticky note, it no longer works. This is exactly how dynamic secrets work in software: the vault issues a temporary database password that self-destructs after a short time. The office manager can also automatically change all permanent keys every month (rotation) without anyone having to visit a locksmith. The entire system reduces the risk of a stolen badge, because the badge alone is useless without the central panel also allowing access. That central panel is your secrets vault.

Why This Term Matters

In real IT work, secrets are everywhere. Every time a backend service connects to a database, it uses a password. Every time a microservice calls another microservice over TLS, it uses a certificate. Every time a CI/CD pipeline deploys code to a cloud environment, it uses an API key. If any of these secrets leaks, an attacker can gain access to the database, impersonate the service, or hijack the deployment. The cost of a secret leak is severe — data breaches, regulatory fines, and reputational damage.

Secrets Management matters because it removes the human error factor. Developers no longer need to paste passwords into configuration files, commit them to Git repositories, or share them over Slack. The vault becomes the single source of truth. Access is controlled by policy, not by copying files. Rotation is automated, so compromised secrets are only valid for a short window. Audit logs show exactly who accessed which secret and when, which is essential for compliance frameworks like SOC 2, PCI DSS, and HIPAA.

For system administrators, Secrets Management simplifies operations. When a database password is rotated, the vault can push the new password to all consuming applications without a restart. In a Kubernetes cluster, this means zero-downtime credential updates. For cloud infrastructure, it means you can use a cloud native vault service that integrates with IAM roles, so an EC2 instance can get its database password without ever storing it on disk. Secrets Management also supports multi-cloud and hybrid deployments. A single vault can serve on-premise applications and cloud workloads with the same policy engine, which reduces complexity and ensures consistent security posture.

For IT certification learners, especially those preparing for the CNCF CKA exam, Secrets Management is a core operational skill. The CKA exam tests your ability to create, use, and secure Kubernetes Secrets. But more broadly, any production environment without proper Secrets Management is an incident waiting to happen. Understanding how to implement it securely is a fundamental requirement for any DevOps, SRE, or platform engineer role.

How It Appears in Exam Questions

In certification exams, Secrets Management appears in several question formats. The most common is the creation and usage question: “You need to deploy a Pod that reads a database password from a Secret named db-secret. Write a YAML manifest to accomplish this.” The candidate must create a Secret resource and a Pod manifest that references that Secret either as an environment variable (secretKeyRef) or as a volume mount.

Scenario-based questions also appear frequently. For example: “A developer has hardcoded a password in a ConfigMap. The security team demands that the password be stored in a Secret and mounted into the Pod as a file. Modify the given manifests to achieve this.” This tests the candidate’s ability to convert a ConfigMap to a Secret and adjust the volume mount paths. Another scenario might describe a microservice that needs to authenticate to an external API using a token that rotates every hour. The question asks how to automatically refresh the token without restarting the Pod. The correct answer involves using a sidecar that polls the vault and writes the token to a shared volume, or using a volume mount that watches for Secret updates.

Troubleshooting questions are also common. Example: “A Pod fails to start with the error ‘MountVolume.SetUp failed for volume secret-volume’. What is the most likely cause?” The answer could be that the Secret does not exist, the Pod’s namespace is wrong, or the Secret has been misconfigured. Another troubleshooting pattern: “An application is able to read the secret from an environment variable, but when the secret is updated, the application still uses the old value.” This tests the understanding that environment variables are not automatically updated, whereas volume mounts are (with a short delay).

Architecture questions might ask: “Which approach is more secure for storing secrets in a Kubernetes cluster: using native Secrets with encryption at rest enabled, or using an external secrets vault with a sidecar?” The answer should compare the two — native Secrets are simpler but require etcd encryption, while an external vault provides dynamic secrets and better audit but adds complexity. The exam may also present a multi-choice question about the proper way to pass a TLS certificate to an Ingress: creating a Secret of type kubernetes.io/tls and referencing it in the Ingress spec. For the CKS exam, you may encounter a question about configuring etcd encryption using a KMS provider, where you must edit the kube-apiserver configuration to specify the encryption provider (aescbc or kms) and the corresponding key.

Study cncf-cka

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a Kubernetes administrator for a company that runs an e-commerce platform. The frontend Pod needs to connect to a PostgreSQL database that stores customer orders. The database password is currently stored as a plaintext environment variable in the frontend deployment YAML file. This YAML file is stored in a Git repository that every developer can access.

During a routine security audit, the compliance team flags this as a critical vulnerability. Your task is to remove the password from the environment variable and instead store it in a Kubernetes Secret. You create a Secret named db-password in the same namespace as the frontend. The Secret contains a key called password with the base64-encoded value of the database password. You then modify the frontend Deployment manifest to mount this Secret as a volume at /etc/secrets. The frontend application is updated to read the password from the file /etc/secrets/password instead of from an environment variable.

Now, even if someone gains access to the Git repository, they cannot see the password because the YAML file no longer contains it. Access to the Secret can be further restricted using Kubernetes RBAC, so only the frontend service account can read it. The company also rotates the database password every 30 days. You update the Secret with the new password, and the frontend Pod automatically picks up the change within 60 seconds (due to the volume mount refresh), without any downtime. This scenario demonstrates a real-world application of Secrets Management: moving from insecure hardcoding to a secure, centralized, and auditable secret store.

Common Mistakes

Believing Kubernetes Secrets are secure by default because they are called 'Secrets'.

Kubernetes Secrets are only base64-encoded, not encrypted by default at rest. Anyone with access to etcd or who can run 'kubectl get secrets -o yaml' can decode the values. They are not a security solution out of the box.

Always enable encryption at rest for Secrets in Kubernetes. This is done by configuring the kube-apiserver with an encryption configuration file that uses AES-CBC or a KMS provider.

Using environment variables to inject secrets into a Pod.

Environment variables are readable from the Pod's process list, and can be leaked in error logs or by using `kubectl exec` to inspect the container's environment. They are also not automatically updated when the Secret changes.

Prefer mounting Secrets as volumes. This keeps the secret data in a file on a tmpfs volume (in-memory), and when the Secret is updated, the file content is automatically refreshed (though the application must re-read the file).

Committing Secret YAML manifests to a public or shared Git repository.

Even if the values are base64-encoded, base64 is not encryption. Anyone with access to the repository can decode the secret immediately, exposing passwords, tokens, or certificates.

Never store raw Secret manifests in version control. Use a tool like Sealed Secrets (Bitnami), Helm Secrets, or an external vault to generate Secrets at deploy time. Or store the encrypted values in Git and decrypt them with a CI/CD pipeline using a vault.

Assuming a Secret with type 'Opaque' is the only way to store sensitive data.

Kubernetes has other Secret types like 'kubernetes.io/tls' for TLS certificates and 'kubernetes.io/dockercfg' or 'kubernetes.io/dockerconfigjson' for image registry authentication. Using the wrong type can cause the data to be ignored or cause errors.

Use the correct Secret type for the use case. For TLS certificates, always use type: kubernetes.io/tls with keys 'tls.crt' and 'tls.key'. For Docker registry credentials, use type: kubernetes.io/dockerconfigjson with the .dockerconfigjson key.

Forgetting to set Kubernetes RBAC to restrict access to Secrets.

By default, any user or service account with full access to the namespace can list and read all Secrets. This defeats the purpose of having a dedicated secret store.

Create a Role that grants 'get, list, watch' permissions on Secrets only to specific service accounts, and bind that Role using a RoleBinding. This way, only the Pods that need the Secret can access it.

Using a single static password that never expires.

Static secrets are dangerous because if they are ever compromised, the attacker has indefinite access. There is no automatic mechanism to revoke or rotate them.

Implement dynamic secrets or short-lived secrets where possible. If using static secrets, set up an automated rotation policy that updates the Kubernetes Secret regularly and forces the application to pick up the new version.

Exam Trap — Don't Get Fooled

A question asks: 'You have created a Secret and referenced it as an environment variable in a Pod. You update the Secret. Does the Pod automatically get the new value?' Many learners answer 'Yes' because they know secrets can be updated, but they forget that environment variables are not automatically refreshed.

Memorize this rule: Secrets consumed as environment variables are set at Pod startup and never update. Secrets consumed as volume mounts are automatically updated (with a delay of about 60 seconds) when the Secret changes. In the exam, if the question does not mention a volume mount, the answer is 'No' for env var updates.

Commonly Confused With

Secrets ManagementvsConfigMap

A ConfigMap is designed for non-sensitive configuration data like application settings, while a Secret is designed for sensitive data like passwords and keys. ConfigMaps store data in plaintext, whereas Secrets store data base64-encoded by default. Both can be injected into Pods similarly, but Secrets have additional security features like encryption at rest.

You store the application's log level ('debug') in a ConfigMap. You store the database password ('Passw0rd!') in a Secret. If you accidentally put the password in a ConfigMap, it would be visible to anyone with access to the ConfigMap.

Secrets ManagementvsEncryption at Rest

Encryption at rest is a mechanism that encrypts data (including Secrets) when they are written to etcd storage. Secrets Management is the broader practice of storing, accessing, and rotating secrets. Encryption at Rest is one component of a secure Secrets Management strategy, but it does not replace the need for access control or dynamic secrets.

You enable Encryption at Rest in your Kubernetes cluster so that even if someone steals the etcd backup files, they cannot read the Secrets without the encryption key. This is part of good Secrets Management, but you still need RBAC to control who can read the Secrets.

Secrets ManagementvsVault Agent Sidecar

A Vault Agent sidecar is a specific implementation pattern for Secrets Management. The sidecar is a container that runs alongside your app container in a Pod, authenticates to HashiCorp Vault, and writes secrets to a shared volume. This is a more advanced, production-grade approach compared to using native Kubernetes Secrets, because it supports dynamic secrets and automatic rotation without changing the Pod.

Your app needs a database password that changes every 5 minutes. Instead of creating a new Kubernetes Secret every time, you deploy a Vault Agent sidecar that fetches a temporary password from Vault and writes it to a file. Your app reads that file. When the password expires, the sidecar fetches a new one.

Secrets ManagementvsSealed Secrets

Sealed Secrets is a tool that allows you to encrypt a Kubernetes Secret into a 'SealedSecret' custom resource that can be safely stored in Git. The encryption is done using a public key, and only the Sealed Secrets controller in the cluster can decrypt it into a regular Secret. This is not the same as native Secrets Management because the sealed secret is for secure storage in version control, not for runtime access control or rotation.

You want to commit your database password to Git so your CI/CD pipeline can deploy it. You create a SealedSecret resource from your Secret using kubeseal. The SealedSecret YAML is safe to commit because only your cluster can decrypt it. When the pipeline applies the SealedSecret to the cluster, the controller creates the actual Secret.

Step-by-Step Breakdown

1

Identify the secret and its purpose

Determine what sensitive data needs to be protected — for example, a database password, an API token, or a TLS certificate. Classify its sensitivity and decide which applications need access to it. This step ensures you only store truly sensitive data in the secrets vault and avoids overloading it with non-sensitive configuration.

2

Choose a secrets store

Select the appropriate secrets management solution based on your environment. For a Kubernetes cluster, you might use native Kubernetes Secrets, HashiCorp Vault, AWS Secrets Manager, or External Secrets Operator. Consider factors like need for dynamic secrets, rotation automation, compliance requirements, and integration with your existing infrastructure. The choice affects how you manage access and lifecycle.

3

Create the secret in the store

Store the actual secret value inside the chosen vault. For Kubernetes Secrets, you use `kubectl create secret generic` or write a YAML manifest. For external vaults, you use the vault CLI, API, or web UI. The secret is encrypted at rest in the store. This step also includes defining metadata like a name, namespace, and type (e.g., Opaque, TLS, dockerconfigjson).

4

Define access policies (authentication and authorization)

Configure who or what can retrieve the secret. In Kubernetes, this means creating RBAC rules (Role and RoleBinding) that grant specific service accounts permissions to get and list Secrets. In HashiCorp Vault, you write policies that define paths and capabilities. You also set up authentication methods — for example, a Kubernetes service account token for Vault, or an IAM role for AWS Secrets Manager. This step is critical for security.

5

Inject the secret into the consuming workload

Make the secret available to the application without exposing it in logs, environment variables, or configuration files. The most secure method is to mount the secret as a volume in the Pod. For Kubernetes native Secrets, you add a volume entry in the Pod spec referencing the Secret, then a volumeMount in the container. For external vaults, you use a sidecar or init container that fetches the secret and writes it to a shared emptyDir volume. The application reads the secret from the file path.

6

Enable secret rotation and refresh

Set up a process to periodically change the secret value. For static secrets in Kubernetes, you update the Secret resource, and volume-mounted files will be refreshed automatically after a short delay (typically 60 seconds). For dynamic secrets, the vault issues a temporary credential that expires, and the sidecar or app must re-fetch. Rotation reduces the window of exposure if a secret is compromised.

7

Audit and monitor secret access

Enable logging on every access to the secret store. Kubernetes audit logs capture every API call, including get, list, and watch on Secrets. HashiCorp Vault provides detailed audit logs at the request level. Monitor these logs for unusual patterns — for example, a service account that never accessed a secret before suddenly reading it multiple times. Regular audits help detect breaches early and satisfy compliance requirements.

Practical Mini-Lesson

Let us walk through implementing Secrets Management in a real Kubernetes environment. Suppose you have a Node.js application that connects to a MongoDB database. The MongoDB password is currently in a file called config.js inside the Docker image. This is incredibly insecure because anyone who pulls the image can extract the password.

Step 1: You decide to use native Kubernetes Secrets because the cluster is small and you only need static rotation. First, encode the password: echo -n 'myMongoPass' | base64 yields bXlNb25nb1Bhc3M=. You create a YAML file called mongo-secret.yaml with apiVersion: v1, kind: Secret, metadata: { name: mongo-pass, namespace: production }, type: Opaque, and data: { password: bXlNb25nb1Bhc3M= }. Apply it with `kubectl apply -f mongo-secret.yaml`.

Step 2: Next, you need to make sure only the Node.js Pod can read this Secret. You create a ServiceAccount called mongo-app in the production namespace. Then you create a Role that grants get and list on Secrets. You bind that Role to the mongo-app ServiceAccount with a RoleBinding. Now, the Node.js Pod must use this service account. In the Deployment spec, you set spec.template.spec.serviceAccountName: mongo-app.

Step 3: Inject the secret as a volume. You add a volume named mongo-secret-vol of type secret, with secretName: mongo-pass. In the container spec, you add a volumeMount for /etc/secrets/mongo with mountPath: /etc/secrets/mongo. Inside the container, the file /etc/secrets/mongo/password will contain the decoded password.

Step 4: Modify the Node.js app to read the password from a file instead of from the environment. You change the config.js to read fs.readFileSync('/etc/secrets/mongo/password', 'utf8').trim(). This is safer because if someone kubectl exec into the container and runs env, they see nothing about the password.

Step 5: Set up rotation. Every month, the security team changes the MongoDB password. You edit the Secret with `kubectl edit secret mongo-pass -n production`, update the data field with the new base64-encoded password, and save. Within about one minute, the file in the Pod updates automatically. However, the Node.js application does not automatically re-read the file — it only reads it once at startup. To handle this, you need to implement a file watcher in your app that re-reads the file when it changes, or you restart the Pods. A better approach for production is to use a sidecar like consul-template or Vault Agent that manages the file and signals the app.

What can go wrong? If you forget to encode the password correctly (e.g., using echo without -n adds a newline), the connection will fail. If you use environment variables instead of a volume mount, password rotation will not take effect until the Pod is restarted. If you do not set proper RBAC, any Pod in the namespace can read the Secret. If you commit the Secret YAML to Git, your secret is exposed in the repo history. For exam purposes, always remember that Secrets are not secure by default and must be protected with encryption at rest and RBAC.

Broader context: Secrets Management connects directly to identity and access management (IAM), compliance auditing, and DevOps security. A good secrets practice reduces the blast radius of a compromised container, because even if an attacker gets into your container, they only see the secrets that container needs, and those secrets may already be expired if you use dynamic secrets.

Memory Tip

For CKA exam, remember BASE64 is NOT ENCRYPTION. Memorize the phrase 'Mount don't Env' — use volume mounts instead of environment variables for secrets, and enable encryption at rest for the full security picture.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

What is the difference between a Kubernetes Secret and a ConfigMap?

A ConfigMap stores non-sensitive configuration in plain text, while a Secret stores sensitive data like passwords and keys in base64-encoded form. Both can be injected into Pods, but Secrets have additional security features like encryption at rest support and are intended for confidential data.

Are Kubernetes Secrets encrypted by default?

No. By default, Kubernetes Secrets are only base64-encoded, which is not a secure encryption method. To secure them at rest, you must enable encryption in the kube-apiserver configuration using an encryption provider like AES-CBC or a KMS provider.

Can I update a Kubernetes Secret without restarting the Pod?

Yes, if the Secret is mounted as a volume. The file content in the volume is automatically refreshed after about 60 seconds. However, if the Secret is injected as an environment variable, the Pod must be restarted to pick up the new value.

What is a dynamic secret in the context of Secrets Management?

A dynamic secret is a temporary credential generated on demand by a secrets vault, such as a database password that expires after a short time. The vault creates the credential, gives it to the application, and automatically revokes it when the lease expires. This is more secure than a static secret.

How do I restrict which Pods can access a specific Kubernetes Secret?

Create a Kubernetes ServiceAccount for the Pod, then create an RBAC Role that allows get/list on Secrets, and bind that Role to the ServiceAccount using a RoleBinding. Set the Pod's serviceAccountName to that ServiceAccount. This ensures only that Pod can read the Secret.

What is a SealedSecret and how is it different from a regular Secret?

A SealedSecret is a custom resource that encrypts a Kubernetes Secret so it can be safely stored in Git. The encryption uses a public key, and only the Sealed Secrets controller in the cluster can decrypt it into a regular Secret. It is for secure storage in version control, not for runtime secrets management.

Should I use native Kubernetes Secrets or an external vault like HashiCorp Vault?

Native Secrets are simpler and good for basic use cases with static secrets and encryption at rest enabled. An external vault provides advanced features like dynamic secrets, automatic rotation, fine-grained audit logging, and cross-cloud capabilities. Choose based on your security requirements and operational complexity.

Summary

Secrets Management is a fundamental security practice in modern IT infrastructure, especially for cloud native environments like Kubernetes. It involves storing, controlling access to, and rotating sensitive information — such as passwords, API keys, and certificates — in a secure and automated way. Without proper Secrets Management, credentials are often hardcoded in code, stored in plaintext configuration files, or committed to version control, all of which create severe security risks.

In the context of the CNCF CKA and other Kubernetes certifications, you must understand that native Kubernetes Secrets are not secure by default: they are only base64-encoded and require additional measures like encryption at rest and RBAC to be safe. The exams test your ability to create, inject, and update Secrets using volumes rather than environment variables, and you should be aware of the difference between static and dynamic secrets. For production systems, consider using an external vault like HashiCorp Vault for advanced features like dynamic credentials and automatic rotation.

Remember the key exam traps: base64 is not encryption, environment variables do not update automatically, and Secrets should never be stored in Git without encryption. Mastering Secrets Management will not only help you pass your certification but also make you a more effective and security-conscious engineer.