Kubernetes HashiCorp Vault Falco DevSecOps Zero Trust

Vault dynamic secrets are elegant. Every pod gets a unique PostgreSQL identity that lives for 5 minutes, then dies. By the time an attacker does anything with a leaked credential, it's already gone. At least, that's the theory. This article is about the gap between the theory and what actually happens when someone gets a shell inside your pod — and how Falco closes it at the detection layer. Part 9 closes it at the kernel level with Tetragon.

Where We Left Off

Part 8 closed two concrete threats. First, encryption at rest — an attacker who steals a disk or exfiltrates an etcd backup gets nothing useful. Second, the Vault CSI Driver — Kubernetes Secrets no longer exist at all, so anyone with kubectl get secrets sees an empty list. Those were relatively clean wins. The threat we deferred at the end of Parts 7 and 8 is harder: A3 — Compromised workload. Pod exec, sidecar abuse, mounted ServiceAccount token. ...
MireCloud Homelab Series — Part 8
May 8, 2026 · Emmanuel Steven Catin · 12 min read
Kubernetes HashiCorp Vault Cilium Tetragon DevSecOps Zero Trust

TL;DR — Vault dynamic secrets give every pod a unique, time-limited PostgreSQL credential that rotates automatically every 5 minutes — without restarting the pod, without touching the application. That credential is gone before an attacker can do anything with it. And yet, an attacker with a shell inside the pod can read the current one in under a second. This article proves the gap on a live cluster, then closes it at the kernel level.

Where We Left Off

Part 7 was about proving, with raw bytes from etcdctl, that the industry-default Kubernetes setup stores every secret as plaintext on disk — and then closing that gap with two controls: Encryption at Rest — defeated the adversary who steals a disk or exfiltra...