HashiCorp Vault Dynamic Secrets - MireCloud Homelab Part 8

MireCloud Homelab Series · Part 8 · May 8, 2026 · Emmanuel Steven Catin · 12 min read

Tags: Kubernetes, HashiCorp Vault, Cilium, Tetragon, DevSecOps, Zero Trust

TL;DR: Vault dynamic secrets give every pod a unique, time-limited PostgreSQL credential that rotates automatically every 5 minutes, without restarting the pod and without touching the application. That credential is gone before an attacker can do anything with it. And yet an attacker with a shell inside the pod can read the current one in under a second. This article proves the gap on a live cluster, then closes it at the kernel level.

Where We Left Off

Part 7 was about proving, with raw bytes from etcdctl, that the industry-default Kubernetes setup stores every secret as plaintext on disk, and then closing that gap with two controls:

- Encryption at Rest: defeated the adversary who steals a disk or exfiltra...
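The teaser above names the gap (a shell inside the pod can read the current dynamic credential) and says the article closes it "at the kernel level" with Tetragon, but the article body is not on this page. The policy below is an added example, not the series' own configuration, of what such a kernel-level control looks like: a Cilium Tetragon TracingPolicy that sends SIGKILL to any process, other than the allowlisted binaries, that reads the rendered credential file. Everything pod-specific is an assumption chosen for illustration: that a Vault Agent sidecar (binary /bin/vault) templates the PostgreSQL credential to /vault/secrets/db-creds, that the application binary is /usr/local/bin/app, and that the workload runs in namespace api with the label app: api.

```yaml
# Added example (not from the MireCloud series): a Cilium Tetragon policy that
# kills any process other than the application binary when it reads the
# credential file Vault Agent renders into the pod.
#
# Assumptions (not stated on the page, chosen for illustration):
#   - the dynamic PostgreSQL credential is templated to /vault/secrets/db-creds
#     by a Vault Agent sidecar whose binary is /bin/vault
#   - the application binary is /usr/local/bin/app
#   - the workload pod carries the label app: api in namespace api
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: guard-vault-dynamic-creds
  namespace: api          # assumption: the application namespace
spec:
  podSelector:
    matchLabels:
      app: api            # assumption: label of the workload pod
  kprobes:
  # security_file_permission is the LSM hook every read()/write() passes
  # through; arg 0 is the struct file, arg 1 is the access mask.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"
    - index: 1
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/vault/secrets/"   # assumption: where the agent renders the creds
      - index: 1
        operator: "Equal"
        values:
        - "4"                 # MAY_READ: reads only, so the agent's writes pass
      # Any binary not on this allowlist is the attacker's shell or whatever it
      # spawned (cat, python, curl ...). The Vault Agent is listed because its
      # template renderer reads the destination file back to detect changes.
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/local/bin/app"
        - "/bin/vault"
      matchActions:
      - action: Sigkill       # kill the reader; the event is still emitted
```

Apply it with `kubectl apply -f`, then from a second terminal run `kubectl exec` into the pod and `cat /vault/secrets/db-creds`: the cat is killed and `tetra getevents -o compact` shows the process_kprobe event with the pod, binary and file path, which is what a SIEM rule would key on. Two caveats a practitioner should keep in mind. First, this guards the file, not the secret: a process with the application's UID can still pull the credential out of the app's memory via /proc/<pid>/mem or ptrace, so the policy is a layer on top of the short TTL and per-pod identity, not a replacement for them. Second, the mask match on MAY_READ means the agent's writes never hit the selector, but any renderer that reads the destination back (as the Vault Agent does) must be on the matchBinaries allowlist or the policy will kill your own sidecar.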
Recent posts

Kubernetes Secrets: Risks, Reality, and Secure Design - MireCloud Homelab Part 7

MireCloud Series · Part 7 · DevSecOps · ~15 min read · Kubernetes v1.34 · Reproducible lab

Your Kubernetes Secrets Are Not Safe. Here's the Forensic Proof — and the Fix. Why your Vault + ESO setup leaks plaintext credentials into etcd, and how to close the gap with Encryption at Rest and the Vault CSI Driver.

Tags: Zero Trust, Kubernetes v1.34, HashiCorp Vault, External Secrets Operator, Secrets Store CSI Driver, AES-CBC / AES-GCM / KMS v2, etcdctl, ArgoCD, Cilium Gateway API

TL;DR: If you run HashiCorp Vault with External Secrets Operator on Kubernetes, your application secrets are stored as plaintext bytes in etcd. Any operator with kubectl get secrets, any backup of your control plane, or any disk that ever held an etcd snapshot can recover them in seconds. This post proves it with a hexdump from a live cluster, then closes the gap with two layered controls: Encryption at Rest to prot...

MireCloud Building and Architecture - MireCloud Homelab Part 0

BUILDING MIRECLOUD: A Production-Grade Kubernetes Homelab from Scratch
BARE METAL · GITOPS · ZERO TRUST · OBSERVABILITY · LLM

Tags: Kubernetes, Cilium, Keycloak, Vault, ArgoCD, eBPF, OIDC, Prometheus
github.com/mirecloud/home_lab

A journey through bare metal, GitOps, OIDC, and the beautiful chaos of running enterprise-grade infrastructure in your living room.

There's a specific kind of madness that grips platform engineers at some point in their career. It usually starts with an innocent thought: "I should have a homelab." Then you buy one server. Then two. Then you're configuring etcd, arguing with NFS mount options at 1 AM, and explaining to your partner why the internet is down because you're "testing Cilium network policies." Welcome to MireCloud — my bare-metal Kubernetes homelab, built to mirror what real production infrastructure lo...