MireCloud Series · Part 7 · DevSecOps

Your Kubernetes Secrets Are Not Safe. Here's the Forensic Proof — and the Fix.

Why your Vault + ESO setup leaks plaintext credentials into etcd, and how to close the gap with Encryption at Rest and the Vault CSI Driver.

Zero Trust · ~15 min read · Kubernetes v1.34 · Reproducible lab

Stack: HashiCorp Vault, External Secrets Operator, Secrets Store CSI Driver, AES-CBC / AES-GCM / KMS v2, etcdctl, ArgoCD, Cilium, Gateway API

TL;DR: If you run HashiCorp Vault with External Secrets Operator on Kubernetes, your application secrets are stored as plaintext bytes in etcd. Any operator with kubectl get secrets, any backup of your control plane, or any disk that ever held an etcd snapshot can recover them in seconds. This post proves it with a hexdump from a live cluster, then closes the gap with two layered controls: Encryption at Rest to prot...
Welcome to Emmanuel Steven's Blog! 🎯 Passionate about IT and new technologies, I share my expertise in DevOps, cloud infrastructure (AWS, Azure, Kubernetes), data analysis tools, and more. Whether you're a beginner or an experienced professional, this blog offers valuable resources to enhance your skills and optimize your projects.