By default, Kubernetes Secrets are not encrypted; values are merely base64 encoded. And this is fine — at least, this is what Mac argues in this episode of KubeFM. Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked. In this episode, you will learn: How to define a threat model to inform your security posture and mitigations. How Kubernetes Secrets offer sufficient guarantees for most common threat models. If you should use Hashicorp Vault or Kubernetes Secrets (and when not to use auto-unsealing). Mac also covers tips and advice on becoming a security expert. Find all the links and info for this episode here: https://kube.fm/kubernetes-secrets-mac Links Plain Kubernetes secrets are fine FluxCD kube-prometheus-stack Prometheus Operator Alert Manager Prometheus Grafana Gatekeeper Helm charts Gatekeeper policy for privilege pods Gatekeeper policy for Ingresses with wildcard hostnames Argo CD Kubernetes secrets etcd Base64 Threat model Formal methods to threat modeling Bitnami Sealed Secrets Hashicrop Vault Vault Shamir secret sharing Vault auto-unsealing HSM backed Vault Vault HA configuration "keep it secret, keep it safe." — Gandalf SWOT analysis Chaos Engineering by Kelly Shortridge