πŸ”Kubernetes Secrets Are Not Encrypted Labs

🎯 Objective

Show that Kubernetes Secrets are only base64-encoded by default and not securely encrypted at rest without additional configuration.


🧰 Prerequisites

  • Kubernetes cluster

  • kubectl configured

  • Admin access to the cluster


🔹 Lab 1: Create a Simple Kubernetes Secret

kubectl create secret generic demo-secret --from-literal=username=admin --from-literal=password='SuperSecret123'

✅ A secret named demo-secret is created.


🔹 Lab 2: View the Secret Using kubectl

kubectl get secret demo-secret -o yaml

✅ Output:

🔍 The password and username fields are base64-encoded, not encrypted.


🔹 Lab 3: Decode the Secret Locally

Decode the username:

Decode the password:

✅ You retrieve the original credentials easily with base64.


🔹 Lab 4: Check How Secrets Are Stored in etcd

⚠️ Warning: Direct access to etcd is needed for real inspection; we simulate this.

Simulate reading etcd storage

If you had direct etcd access (for example on a control-plane node whose data directory is /var/lib/etcd), you would see that the stored secrets are still base64-encoded.

This proves that without encryption at rest enabled, secrets are only encoded, not securely encrypted.


🔹 Lab 5: How to Enable Secret Encryption (for Real Protection)

Edit the Kubernetes API server manifest (usually /etc/kubernetes/manifests/kube-apiserver.yaml) to include:

Sample encryption-config.yaml:

✅ This encrypts Secrets at rest using AES encryption.
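For Lab 4 and Lab 5 together, an added example that is not the lab's own files or commands: a POSIX shell script that generates a 32-byte key, writes an EncryptionConfiguration with an aescbc provider, prints the kube-apiserver flag that points at it, and checks whether a raw etcd value carries the `k8s:enc:aescbc:v1:` prefix that the aescbc provider writes. The path /etc/kubernetes/enc/encryption-config.yaml and the etcd certificate files under /etc/kubernetes/pki/etcd/ are assumptions based on kubeadm defaults; `read_etcd_secret` needs etcdctl on a control-plane node and is not exercised by the offline checks.

```shell
#!/bin/sh
# Added example (not the lab's own files): generate an AES-CBC key, write
# the EncryptionConfiguration, and check whether an etcd value is encrypted.
# Assumed paths (kubeadm defaults): /etc/kubernetes/enc/encryption-config.yaml
# for the config and /etc/kubernetes/pki/etcd/ for the etcd client certs.

# aescbc accepts 16-, 24- or 32-byte keys, base64-encoded; use 32 (AES-256).
gen_aescbc_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write the provider config. The first provider in the list is used for
# writes; `identity: {}` at the end lets the API server still read objects
# that were stored before encryption was switched on.
# $1 = output path, $2 = base64 key.
write_encryption_config() {
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $2
      - identity: {}
EOF
  # The file holds the key, so it is as sensitive as the Secrets themselves.
  chmod 600 "$1"
}

# Flag to add to the kube-apiserver command line in
# /etc/kubernetes/manifests/kube-apiserver.yaml. On kubeadm the directory
# holding the config must also be mounted into the static pod (hostPath).
# $1 = config path (defaults to the assumed path above).
apiserver_flag() {
  printf -- '--encryption-provider-config=%s\n' \
    "${1:-/etc/kubernetes/enc/encryption-config.yaml}"
}

# Read the raw etcd value of a Secret (needs etcdctl on a control-plane
# node; not run by the checks).  $1 = secret name, $2 = namespace.
read_etcd_secret() {
  ETCDCTL_API=3 etcdctl \
    --endpoints=https://127.0.0.1:2379 \
    --cacert=/etc/kubernetes/pki/etcd/ca.crt \
    --cert=/etc/kubernetes/pki/etcd/server.crt \
    --key=/etc/kubernetes/pki/etcd/server.key \
    get "/registry/secrets/${2:-default}/$1"
}

# A value written through the aescbc provider is stored as
# k8s:enc:aescbc:v1:<keyname>:<ciphertext>; anything else was written
# without encryption.  $1 = raw etcd value.  Returns 0 if encrypted.
is_encrypted_in_etcd() {
  case $1 in
    k8s:enc:aescbc:v1:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Objects stored before the flag was enabled stay unencrypted until they
# are rewritten; this re-saves every Secret through the API server.
reencrypt_all_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}
```

Two caveats that matter in practice: enabling the flag only protects objects written afterwards, so run `reencrypt_all_secrets` once the API server has restarted and then re-run `read_etcd_secret demo-secret` to confirm the `k8s:enc:aescbc:v1:` prefix; and the config file now holds the key that protects every Secret, so it needs the same file permissions and backup discipline as the etcd certificates. The aescbc provider is used here because it matches the lab's "AES encryption" wording; Kubernetes also offers `aesgcm`, `secretbox` and external KMS providers through the same configuration file.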


🔹 Lab 6: Clean Up


✅ Wrap-Up

  • ✅ Created and inspected a Kubernetes Secret

  • ✅ Verified Secrets are only base64-encoded by default

  • ✅ Learned how to enable true encryption for Secrets at rest

