K8s External Secrets

Developed by godaddy and given back to the community, External Secrets fill the gap between K8s secrets and secure credential storage.

Externals secrets are defined as K8s resources like this:

apiVersion: ''
kind: ExternalSecret
  name: dockerconfigjson
  namespace: someorg
  backendType: secretsManager
    - /someorg/dockerconfig_secret

In this case we have contacted AWS Secrets Manager to get the someorg/dockerconfig_secret secret. K8s namespace limit access to resources in the same namespace.

External secrets works by contacting a credential provider selected by backendType, eg AWS Secrets Manager and then creates a regular K8s secret if it can retrieve the value.

This gives transparent access to secrets from K8s while leaving the credential store as the point-of-truth for the secret value.

Post comment