
Imagine a complex deployment with many dependencies that needs to connect to lots of things, and where the secrets are only used in the current namespace by this one complex deployment.

Would you recommend having many secrets:

  • certificates.yaml
  • redis-password.yaml
  • gcp-credentials.yaml
  • etc….

Or one secret for the deployment with lots of keys:

apiVersion: v1
kind: Secret
metadata:
  name: all-the-secrets
# stringData takes plain text; the API server base64-encodes it into data.
# Values below are placeholders, not real credentials.
stringData:
  redis-password: asdfa
  certificate-key: asdfadf
  certificate-crt: adfadf
  ...

The secrets will be used as environment variables:

env:
  - name: redis-password
    valueFrom:
      secretKeyRef:
        name: secret-name   # the Secret object to read from
        key: key-name       # one key inside that Secret

And why is one better than the other?

Ps. They will all be encrypted with kubeseal

3 Answers

  1. There is no difference for your pod whether it's many secrets or one. Whenever there's a change, your pod needs to know about it. The suggestion is: if your files are independent, then keep them separate to avoid changing the same secret again even if there's a change in one single file. This will only help you in managing your secrets. This will also help if you want to have different RBAC for different secrets.
    If you are not planning to change them, then one secret is also fine.

  2. You should only expose sensitive data to pods that use that data. Many smaller secrets have a tradeoff in managing many different objects, but they have an important advantage: isolation and separation of concerns.

    If you check the docs, secrets are sent only to nodes where a pod needs them. That being said, having 1 secret with all of your sensitive data kinda defeats the purpose, as it will be deployed on possibly all nodes and have all data exposed to all pods; even the data that a particular pod doesn't use will be visible.

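To make the points in answers 1 and 2 concrete, here is an added audit script that is not part of the thread. It works on constructed in-memory objects shaped like Kubernetes Secrets, Pods, Roles and RoleBindings (a real run would load them with `kubectl get -o json`), and reports for each Secret which pods consume it, which keys no pod uses, and which RBAC subjects can read it without consuming it. The Secret, Pod and Role names are made up for the example; the monolithic "all-the-secrets" layout mirrors the question.

```python
"""Secret exposure audit: which pods and RBAC subjects see each Secret.

Added example, not from the thread. All objects below are constructed
samples reduced to the fields that matter for the audit.
"""
from typing import Dict, List, Set

# Constructed sample Secrets: name -> keys. "all-the-secrets" is the
# monolithic layout from the question; the other two are per-purpose.
SECRETS: Dict[str, Set[str]] = {
    "all-the-secrets": {"redis-password", "certificate-key",
                        "certificate-crt", "gcp-credentials"},
    "redis-password": {"password"},
    "tls": {"tls.key", "tls.crt"},
}

# Constructed sample Pods, reduced to the PodSpec fields that pull in Secrets.
PODS: List[dict] = [
    {"name": "api", "serviceAccountName": "api",
     "containers": [{"env": [{"name": "REDIS_PASSWORD", "valueFrom": {
         "secretKeyRef": {"name": "all-the-secrets", "key": "redis-password"}}}]}],
     "volumes": []},
    {"name": "worker", "serviceAccountName": "worker",
     "containers": [{"env": [{"name": "REDIS_PASSWORD", "valueFrom": {
         "secretKeyRef": {"name": "redis-password", "key": "password"}}}]}],
     # A secret volume without `items` projects every key of the Secret.
     "volumes": [{"name": "tls", "secret": {"secretName": "tls"}}]},
]

# Constructed sample RBAC (subject = ServiceAccount name in this namespace).
# "read-all-secrets" is the broad rule answer 1 warns about; "read-redis-only"
# uses resourceNames to pin the grant to one Secret.
ROLES: Dict[str, List[dict]] = {
    "read-all-secrets": [{"verbs": ["get", "list"], "resources": ["secrets"]}],
    "read-redis-only": [{"verbs": ["get"], "resources": ["secrets"],
                         "resourceNames": ["redis-password"]}],
}
BINDINGS: List[dict] = [
    {"role": "read-all-secrets", "subject": "api"},
    {"role": "read-redis-only", "subject": "worker"},
]


def secret_keys_used(pod: dict, secrets: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return secret name -> keys the pod actually consumes.

    Note: the kubelet fetches the whole Secret to the node for any
    reference, so this measures use by the pod, not what reaches the node.
    """
    used: Dict[str, Set[str]] = {}
    for c in pod["containers"]:
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                used.setdefault(ref["name"], set()).add(ref["key"])
        for src in c.get("envFrom", []):
            ref = src.get("secretRef")
            if ref:  # envFrom exposes every key as an environment variable
                used.setdefault(ref["name"], set()).update(secrets.get(ref["name"], set()))
    for vol in pod.get("volumes", []):
        src = vol.get("secret")
        if src:
            name = src["secretName"]
            items = src.get("items")
            keys = {i["key"] for i in items} if items else secrets.get(name, set())
            used.setdefault(name, set()).update(keys)
    return used


def rbac_readers(roles: Dict[str, List[dict]], bindings: List[dict], secret_name: str) -> Set[str]:
    """Subjects whose bound Role lets them get or list this Secret."""
    readers: Set[str] = set()
    for b in bindings:
        for rule in roles.get(b["role"], []):
            if not set(rule.get("verbs", [])) & {"get", "list", "*"}:
                continue
            if not set(rule.get("resources", [])) & {"secrets", "*"}:
                continue
            names = rule.get("resourceNames")
            if names and secret_name not in names:  # pinned to other Secrets
                continue
            readers.add(b["subject"])
    return readers


def audit(secrets, pods, roles, bindings) -> Dict[str, dict]:
    """Per Secret: consuming pods, keys no pod uses, readers that don't consume it."""
    report: Dict[str, dict] = {}
    for name, keys in secrets.items():
        consumers: Dict[str, Set[str]] = {}
        consuming_sas: Set[str] = set()
        for p in pods:
            used = secret_keys_used(p, secrets).get(name)
            if used:
                consumers[p["name"]] = used
                consuming_sas.add(p["serviceAccountName"])
        used_keys = set().union(*consumers.values()) if consumers else set()
        report[name] = {
            "consumers": consumers,
            "unused_keys": keys - used_keys,
            "readers_not_consuming": rbac_readers(roles, bindings, name) - consuming_sas,
        }
    return report


if __name__ == "__main__":
    for secret, finding in audit(SECRETS, PODS, ROLES, BINDINGS).items():
        print(secret, finding)
```

On the constructed data the monolithic Secret shows three keys that no pod uses but that still travel to every node running the `api` pod, while the per-purpose Secrets show a different problem: the broad `read-all-secrets` Role lets the `api` service account read `redis-password` and `tls` although it consumes neither. Splitting Secrets is what makes the `resourceNames` pin in `read-redis-only` possible at all.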
  3. For a complex deployment that needs many secrets, check out cert-manager on Kubernetes. cert-manager creates and manages per-app certificates, keys and secrets for multiple applications, and these secrets can be mounted inside pods.

    cert-manager also ties into a variety of sources such as Let's Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed. More info is in:
