
Security. K8s secrets present their data in the clear to anyone who can view it or list or watch secrets. Cloud secret managers provide a separate decrypt operation, along with builtin features like auditing and versioning.

> _for example_, be stored in ETCD differently (encrypted at rest for example).

Cloud provider k8s clusters are deployed with encryption at rest for ETCD now. If secrets were doubly encrypted at rest that wouldn't fix how their secret values are exposed in what should be just a metadata listing.

> From the point of view of the process running inside the container, there is absolutely no difference between a sensitive configuration value and a non-sensitive configuration value. When this value reaches your process it is in cleartext.

This model is desirable for convenience, but not for security. In order to securely handle a secret properly, the process needs to know that it is handling a secret. This can help to ensure secrets are not accidentally logged. For higher levels of security, it also helps to periodically refresh secrets so that they can be given as expiring tokens.
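As an added illustration of the process-side point above (not code from the thread or from any Kubernetes project), here is a small Python wrapper type that makes a process aware it is holding a secret: the value is redacted from `str()`, `repr()`, f-strings, `%s` log formatting and JSON, the cleartext is only reachable through one explicit `reveal()` call, and a second class refreshes the value from a provider callback once its lease expires. The names `SecretValue`, `ExpiringSecret`, `safe_json` and `formatted_log_line` are assumptions for this example; the fetch callback stands in for whatever secret manager or token endpoint you actually use.

```python
"""Added example (not from the HN thread): make a process aware it holds a
secret so the value cannot leak through accidental logging or serialization,
and refresh it when its lease expires. All names here are hypothetical."""
import json
import logging
from typing import Callable, Optional, Tuple

REDACTED = "***REDACTED***"


class SecretValue:
    """Holds a sensitive string; every implicit conversion path is redacted."""

    # No __dict__, so vars()/dump helpers cannot print the value by accident.
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """The one explicit path to the cleartext, so every use is greppable."""
        return self._value

    def __str__(self) -> str:          # "%s" % secret, str(secret)
        return REDACTED

    def __repr__(self) -> str:         # repr(secret), debugger/REPL output
        return f"SecretValue({REDACTED})"

    def __format__(self, spec: str) -> str:  # f"{secret}", format(secret)
        return REDACTED


def _redact_default(obj):
    """json.dumps hook: redact SecretValue, reject anything else unknown."""
    if isinstance(obj, SecretValue):
        return REDACTED
    raise TypeError(f"not JSON serializable: {type(obj).__name__}")


def safe_json(obj) -> str:
    """Serialize config for logging/metrics with secrets redacted."""
    return json.dumps(obj, default=_redact_default)


def formatted_log_line(secret: SecretValue) -> str:
    """Render a log record exactly as the logging module would."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0,
                               "token=%s", (secret,), None)
    return logging.Formatter("%(levelname)s %(message)s").format(record)


class ExpiringSecret:
    """Caches a SecretValue and re-fetches it once its lease has expired.

    fetch() returns (cleartext, ttl_seconds); clock() returns monotonic time
    (injectable so refresh behaviour can be tested without sleeping).
    """

    def __init__(self, fetch: Callable[[], Tuple[str, float]],
                 clock: Callable[[], float], refresh_margin: float = 0.0):
        self._fetch = fetch
        self._clock = clock
        self._margin = refresh_margin       # refresh this many seconds early
        self._cached: Optional[SecretValue] = None
        self._expires_at = float("-inf")
        self.refresh_count = 0

    def get(self) -> SecretValue:
        now = self._clock()
        if self._cached is None or now >= self._expires_at - self._margin:
            cleartext, ttl = self._fetch()
            self._cached = SecretValue(cleartext)
            self._expires_at = now + ttl
            self.refresh_count += 1
        return self._cached


if __name__ == "__main__":
    # Constructed sample: a fake provider handing out 60-second tokens.
    counter = [0]
    def fake_fetch() -> Tuple[str, float]:
        counter[0] += 1
        return f"token-{counter[0]}", 60.0

    now = [0.0]
    lease = ExpiringSecret(fake_fetch, clock=lambda: now[0])
    print(formatted_log_line(lease.get()))            # INFO token=***REDACTED***
    print(safe_json({"db_password": lease.get(), "host": "db"}))
    now[0] = 60.0
    lease.get()
    print("refreshes:", lease.refresh_count)          # 2
```

The design choice worth noting is that the only way to obtain cleartext is the explicit `reveal()` call: code review and grep can then find every place a secret is actually consumed, while the default representations that logging, `print`, and JSON fall back on all show the redaction marker.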
