Secrets, the Detour and Hardening
DevOpsSecurity

Secrets, the Detour and Hardening

Part XI closes out at Secrets and the holes still left. We read etcd directly to confirm Secrets are encrypted at-rest since Article 5, then build a real detour: a ServiceAccount with no permission to read a Secret still extracts its value by creating a pod that mounts that Secret and reading the log. The article ends with a table of hardening steps for a self-built cluster — which are done in the series, which are still missing.

K
KaiMay 24, 2026· 21 views
ConfigMap and Secret
DevOpsConfigMap

ConfigMap and Secret

Don't bake configuration into the image — pull it into a ConfigMap for ordinary data, a Secret for sensitive data, then inject it via environment variables or files. This article opens Part VI with both: four ways to consume them, one key difference (files auto-update on edit, env doesn't), and the harsh truth that a Secret is only base64, not encrypted — unless you turn it on, which our cluster did in Article 5. Tested for real, dug into etcd.

K
KaiMay 24, 2026· 17 views
ConfigMap and Secret: Separating Configu...
DevOpsConfigMap

ConfigMap and Secret: Separating Configuration from the Image

The same image must run in dev, staging, production — meaning configuration cannot be baked into the image. ConfigMap holds ordinary configuration, Secret holds sensitive data. This article: creating and injecting them into a pod via environment variables and files, with an important warning about 'a Secret is just base64'.

K
KaiMay 23, 2026· 48 views