Blog
Thoughts on engineering, design, and building great products.
Secrets, the Detour and Hardening
Part XI closes out at Secrets and the holes still left. We read etcd directly to confirm Secrets are encrypted at-rest since Article 5, then build a real detour: a ServiceAccount with no permission to read a Secret still extracts its value by creating a pod that mounts that Secret and reading the log. The article ends with a table of hardening steps for a self-built cluster — which are done in the series, which are still missing.
ConfigMap and Secret
Don't bake configuration into the image — pull it into a ConfigMap for ordinary data, a Secret for sensitive data, then inject it via environment variables or files. This article opens Part VI with both: four ways to consume them, one key difference (files auto-update on edit, env doesn't), and the harsh truth that a Secret is only base64, not encrypted — unless you turn it on, which our cluster did in Article 5. Tested for real, dug into etcd.
ConfigMap and Secret: Separating Configuration from the Image
The same image must run in dev, staging, production — meaning configuration cannot be baked into the image. ConfigMap holds ordinary configuration, Secret holds sensitive data. This article: creating and injecting them into a pod via environment variables and files, with an important warning about 'a Secret is just base64'.