Online / 5 & 6 February 2022


Trousseau - the Kubernetes Key Management Service provider

How to keep all your Kubernetes secrets safe the native way

By design, Kubernetes will store secrets encoded in base64 within its etcd resulting in an insecure solution.
While a couple commercial and open-source solutions exist to solve this problem, they all call for a separate set of tools, skills and limitations along with hardstop from CISO and Security Architect. Kubernetes put in place a KMS provider plugin framework and Trousseau leverages it to solve the secret management using standard Kubernetes API secret objects and constructs.

While there are significant efforts to improve Kubernetes component layers, the state of Secret Management is not receiving much interests. Using etcd to store API object definition & states, Kubernetes secrets are encoded in Base64 and shipped into the key value store database. Even if the filesystems on which etcd runs are encrypted, the secrets are still not.

Instead of leveraging the native Kubernetes way to manage secrets, commercial and open source solutions solve this design flaw by leveraging different approaches all using different toolsets or practices. This leads to training and maintaining niche skills and tools increasing cost and complexity of Kubernetes day 0, 1 and 2.

Once deployed, Trousseau will enable seamless secret management using the native Kubernetes API and kubectl CLI usage while leveraging an existing Key Management Service (KMS) provider. How? By using using the Kubernetes KMS provider framework to provide an envelop encryption scheme to encrypt secrets on the fly.


Photo of Romuald Vandepoel Romuald Vandepoel