Hacker News
by shykes 3154 days ago
You're correct that Kubernetes 1.3 introduced a "secrets" API resource, but it was backed by a naive implementation which did not encrypt secrets at rest. This made it impractical for production.

Encryption at rest was introduced in Kubernetes 1.7, making it usable in production. This was done in collaboration with the Docker security team, which had previously implemented encryption at rest in Swarm.

Further reading:

https://github.com/kubernetes/kops/issues/3356

https://kubernetes.io/docs/tasks/administer-cluster/encrypt-...

https://docs.docker.com/engine/swarm/secrets/#about-secrets