by notwedtm 1543 days ago
I think K8S secrets get a bad wrap. They are not intended to be secret in the sense that they are "kept from prying eyes by default". The secret object is simply a first-class citizen that differentiates it from a ConfigMap in a way that allows distinct ACLs.

Most organizations I know will still use something like ExternalSecret for source control and then populate the Secret with the values once in cluster and to an object with very few access points.
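To make the ACL point concrete, here is an added example that is not from the comment author: a namespace-scoped Role that lets a workload read ConfigMaps and Pods while granting nothing on Secrets, a separate Role for the few identities that do need a Secret, and a binding. Kubernetes RBAC is allow-only, so Secrets stay out of reach simply by not appearing in the first rule set. The namespace (`payments`), role names, the Secret name (`db-credentials`) and the ServiceAccount (`deploy-bot`) are placeholders.

```yaml
# Added example (not from the original post). RBAC has no "deny" rule:
# Secrets are unreachable through this Role because they are not listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments           # placeholder namespace
  name: app-reader
rules:
  - apiGroups: [""]
    resources: ["configmaps", "pods"]
    verbs: ["get", "list", "watch"]
---
# Separate Role for the small set of principals that may read a Secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]                       # no list/watch: those dump every Secret in the namespace
    resourceNames: ["db-credentials"]    # pin access to the one Secret this identity needs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: payments
  name: deploy-bot-reads-db-credentials
subjects:
  - kind: ServiceAccount
    name: deploy-bot                     # placeholder ServiceAccount
    namespace: payments
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

Check the result with `kubectl auth can-i get secrets --as=system:serviceaccount:payments:deploy-bot -n payments` (and the same for a subject bound only to `app-reader`, which should answer `no`). Two caveats a reviewer would raise: `resourceNames` only constrains `get`/`update`/`patch`/`delete`, not `list` or `watch`, so leaving those verbs out is what keeps the enumeration door shut; and anyone allowed to create Pods in the namespace can mount any Secret there as a volume or `envFrom`, so pod-create rights are effectively secret-read rights regardless of what the Secret rules say.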


I think calling it a secret when it isn’t gave it a bad wrap. The last time I looked at the documentation it didn’t even clearly describe that it is not a secure object (that may have changed recently). Why call it a secret when it is not even close to one? I guess thing-to-store-secrets-if-you-use-rbac was too long.
If you don't use RBAC (or some other ACL mechanism) then it's already game over, everyone with access to your cluster already has full root access.
But it can be a secret. You can store Base64-encoded, encrypted data.

And you can encode it for example using an external KMS.
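For readers wondering what "using an external KMS" looks like in practice, here is an added example that is not from this commenter: the kube-apiserver EncryptionConfiguration (passed with `--encryption-provider-config`) with a KMS v2 plugin as the write provider and `identity` last so Secrets written before encryption was enabled can still be read. The plugin name and socket path are placeholders; a KMS plugin (cloud-provider or self-hosted) must be listening on that socket.

```yaml
# Added example (not from the original post). Encryption at rest for Secrets in etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                 # add other kinds (e.g. configmaps) if they hold sensitive data
    providers:
      # The first provider is used for writes; all providers are tried in order for reads.
      - kms:
          apiVersion: v2        # KMS v2 API (GA from Kubernetes 1.29)
          name: example-kms-plugin                          # placeholder plugin name
          endpoint: unix:///var/run/kmsplugin/socket.sock   # placeholder socket path
          timeout: 3s
      # identity means plaintext. Keep it LAST so objects stored before this config
      # existed remain readable during migration; remove it once everything is rewritten.
      - identity: {}
```

After restarting the API server with this config, rewrite existing objects so they are stored encrypted: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Note what this does and does not buy you: it protects the etcd data (an `etcdctl get` no longer returns plaintext), but anyone who can `kubectl get secret` still receives the decoded value from the API server, so the RBAC separation from the top comment still matters. And the base64 in a Secret manifest is encoding for transport, not encryption; without this configuration the values sit in etcd in the clear.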

Yes I understand that. My point is until you configure it in that way it is not “secret” and the name of the object is a bit misleading, especially when first learning k8s.
Is that built-in though? Because if it isn’t then it is a bit silly to call it a secret.
I think you're looking for "bad rap" (as in "rap sheet"). A bad wrap is an unappetising tortilla.
If it's only base64 and not encrypted, that also seems like a bad wrap.
I've always seen it written as "bad rep" as in reputation.