by gscho 1547 days ago
I think calling it a secret when it isn’t gave it a bad rap. The last time I looked at the documentation it didn’t even clearly describe that it is not a secure object (that may have changed recently). Why call it a secret when it is not even close to one? I guess thing-to-store-secrets-if-you-use-rbac was too long.
2 comments

If you don't use RBAC (or some other ACL mechanism) then it's already game over, everyone with access to your cluster already has full root access.
But it can be a secret. You can store Base64-encoded, encrypted data.

And you can encode it for example using an external KMS.

Yes I understand that. My point is until you configure it in that way it is not “secret” and the name of the object is a bit misleading, especially when first learning k8s.
Is that built-in though? Because if it isn’t then it is a bit silly to call it a secret.