Can anyone please provide a brief comparison between Vault vs kubernetes to store secrets?
Vault --> Generic solution to store any secret
Kubernetes --> Specific to containerized applications
Thanks
Vault allows you to dynamically issue secrets for supported backends, and store secrets. Kubernetes only allows you to store secrets.
For example, you can dynamically issue TLS certificates if you configure a PKI Secrets Backend in vault:
https://www.vaultproject.io/docs/secrets/pki/
There are projects that allow you to automatically get a Vault Token (which can be exchanged for secrets) from Kubernetes pods dynamically:
provides a nice description of the approach:
https://github.com/kelseyhightower/vault-controller
a slightly more production ready version:
https://github.com/Boostport/kubernetes-vault
In addition to useful features, at my last check, Kubernetes Secrets weren't actually encrypted at rest nor was access terribly restricted by default (All Kubelets + the Dashboard could automatically access all secrets). That may have changed and there may be ways to lock it down further.
On the flip side, Kube Secrets are considerably easier to use (no special init containers or separate system to interact with; secrets just show up automatically as a ramdisk mount).
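Since the comment above mentions that Kubernetes Secrets were neither encrypted at rest nor access-restricted by default, here is an added example (not from this thread) of the two mechanisms that close those gaps: an API-server EncryptionConfiguration with the weak default shown next to the hardened setting, and an RBAC Role that limits a workload to a single named Secret. The namespace `payments`, Secret `db-credentials`, ServiceAccount `app` and the key placeholder are assumptions.

```yaml
# --- 1. Encryption at rest (passed to kube-apiserver via
#        --encryption-provider-config=/path/to/this/file) ---
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # Hardened: the first provider is used for writes, so new and
      # rewritten Secrets are stored AES-CBC encrypted in etcd.
      - aescbc:
          keys:
            - name: key1
              secret: "<base64-encoded 32-byte key; placeholder, generate your own>"
      # 'identity' is the plaintext default. Listing it LAST keeps old
      # unencrypted Secrets readable until they are rewritten; listing it
      # FIRST (or alone) is the weak, default-equivalent setting.
      - identity: {}
---
# --- 2. Least-privilege access: one ServiceAccount may 'get' one Secret ---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments            # assumed namespace
  name: read-db-credentials
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]   # assumed Secret name; no 'list' verb,
    verbs: ["get"]                      # so other Secrets stay invisible
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: payments
  name: app-reads-db-credentials
subjects:
  - kind: ServiceAccount
    name: app                    # assumed workload identity
    namespace: payments
roleRef:
  kind: Role
  name: read-db-credentials
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i list secrets -n payments --as=system:serviceaccount:payments:app` should answer `no`, and rewriting existing Secrets (`kubectl get secrets -A -o json | kubectl replace -f -`) migrates them to the encrypted form.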
That's simply describing "things you get by owning the orchestration layer" :-)
Vault + Nomad gives you the same nice semantics too.