Hi Damien, no worries. Thanks for watching.

Hi Shai, thanks for watching this video and taking time to comment. Yes you are right. The reason I was surprised is that when I was doing a test run of this video, it behaved differently. Thanks, Venkat

yes, env won't get updated, but volume can be updated dynamically

Yeah I realized that later. Thanks.

Hi, thanks for watching this video. I have done couple of videos on ingress topic. One based on Nginx ingress and the other on Traefik. Please find them in the below links. kzbin.info/www/bejne/mZnaoJmvfNdrZsU kzbin.info/www/bejne/d5Czm515gpaYgqM Thanks

Hi, thanks for watching this video.

Hi Jagan, thanks for watching. Here is my full kubernetes playlist kzbin.info/www/bejne/j6vEiqSujJWqfdU And here is a video about dynamic volume provisioning kzbin.info/www/bejne/eneWp2WGbaqBe8k

Hi Thamarai, you are welcome and thanks for your interest in this series.

Hi, Thanks for watching this video.

HI Gaurav, thanks for watching.

Hi Vivek, Thanks for watching. Yes, Vault is in my list. Will cover it at some point. Cheers.

Hi Joe, thanks for your interest in this channel. Cheers.

You are welcome and thanks for watching this video.

Hi Roman, thanks for watching.

Hi Laurent, Thanks for watching my video and thanks for bringing this to the table. Very valid point. By default Kubernetes secrets are all base64 encoded. And can be accessed and decoded by anyone having access to the cluster. Well you can fine tune acess control like creating a namespace and creating secrets in that namespace. Then restrict access to those who want it for that namespace. And in that namespace restrict access to properties like "watch", "get", "list" for the secret resource. But those add lot more complexities and still its not the best way. None of the nodes in the cluster will store the secrets in their local filesystem anywhere. When a pod requests a secret, it gets pulled from the etcd datastore and stored in tmpfs (temporary filesystem in memory) and get removed after the lifecycle of the pod. So basically the secrets are stored in plaintext in the etcd datastore. If you are not aware of etcd, its a datastore where Kubernetes cluster data is stored as key value pairs. If you have access to the etcd node, you can retrieve those secrets using etcdctl command I think. If you want to encrypt the secrets in etcd datastore you can follow below link, kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ Or you can use Key Management Service (KMS) for encrypting data in the etcd. AWS has KMS service. Still it doesn't solve the main issue you pointed out. For that I think Hashicorp's Vault service may give some security. But I haven't tried it yet. Basically you run this Vault service either within Kubernetes cluster or externally on a virtual machine or physical server. You can then use the Vault to store secrets. Thanks, Venkat

Thats what Kubernetes uses to store the secrets - base64 encoding and it is not supposed to substitute encryption. In fact, Kubernetes does not encrypt the secrets by default and they are stored unencrypted at rest. There is a separate object starting v1.7 called EncryptionConfig that can be used to encrypt secrets at rest (i.e. in etcd).

Yeah. I was covering the fundamental concepts in K8s. And vault is in my to do list. Thanks for reminding me.

@@justmeandopensource when do you plan to record it? I know now you are focusing on MongoDB tutorials.

@@waterkingdom9839 MongoDB is a separate series. My commitment is to release a video every Monday for Kubernetes and one for MongoDB. I have another 4 for k8s waiting to be released in the coming Mondays. Even if I record now, it will be released after 5 weeks. Thanks.

@@justmeandopensource OK...looking forward to your new videos.

@@waterkingdom9839 Thanks.

Thanks for watching Abhishek.

Hi Bala, thanks for watching this video. Yes in Kubernetes if you secrets, they are not really secrets unless you protect your repository and use it in a namespace where you restrict users. Otherwise you can use Hashicorp's Vault for managing secrets externally. There is a good blog post about it which you can check in the below link. blog.kubernauts.io/managing-secrets-in-kubernetes-with-vault-by-hashicorp-f0db45cc208a Thanks.

@@justmeandopensource Thanks, Venkat. Really appreciate your help.

@@balasekharnelli9218 No worries. You are welcome.

Thanks. I will add it to my list.

Hi Rahul, thanks for watching. I will add it to my list. Cheers.

I am stuck at this.. There is scarce info about it.. There is only tls.crt and tls.key What if I have only signed ca.crt from the CA directly?

Hi Faisal, thanks for watching. Have you checked what if you skip that line? Basically I want the busybox container to run for some time before exiting as I want to test the secrets mounted. If you skip that line, the pod will error/crashloopbackoff. Just try it and see it for yourself. Cheers.

Thanks for the clarification. I understand its not encryption but encoding.

Hello

@@justmeandopensource I need some help for how to pass kubernets secret value into deployment yaml, can you please help me out please