11.07.19

Managing Kubernetes Secrets Using Secrets OPerationS

By JP La Torre

Kubernetes is incredibly popular largely thanks to its flexibility. It can also be deployed quickly thanks to its modularity. To maintain that modularity, however, you need to construct your cloud environment in a fluid and customizable way; that means making sure that ConfigMaps and Secrets are designed to be infrastructure agnostic.

Secrets, in particular, are easy to integrate with existing services. You can store sensitive configuration options—including tokens and user IDs—to keep the containers as easy to deploy as possible. In fact, a well-configured Secret allows for the containers to be deployed across multiple environments and clusters.

The one challenge in maintaining maximum flexibility is Secrets management. Secrets are only base64-encoded, not encrypted, so you still don't want to store sensitive information openly in them: a base64 string can be decoded with minimal effort, hence the need for better Secrets management. Fortunately, there are tools that simplify the process of managing Secrets.

Secrets OPerationS as a Solution

Open-source tools such as Secrets OPerationS are considered the better option when it comes to managing Kubernetes Secrets. Mozilla Secrets OPerationS is not tied to a particular cloud platform, which means you can use it with Amazon KMS and Google KMS easily. SOPS is also designed to work with GPG or a symmetric key, so you can use it to manage secrets stored in Git.

Encryption is another strong suit of Mozilla SOPS. While it is not as complex as tools like BlackBox, Mozilla Secrets OPerationS works well at encrypting whole Secrets files, and it handles partial encryption just as well. More importantly, you don't have to jump through hoops to complete these tasks. When handling key-value-based files like JSON and YAML, you can even encrypt the values while leaving the keys in plaintext.

As mentioned before, Mozilla SOPS works well with the Amazon and Google key management services. It can fetch encryption keys from the cloud seamlessly, and it can also encrypt Secrets without a cloud-based key. A simple sops command covers most operations; for example, sops -d filename.yaml decrypts the .yaml file.

Secrets OPerationS and Amazon KMS

Integrating Mozilla SOPS with Amazon KMS makes the tool even more powerful. You only need to pass the extra --kms parameter to use the cloud encryption key provided by KMS. SOPS automatically encrypts the value of every key in the Secret file while keeping the keys themselves intact. The result is a configuration file that can be stored safely alongside your code.

The configuration file can only be decrypted when access to your Amazon KMS key is granted. The --decrypt flag lets you tap into the encryption key just as seamlessly. You can then push the Secret to your cluster by decrypting it and passing the result to kubectl apply. Helm-secrets also makes the process of decrypting secrets and injecting them as Kubernetes Secrets much easier.

Keep in mind that SOPS is now written in Go. The older version, developed in Python, is no longer maintained, but you can still access it on GitHub if you want to use it. Another thing to note about Mozilla SOPS is its lack of dependencies: Mozilla Secrets OPerationS runs as a single binary and doesn't depend on other tools or services to function.

We cannot talk about using Mozilla SOPS with Amazon KMS without mentioning the tool's support for key policies and encryption context. You can attach parameters such as roles, environment types, and other details to the encryption process. Rotating the data key for maximum security is as easy as running sops -r filename.yaml.
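The KMS workflow described above (encrypt values only, decrypt on the fly into kubectl, rotate the data key, edit through $EDITOR), wrapped in shell functions as an added example that is not part of the original post. The KMS ARN and file names are placeholders, and the assert_encrypted guard is an assumed pre-commit check that refuses any Secret whose data values are not SOPS ENC[...] envelopes.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). KMS_ARN is a placeholder;
# set it to your own key before use.
set -euo pipefail

KMS_ARN="${KMS_ARN:-arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID}"   # placeholder

# Encrypt in place with a KMS-wrapped data key. Only the values under
# data/stringData are encrypted; key names and metadata stay readable.
encrypt_secret() {
  sops --encrypt --kms "$KMS_ARN" --encrypted-regex '^(data|stringData)$' \
       --in-place "$1"
}

# Decrypt on the fly and apply; the plaintext never touches disk.
apply_secret() {
  sops --decrypt "$1" | kubectl apply -f -
}

# Rotate the data key and re-encrypt every value (sops -r).
rotate_secret() {
  sops --rotate --in-place "$1"
}

# Open the decrypted content in $EDITOR; sops re-encrypts on save.
edit_secret() {
  sops "$1"
}

# Pre-commit guard (assumed helper): a sops: metadata block must exist and
# every value under data:/stringData: must be an ENC[AES256_GCM,...] envelope.
# Returns 0 when the file is safe to commit, 1 otherwise.
assert_encrypted() {
  local f="$1"
  grep -q '^sops:' "$f" || return 1
  awk '
    /^(data|stringData):/ { in_block = 1; next }
    /^[^ ]/               { in_block = 0 }
    in_block && /^[ ]+[^ ]+:[ ]+/ {
      sub(/^[ ]+[^ ]+:[ ]+/, "")            # keep only the value
      if ($0 !~ /^ENC\[AES256_GCM,/) exit 1  # plaintext value found
    }
  ' "$f"
}
```

Wire assert_encrypted into a Git pre-commit hook so a Secret that was edited outside sops, or never encrypted at all, cannot be committed.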

Additional Features

From the features we've discussed so far, it is easy to see how Mozilla SOPS lets you manage Kubernetes Secrets easily. The tool also has additional features that come in handy in an agile development cycle. My personal favorite is the built-in audit tool, which logs events by forwarding them to a database. The feature is a bit challenging to set up, but you will find it valuable once the /etc/sops/audit.yaml file is properly configured.

Support for $EDITOR is another extra feature offered by SOPS. As the variable name suggests, one simple command decrypts a Secret file and opens it in the editor you specify. The decryption happens on the fly without writing a plaintext copy of the file, so you can edit Secrets without the usual hassle of decrypting and re-encrypting them by hand.

To complete the set, SOPS lets you manage repositories and file permissions in great detail. Access to one file does not necessarily mean access to the whole repo. The tool lets you be very meticulous in managing access to Secrets and encrypted configuration files in your repository.

Managing Kubernetes Secrets using Mozilla Secrets OPerationS is very easy. The features and commands offered by this tool enable better management and sharing of Secrets without added security risk. While there are other tools designed to make managing Secrets simpler, Mozilla SOPS offers the right balance between advanced control and usability; it is definitely a tool to look into if you want to manage Secrets better.

For more on working with secrets, check out another in-depth guide here, Kubernetes Secrets Management.


Caylent provides a critical DevOps-as-a-Service function to high growth companies looking for expert support with Kubernetes, cloud security, cloud infrastructure, and CI/CD pipelines. Our managed and consulting services are a more cost-effective option than hiring in-house, and we scale as your team and company grow. Check out some of the use cases, learn how we work with clients, and read more about our DevOps-as-a-Service offering.