https://falcao.org/tags/external-secrets/Recent content in External-Secrets on Danilo Falcão da SilvaHugoen-usWed, 20 May 2026 22:25:00 -0300https://falcao.org/posts/kubernetes-secrets-aws-azure-gcp-onprem/Wed, 20 May 2026 22:25:00 -0300https://falcao.org/posts/kubernetes-secrets-aws-azure-gcp-onprem/<p>The Kubernetes <code>Secret</code> object is a YAML manifest with a base64-encoded value in it. That&rsquo;s the entire encryption story. Anyone with <code>get</code> permission on the namespace can read every credential the workload holds. <strong>Base64 is not encryption.</strong> It is barely obfuscation.</p> <p>Teams discover this the wrong way — usually during a security review, occasionally during an incident — and the next question is always the same: <em>so where do the real secrets live?</em></p>