A SYSTEMATIC METHODOLOGY FOR THE EVALUATION AND SELECTION OF SECRETS MANAGEMENT SYSTEMS IN KUBERNETES
Authors: Yurii Kulyk, Yuriy Lakh
Affiliation: Lviv Polytechnic National University
Keywords: Kubernetes; secrets management; External Secrets Operator; Vault; Sealed Secrets; SOPS; CSI driver; GitOps; audit logging; multi-criteria decision analysis
ABSTRACT. Selecting a secrets management system for Kubernetes is not a beginner's task: it requires weighing the trade-offs among security controls, operational burden, compliance evidence, performance, and total cost. Kubernetes has a native “Secret” object, but the official documentation cautions that Secrets are stored unencrypted by default in the backing store and that authorisation to create workloads can indirectly expose them. These circumstances motivate stronger controls and, in many environments, the use of external secret stores. Recent research reinforces the finding that secrets held in the platform are frequent attack targets: studies document widespread Kubernetes misconfigurations, such as hard-coded credentials in manifests, and privilege-escalation paths through excessive permissions granted to cluster add-ons, both of which can significantly widen the blast radius of a secret exposure. The goal of this article is therefore to contribute a repeatable methodology for evaluating secrets management systems based on multi-criteria decision analysis. The methodology starts with the definition of an environment profile, translates security, operational, compliance and cost objectives into measurable criteria with a 0-5 scoring rubric, elicits weights (either simple weights or the analytic hierarchy process), builds a decision matrix, and runs a sensitivity analysis to see how the recommendation changes when priorities shift. It is tested on a baseline set of Kubernetes secret management approaches: hardened Kubernetes Secrets; Sealed Secrets and SOPS (GitOps approaches); External Secrets Operator; Vault; and one commercial operator.
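The evaluation pipeline the abstract describes (0-5 rubric scores, AHP weights derived from pairwise judgements with a consistency check, a weighted decision matrix, and a sensitivity sweep over the weights), carried through in Python as an added example. This is not code from the paper: the four criteria, the alternatives' scores and the pairwise judgements are constructed assumptions chosen only to exercise the method.

```python
"""Weighted decision matrix with AHP-derived weights and a weight-shift sensitivity
check, illustrating the methodology sketched in the abstract. All scores and
pairwise judgements below are constructed for demonstration, not measured values."""
from math import prod

# Criteria in fixed order; alternatives are scored on the abstract's 0-5 rubric.
CRITERIA = ["security", "operations", "compliance", "cost"]

# Constructed, illustrative 0-5 scores per alternative (hypothetical profile).
SCORES = {
    "hardened Kubernetes Secrets": [2, 5, 2, 5],
    "Sealed Secrets / SOPS":       [3, 4, 3, 4],
    "External Secrets Operator":   [4, 3, 4, 3],
    "Vault":                       [5, 2, 5, 2],
}

# Constructed Saaty 1-9 pairwise judgements, row i vs column j (security-heavy profile).
PAIRWISE = [[1, 3, 2, 4], [1/3, 1, 1/2, 2], [1/2, 2, 1, 3], [1/4, 1/2, 1/3, 1]]

def ahp_weights(pairwise):
    """Criterion weights from a reciprocal pairwise matrix via normalised row geometric means."""
    gm = [prod(row) ** (1 / len(row)) for row in pairwise]
    return [g / sum(gm) for g in gm]

def consistency_ratio(pairwise):
    """Saaty's consistency ratio; above 0.10 the pairwise judgements should be revisited."""
    n, w = len(pairwise), ahp_weights(pairwise)
    lam = sum(sum(pairwise[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return ((lam - n) / (n - 1)) / {3: 0.58, 4: 0.90, 5: 1.12}[n]  # Saaty random-index table

def rank(scores, weights):
    """Weighted-sum decision matrix: alternatives best-first with their totals."""
    totals = {a: sum(s * w for s, w in zip(v, weights)) for a, v in scores.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def flip_threshold(scores, weights, src, dst, step=0.05):
    """Smallest weight moved from criterion `src` to `dst` (in `step` increments) that
    changes the top-ranked alternative; None if the recommendation never changes."""
    i, j = CRITERIA.index(src), CRITERIA.index(dst)
    base, k = rank(scores, weights)[0][0], 1
    while k * step <= weights[i] + 1e-9:
        w = list(weights)
        w[i] -= k * step
        w[j] += k * step
        if rank(scores, w)[0][0] != base:
            return round(k * step, 4)
        k += 1
    return None

if __name__ == "__main__":
    w = ahp_weights(PAIRWISE)
    print("weights:", dict(zip(CRITERIA, (round(x, 3) for x in w))))
    print("consistency ratio:", round(consistency_ratio(PAIRWISE), 3))
    print("ranking:", rank(SCORES, w))
    print("flip security->operations at:", flip_threshold(SCORES, w, "security", "operations"))
```

With the constructed security-heavy judgements Vault ranks first, and the sweep shows the recommendation holds until roughly a quarter of the total weight moves from security to operations, which is the kind of stability statement the sensitivity step is meant to produce.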
References:
Bitnami. 2026. “Sealed Secrets.” Accessed February 10, 2026. https://github.com/bitnami-labs/sealed-secrets
CNCF. 2026. “SOPS: Secrets OPerationS.” Accessed February 18, 2026. https://getsops.io/docs
HashiCorp. 2026. “Vault Agent Injector.” Accessed March 2, 2026. https://developer.hashicorp.com/vault/docs/deploy/kubernetes/injector
IEEE Xplore. 2025. “KubeKeeper: Protecting Kubernetes Secrets Against Excessive Permissions.” IEEE conference publication, June 30, 2025. https://doi.org/10.1109/EuroSP63326.2025.00027
The Linux Foundation. 2025. “ExternalSecret - External Secrets Operator.” June 22, 2025. Accessed February 25, 2026. https://external-secrets.io/latest/api/externalsecret
The Linux Foundation. 2025. “Good practices for Kubernetes Secrets.” June 22, 2025. https://kubernetes.io/docs/concepts/security/secrets-good-practices
The Linux Foundation. 2024. “Kubernetes Secrets.” November 20, 2024. https://kubernetes.io/docs/concepts/configuration/secret
Meli, Michael, Matthew R. McNiece, and Bradley Reaves. 2019. “How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories.” Network and Distributed System Security Symposium (NDSS). https://doi.org/10.14722/ndss.2019.23418
1Password. 2026. “Kubernetes Operator.” Accessed March 5, 2026. https://developer.1password.com/docs/k8s/operator
Rahman, Akond, Shazibul Islam Shamim, Dibyendu Brinto Bose, and Rahul Pandita. 2023. “Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study.” ACM Transactions on Software Engineering and Methodology 32 (4): 1-36. https://doi.org/10.1145/3579639
Saaty, Thomas L. 2008. “Decision Making With the Analytic Hierarchy Process.” International Journal of Services Sciences 1 (1): 83-98. https://doi.org/10.1504/ijssci.2008.017590
Souppaya, Murugiah, John Morello, and Karen Scarfone. 2017. “Application Container Security Guide.” NIST Special Publication 800-190. National Institute of Standards and Technology, U.S. Department of Commerce, September 2017. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
Yang, Nanzi, Wenbo Shen, Jinku Li, Xunqi Liu, Xin Guo, and Jianfeng Ma. 2023. “Take Over the Whole Cluster: Attacking Kubernetes via Excessive Permissions of Third-party Applications.” In CCS ’23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, November 15, 2023, 3048-3062. https://doi.org/10.1145/3576915.3623121