Secrets are the cornerstones of Kubernetes’ security model; they are used both by Kubernetes itself (e.g., service accounts) and by users (e.g., API keys). In this talk, we will discuss users’ options for protecting secrets in Kubernetes. We’ll start with an overview of how secrets are protected and mounted by default in Kubernetes. Then, we’ll cover improvements that have been made in recent releases, including secrets encryption (1.7), and KMS plugins (1.10 Alpha), and how these work with external providers like cloud KMS plugins and HashiCorp Vault. We’ll discuss the tradeoffs of these options based on your requirements. Lastly, we’ll demo how to use a KMS plugin with Kubernetes, and discuss planned improvements to the secrets system in Kubernetes. You’ll leave with an understanding of your secret management options, and an idea of which one is best for your particular needs.