“The secrets were readable to anyone with access to our etcd nodes.”
There’s no real timeframe for the observations in the article, but etcd secret encryption at rest has been about for a while (/tasks/administer-cluster/encrypt-data/),
though sadly utterly useless in the context of EKS/AKS/GoogleK8 as it requires the extra flag setting on the API.
Did you consider https://github.com/banzaicloud/bank-vaults for handling Vault, or Bitnami’s kubeseal for encrypting secrets in the cluster (https://engineering.bitnami.com/articles/sealed-secrets.html)?
Good read; always interesting to see how someone else managed the “turtles all the way down” security domain.
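Added example, not part of this comment or the article it replies to: a small Python check for the point raised above, that secrets in etcd are only protected at rest once the API server is configured for it. It classifies raw etcd values by the `k8s:enc:<provider>:<version>:<key-name>:` envelope prefix the kube-apiserver writes, and checks the provider ordering from an EncryptionConfiguration, where the first provider listed is the one used for writes. All function names are my own and the sample etcd values are constructed.

```python
"""Classify raw etcd values of Kubernetes resources as encrypted or plaintext.

The sample values below are constructed. In practice the raw bytes would come
from `etcdctl get --print-value-only /registry/secrets/<ns>/<name>` run
against the cluster's etcd with its client certificates (not shown here).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Envelope written by kube-apiserver for at-rest encryption:
# "k8s:enc:<provider>:<version>:<key-name>:" followed by the ciphertext.
_ENVELOPE = re.compile(rb"^k8s:enc:(?P<provider>[a-z]+):(?P<version>v\d+):(?P<key>[^:]+):")
_PROTOBUF_MAGIC = b"k8s\x00"  # plaintext protobuf-encoded objects start with this


@dataclass(frozen=True)
class EtcdValueReport:
    encrypted: bool
    provider: str | None
    key_name: str | None
    note: str


def classify_etcd_value(raw: bytes) -> EtcdValueReport:
    """Report whether one etcd value carries an encryption envelope."""
    m = _ENVELOPE.match(raw)
    if m:
        return EtcdValueReport(True, m["provider"].decode(), m["key"].decode(),
                               "encrypted by kube-apiserver at rest")
    if raw.startswith(_PROTOBUF_MAGIC):
        return EtcdValueReport(False, None, None, "plaintext protobuf object (identity provider)")
    return EtcdValueReport(False, None, None, "plaintext (no recognised envelope)")


def find_plaintext_keys(values: dict[str, bytes]) -> list[str]:
    """Return the etcd keys whose values are stored without an envelope."""
    return sorted(k for k, v in values.items() if not classify_etcd_value(v).encrypted)


def writes_are_encrypted(provider_order: list[str]) -> bool:
    """The first provider listed for a resource is used for writes, the rest
    only for reads, so `identity` first means new secrets land in the clear."""
    return bool(provider_order) and provider_order[0] != "identity"


# Constructed samples (not captured from a real cluster).
SAMPLE_VALUES = {
    "/registry/secrets/default/db-password": b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret" + b"\x00" * 8,
    "/registry/secrets/prod/api-token": b"k8s:enc:aescbc:v1:key1:" + bytes(32),
    "/registry/secrets/prod/tls": b"k8s:enc:kms:v2:cloud-kms:" + bytes(48),
}

if __name__ == "__main__":
    for key in find_plaintext_keys(SAMPLE_VALUES):
        print("PLAINTEXT:", key)
```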