search
Go to websiteSupportStatusLoginSign up

Secrets Management

How Taloflow stores and delivers runtime secrets (and why we avoid env vars).

hashtag
Scope

This page covers how Taloflow handles application secrets in Kubernetes.

It focuses on how secrets are stored, scoped, and mounted at runtime.

hashtag
Approach

Taloflow delivers runtime secrets to workloads using Kubernetes Secrets mounted as files.

We avoid injecting secrets via environment variables.

hashtag
Kubernetes Secret volume security layers

When a secret is mounted as a volume, Kubernetes provides multiple layers of protection.

  1. tmpfs: Secret volumes are memory-backed by default. They are not written to node disk.

  2. readOnly: true: Pods can’t modify mounted secret files.

  3. defaultMode: 0400: Secret files are readable only by the owner (typically root).

  4. Namespace isolation: A Secret only exists in its namespace. Other namespaces can’t reference it.

  5. Encryption at rest (etcd): Kubernetes can encrypt Secrets at rest in etcd.

  6. No env var exposure: Secret files are not present in the process environment table.

circle-info

Security is defense-in-depth. The mount settings reduce accidental leakage. RBAC still governs who can read the Secret via the API.

hashtag
Why we avoid environment variables for secrets

Environment variables are easy to leak.

Common paths:

  • Included in debug output and crash dumps.

  • Visible in some process inspection workflows.

  • Accidentally echoed by startup scripts.

Mounting secrets as files reduces these risks.

hashtag
Validation notes (for audits and questionnaires)

If you’re validating Taloflow’s Kubernetes secret posture, typical checks include:

  • Secret volumes are mounted read-only.

  • Secret volume file mode is restricted (for example, 0400).

  • Workloads cannot access secrets outside their namespace.

  • Secrets are encrypted at rest in the cluster backing store (etcd).

PreviousEvaluation Data RetentionNextSecurity Operations

Last updated

Was this helpful?