Secret Rotation in Kubernetes Is a Deployment Problem
Over the last few weeks, while revisiting how secrets are handled in Kubernetes platforms, one pattern stood out clearly: secret rotation is often treated as an application concern. In practice, rotation stops at the infrastructure boundary. This distinction sounds subtle, but it has real operational consequences.

The fundamentals are usually not the issue

Most mature platforms already get the basics right:

- Secrets are externalized into a managed system (for example, AWS Secrets Manager)
- Workloads authenticate via identity (IRSA), not static credentials
- Kubernetes acts as a delivery plane
- GitOps governs declared intent and change history

These choices answer an important question: who may access secrets.

...
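As an added example (not from the article), a small audit that a GitOps pipeline could run over rendered manifests to enforce the IRSA principle listed above: every workload's ServiceAccount must carry the EKS role annotation, and no container may receive static AWS credentials through env vars. The manifests, namespaces, role ARN and image names are constructed; only the `eks.amazonaws.com/role-arn` annotation and the AWS env var names are real.

```python
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # EKS annotation binding an IAM role to a ServiceAccount
STATIC_AWS_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def audit(manifests):
    """Return findings for workloads that bypass IRSA: a ServiceAccount without the role
    annotation, or static AWS credentials injected via env (literal or secretKeyRef)."""
    # Map (namespace, name) -> IAM role ARN (or None) for every ServiceAccount.
    sa_roles = {}
    for m in manifests:
        if m["kind"] == "ServiceAccount":
            key = (m["metadata"].get("namespace", "default"), m["metadata"]["name"])
            sa_roles[key] = m["metadata"].get("annotations", {}).get(IRSA_ANNOTATION)

    findings = []
    for m in manifests:
        if m["kind"] not in WORKLOAD_KINDS:
            continue
        ns = m["metadata"].get("namespace", "default")
        ref = f"{ns}/{m['metadata']['name']}"
        pod = m["spec"]["template"]["spec"]
        sa = pod.get("serviceAccountName", "default")  # Kubernetes default when unset
        if not sa_roles.get((ns, sa)):
            findings.append(f"{ref}: ServiceAccount {sa!r} lacks {IRSA_ANNOTATION}")
        for c in pod.get("containers", []):
            for env in c.get("env", []):
                if env["name"] in STATIC_AWS_KEYS:
                    src = "literal value" if "value" in env else "secretKeyRef"
                    findings.append(f"{ref}/{c['name']}: static {env['name']} injected via {src}")
    return findings


# Constructed sample manifests (dicts, as a YAML loader would produce them).
GOOD = [
    {"kind": "ServiceAccount", "metadata": {"name": "payments", "namespace": "prod",
     "annotations": {IRSA_ANNOTATION: "arn:aws:iam::123456789012:role/payments-example"}}},
    {"kind": "Deployment", "metadata": {"name": "payments", "namespace": "prod"},
     "spec": {"template": {"spec": {"serviceAccountName": "payments",
              "containers": [{"name": "app", "image": "example/payments:1.0"}]}}}},
]
BAD = [
    {"kind": "Deployment", "metadata": {"name": "legacy", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [{"name": "app", "image": "example/legacy:1.0",
              "env": [{"name": "AWS_ACCESS_KEY_ID",
                       "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "id"}}}]}]}}}},
]

if __name__ == "__main__":
    print(audit(GOOD), audit(BAD))
```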