Comparison · Kubernetes secrets · Verified July 2026

Workload Secrets vs the secrets stack

Vault, OpenBao, ESO, Sealed Secrets, SOPS, cloud secret managers — useful tools for storing, syncing, mounting, or rotating secrets. The practical question is where usable plaintext appears after delivery. ASTIS adds a workload-bound decrypt boundary around that moment. Keep your stack. Add the boundary.

TL;DR. Kubernetes KMS is real protection for etcd-at-rest, and Vault/OpenBao can be the right authority for dynamic secrets. But most Kubernetes delivery patterns still end with usable plaintext in a Kubernetes Secret, pod file, environment variable, or provider mount. ASTIS Workload Secrets changes that last step: stored and routed values stay ciphertext, and plaintext exists only in the RAM of a live pod that passed workload-bound checks — including a sha256 allowlist over every running image, injected debug containers included.

In their own words

Not our claims — their documentation.

“Kubernetes Secrets are, by default, stored unencrypted in the API server’s underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd.”

Kubernetes documentation

“All data encryption keys (DEKs) will be cached in the clear once the server has unwrapped them via a call to the KMS.”

Kubernetes KMS v2 documentation

“Containers are not a security boundary, and the use of IAM roles for service accounts does not change this.”

AWS EKS documentation (IRSA)

Vault’s injector renders secrets as plaintext files into a shared volume at /vault/secrets — the docs’ own example shows a readable Postgres connection string.

HashiCorp Vault documentation

The plaintext boundary test

Each row asks where an operator, workload, pipeline, or agent can reach usable plaintext. Hover a mark for the deployment nuance.

ASTIS Workload Secretsk8s Secrets (+KMS)Vault / OpenBaoESO · Sealed · SOPSCloud SM + CSI
Does the secret reach Kubernetes already encrypted?
If etcd or its backup leaks, are secret values still encrypted?
Does kubectl get secret return ciphertext instead of the usable secret?
If someone can read all Kubernetes objects, do secret values stay unreadable?
Can GitOps and CI/CD stay ciphertext-only all the way into Kubernetes?
Does the workload avoid plaintext secret files and environment variables?
Does decrypt require more than Kubernetes RBAC or a copied ServiceAccount token?
Can an AI agent get broad cluster-read access without becoming a secret reader?
Does decryption require an explicit workload-bound authorization step?

✓ = yes by design · ✗ = no in the normal pattern · — = depends on deployment pattern or extra controls. Simplified on purpose; every nuance carries a tooltip and a source below.

Two different jobs

Our layer: decide who can open them

Secrets stay sealed everywhere they rest. Decryption happens in the pod’s RAM only after four independent checks pass: a bound API key (cluster + namespace + ServiceAccount), the pod’s own SA JWT verified against your pinned JWKS, a RAM-only DPoP key pinned to the live Pod UID, and a sha256 allowlist over every running image — sidecars and injected debug containers included. Fail-closed.

Infrastructure access stops implying secret access — for admins, backups, pipelines, and AI agents alike.

Their layer: get secrets to workloads

Central storage, dynamic database credentials, leases, rotation, git-safe encryption, multi-cloud sync. Real jobs, done well — keep the tools that do them.

In Kubernetes delivery patterns, success usually means handing plaintext to the workload — through a file, an env var, a provider mount, or a k8s Secret.

The 2026 row: your AI DevOps agent

Agents now hold kubectl access, read manifests, tail logs, and run pipelines. In common Kubernetes secret patterns, that access can become secret access through normal Secret reads, pod exec, synced Secrets, or plaintext files in pod filesystems. With ASTIS it reads what everyone else reads — sealed values. It can operate your cluster all day and never hold a decryptable secret, because cluster-read access is not decrypt capability.

When you should NOT buy this

Your threat model ends at RBAC. If you trust everyone with cluster access, your backup chain, and your pipelines — native Secrets with KMS encryption at rest, or ESO over a cloud store, is a reasonable free answer.

You need leased, per-instance dynamic credentials. Minting short-lived DB accounts on demand and auto-revoking them is Vault/OpenBao’s home turf — ASTIS does not replace that machinery. (Scheduled rotation is different: generate → seal with astis-cli → roll; each envelope rotates independently.)

Budget is zero. ASTIS starts at $18k/year. The OSS stack is free plus operations — an honest trade if the boundary above is not your requirement yet.

FAQ

Is ASTIS Workload Secrets a Vault replacement?

No. Leased dynamic database credentials and transit encryption — that is Vault/OpenBao’s job, and if you rely on those, keep them. (Scheduled rotation of static secrets, though, is a plain pipeline with ASTIS: generate, seal with astis-cli, roll — each envelope rotates independently.) ASTIS adds the layer none of the distribution tools have: a cryptographic boundary that decides which attested workload can turn a sealed blob into plaintext, in RAM, at use time.

Does anyone in this stack verify the container image before releasing a secret?

In the documented k8s integration paths we reviewed — no. Vault, OpenBao and Infisical bind trust to ServiceAccount + namespace (TokenReview); ESO, Sealed Secrets and SOPS end in regular k8s Secrets gated by RBAC; cloud workload-identity binds IAM to the ServiceAccount. ASTIS checks the live Pod UID and requires every running image — app, init, sidecar, injected debug container — to match a sha256 allowlist, fail-closed.

When is the free stack enough?

If your threat model ends at RBAC — you trust everyone with cluster access, your backups, and every pipeline — then k8s Secrets with KMS encryption at rest, or ESO over a cloud store, is a reasonable, free answer. ASTIS is for the moment “infrastructure access” and “secret access” must stop meaning the same thing: admins, backups, vendors, and AI agents can operate the cluster without being able to open the secrets.

What about high availability — what if the ASTIS edge is unreachable?

Workloads talk to ASTIS at unseal time, not continuously. A pod that has already opened its secrets holds them in its own RAM and keeps running through an edge outage. New unseals — fresh pods, restarts, rescheduling — are fail-closed by design: a pod does not start with secrets it cannot verify, and comes up once the edge is reachable again. The edge is covered by the plan SLA (99.9% on Workload Business and above); with HYOK CVS on Enterprise, the key authority runs inside your perimeter, so unseal-path availability is under your control.

What does it cost?

Workload Team is $18,000/year, self-serve via the portal; Workload Business is $60,000/year, and Enterprise starts at $120k. ASTIS prices the boundary — no metered per-secret or per-identity charges. Tiers are sized in bands of workload identities across all environments, so the bill steps by tier, not by every new secret or pod. Upgrades are pro-rated by month, the minimum billing unit: move up mid-term and the remaining full months of what you already paid are credited toward the new plan.

Keep your stack. Add the boundary.

Run the quickstart on a real cluster and watch an unapproved image get refused — the proof is the point.