Tags: kubernetes, kubernetes-pod, kubernetes-secrets

How to make the kubernetes pods unable to decrypt the kubernetes secrets without a key?


The end goal I'm trying to achieve is to create a kubernetes secret (potentially with a key) and a pod which uses that. But the catch is, the pod created should not be able to decode/decrypt the secret value without a particular key. I have tried the secrets with data encryption at rest but that's not sufficient for my requirement.


Solution

  Edit: I am trying to make this a step-by-step solution (as asked by @Dawid in comments).

    1. Encrypt your data using your-key (your encryption logic, probably in a script).
    ./encrypt.sh --key your-key --data your-data
    
    2. Create a secret from this encrypted data.
    kubectl create secret generic your-secret-name --from-literal=secretdata=your-encrypted-data 
    
    3. You could add decryption logic like this in your pod (either as a sidecar or an initContainer).
    # decrypt.sh will decode base64, then apply your decryption logic using your-key
    ./decrypt.sh --key your-key --data /var/my-secrets 
    
    4. Also, you need to mount this secret as a volume in your container.
        spec:
          containers:
          - image: "image"
            name: app
            ...
            volumeMounts:
              - mountPath: "/var/my-secrets"
                name: my-secret
          volumes:
            - name: my-secret
              secret:
                secretName: your-secret-name
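The answer above leaves `encrypt.sh` and `decrypt.sh` unspecified. The following is an added, self-contained example (not code from the question or the answer) that walks the whole flow in Python: encrypt with an operator-held key, build the Secret manifest that `kubectl create secret generic ... --from-literal` would produce, simulate what the kubelet writes under the `mountPath`, and decrypt only with the right key. The cipher is an assumption for illustration: an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen because it needs only the standard library; in a real deployment you would use an AEAD such as AES-GCM from a vetted library. The key, secret name, field name and plaintext are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

NONCE_LEN = 16  # random per-message nonce, prepended to the ciphertext
TAG_LEN = 32    # HMAC-SHA256 tag, appended to the ciphertext


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate the encryption and MAC keys from the single key the operator holds.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """What encrypt.sh would do: returns nonce || ciphertext || tag (illustrative scheme)."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """What decrypt.sh would do: verify the tag first, then strip the keystream."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong key or modified ciphertext: refuse rather than return garbage.
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encoded_value(blob: bytes) -> str:
    # Secret.data values are base64 of the raw bytes; this is the encoding the API
    # server stores, it is not a protection of any kind.
    return base64.b64encode(blob).decode("ascii")


def secret_manifest(name: str, field: str, blob: bytes) -> str:
    """Equivalent of `kubectl create secret generic <name> --from-literal=<field>=<blob>`."""
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        "type: Opaque\n"
        "data:\n"
        f"  {field}: {encoded_value(blob)}\n"
    )


def simulate_mount(blob: bytes, mount_dir: str, field: str) -> str:
    # The kubelet writes the base64-decoded value to <mountPath>/<field>.
    path = os.path.join(mount_dir, field)
    with open(path, "wb") as f:
        f.write(base64.b64decode(encoded_value(blob)))
    return path


def pod_view(mount_dir: str, field: str) -> bytes:
    # What any process in the pod (or anyone who can read the Secret) sees without the key.
    with open(os.path.join(mount_dir, field), "rb") as f:
        return f.read()


def demo(key: bytes = b"your-key", plaintext: bytes = b"db-password-hunter2") -> dict:
    """End-to-end run using constructed sample values; returns the observable results."""
    blob = encrypt(key, plaintext)
    manifest = secret_manifest("your-secret-name", "secretdata", blob)
    with tempfile.TemporaryDirectory() as mount_dir:  # stands in for /var/my-secrets
        simulate_mount(blob, mount_dir, "secretdata")
        on_disk = pod_view(mount_dir, "secretdata")
        recovered = decrypt(key, on_disk)  # the sidecar/initContainer holding the key
    return {"manifest": manifest, "on_disk": on_disk, "recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print(result["manifest"])
    print("mounted file contains plaintext:", b"hunter2" in result["on_disk"])
    print("recovered:", result["recovered"])
```

The point the example makes concrete: the Secret object and the mounted file hold only the nonce, ciphertext and tag, so `kubectl get secret -o yaml`, a volume mount, or etcd access yields nothing readable; only the component that receives `your-key` (the sidecar or initContainer in step 3) can call `decrypt`, and a wrong key fails the tag check instead of producing garbage.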