Balancing Vault Security and Workload Availability in Kubernetes: Best Practices?

I’m using HashiCorp Vault (external server) to manage secrets for my Kubernetes workloads. I’ve run into a dilemma: if I keep my Vault server in an unsealed state, it ensures my Kubernetes workloads can access secrets during restarts, but it also increases the risk of unauthorized access. Conversely, sealing the Vault enhances security but can disrupt my workloads when they restart.

What are the best practices for managing this balance? How can I ensure my workloads remain operational without compromising the security of my secrets? Any insights or strategies would be greatly appreciated!