I was reading about Kubernetes Auth method, and I think it is great, but I have one question with this method you are effectively putting inside each pod the token (unencrypted) which means that if an attacker gets access to the pod, it can take the token, authenticate against vault and get all the secrets. So it seems that the Kubernetes Auth alone is not enough and you need to add some extra layer.
Am I right? Or I am missing something?
Thank you very much.