Does the Secret Store CSI Driver block kubectl get secret + base64 decode access to secret values?

While learning about Secrets, I came across the EncryptionConfiguration feature and also learned about the Secret Store CSI Driver. From what I understand, EncryptionConfiguration helps prevent a “bottom-up” threat (someone gaining direct access to etcd), while the Secret Store CSI Driver helps prevent a “top-down” threat (someone gaining access through the pod/API layer).

My question is: does using the Secret Store CSI Driver actually make secrets more secure? Normally, we can just run kubectl get secret <secret-name> -o yaml and decode the value with base64 to view it. Does using the Secret Store CSI Driver prevent us from retrieving secrets this way?

Indeed it does – it uses a service like HashiCorp Vault (the backing service is configurable) and injects the secret into the pod. This is not what the default secret handler does, which is indeed not particularly secure, since base64 is easily reversible. See the CSI driver's docs for more info.

1 Like
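To make the answer above concrete, here is an added example (not part of the original thread, and not the driver's or Vault's own sample code) of the two objects involved: a SecretProviderClass that points the Vault provider at one secret, and a pod that mounts it through the Secrets Store CSI Driver. The Vault address, the Vault role name `app`, the service account `app`, the namespace `default`, and the secret path `secret/data/db` with key `password` are all assumptions for the illustration; the driver and the Vault provider are assumed to be installed already.

```yaml
# Added example, not from the original thread. Assumed: Secrets Store CSI
# Driver + Vault provider installed; Vault reachable in-cluster at
# http://vault.vault:8200; a Vault Kubernetes-auth role "app" bound to the
# "app" service account in "default"; a KV v2 secret at secret/data/db
# holding a "password" key. Adjust every one of these to your environment.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-creds
  namespace: default
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault:8200"   # assumed address
    roleName: "app"                            # assumed Vault role
    objects: |
      - objectName: "db-password"      # file name that appears in the mount
        secretPath: "secret/data/db"   # KV v2 path (note the /data/ segment)
        secretKey: "password"
  # Deliberately no secretObjects block. With secretObjects set, the driver
  # syncs the mounted value into an ordinary Kubernetes Secret, which brings
  # back exactly the "kubectl get secret + base64 -d" path the question asks
  # about. Leave it out if the goal is to keep the value out of the API server.
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: default
spec:
  serviceAccountName: app   # must match the SA bound in the Vault role (assumed)
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: db-creds
```

After `kubectl apply -f` on both objects, `kubectl get secret -n default` lists no Secret for this value; it exists only as a file inside the pod, readable with `kubectl exec app -- cat /mnt/secrets-store/db-password`. Two caveats worth keeping in mind: the value is still fully readable by anyone who holds `pods/exec` on that pod or who can schedule a pod with the `app` service account, so the driver does not remove the read path, it moves the access decision from Kubernetes RBAC on Secrets to the provider's policy (here, the Vault role bound to that service account and namespace). And if you need the value as an environment variable rather than a file, the driver can only do that via `secretObjects` sync, which recreates the Kubernetes Secret and with it the `kubectl get secret` exposure.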