Why Kubernetes Image Pull Secrets Leak In Plain Sight

DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · 2026-06-07 · 8 min

Episode notes

This episode of DevOps Daily with Fexingo dives into a common but overlooked security gap: how Kubernetes image pull secrets can be accidentally exposed through base image inheritance and registry mirror configurations. Lucas walks through a real-world case where a team at a mid-sized fintech left their private registry credentials embedded in a public Docker layer, allowing anyone who pulled the image to extract them via a simple `docker history` command. Luna challenges whether the default Kubernetes workflow encourages this carelessness, and they discuss practical mitigations like using image pull secrets only via kubelet node-level configuration, rotating credentials on a schedule, and scanning for secret leakage during CI/CD. The conversation also touches on how OPA Gatekeeper policies can catch these misconfigurations at admission time. No fear-mongering, just concrete steps to tighten one of the easiest-to-exploit gaps in your cluster.