Kubernetes Secrets vs. Azure Key Vault

Here is an opinionated comparison that I created. I hope it helps you decide when you have to choose one.

| | Kubernetes Secrets | Azure Key Vault |
|---|---|---|
| How secrets are stored | Stored in etcd, base64-encoded. (In AKS, etcd is managed by Microsoft and is encrypted at rest within the Azure platform.) | Encrypted at rest, and Azure Key Vault is designed so that Microsoft does not see or extract your data. |
| Who can access the secrets | By default:<br>– People who can access the API server.<br>– People who can create a pod and mount the secrets.<br>– For AKS, people who can manage the AKS cluster in the Azure Portal.<br>– People who can connect to etcd directly. (In the AKS context, this would be Microsoft.)<br><br>To limit access, Kubernetes RBAC rules need to be carefully designed and maintained.<br><br>Use tools such as Sealed Secrets to encrypt the secrets in etcd if you don't want Microsoft to see your secrets. | When using the Secrets Store CSI Driver for Azure Key Vault:<br>– People who can create a pod and mount the CSI volume.<br><br>Proper Kubernetes RBAC settings on namespaces can help limit access. |
| Who can create, change or delete secrets | Similar to the above. Kubernetes RBAC rules are needed to limit who can create, change or delete secrets. | Secrets cannot be modified via the Secrets Store CSI Driver. Secret management needs to be done via the Azure Portal, CLI or APIs. Access is controlled by Azure RBAC. |
| Rotate or revoke | Done manually via the Kubernetes API. | The Azure Key Vault provider for the Secrets Store CSI Driver supports auto-rotation of secrets. |
| Auditing, monitoring and alerting | Kubernetes Auditing | Azure Monitor, Event Grid notifications, and automation with Azure Functions, Logic Apps, etc. |
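
The two default access paths the table lists for Kubernetes Secrets (reading them through the API server, and creating a pod that mounts them) can be checked against a namespace's RBAC objects. The script below is an added example, not part of the original post; the `team-a` namespace, role names and subjects are constructed, and it evaluates only namespaced Roles and RoleBindings, not ClusterRoles.

```python
# Added example: which bound subjects can reach Secrets in a namespace,
# either by reading them from the API or by creating a pod that mounts them.

def _has(values, wanted):
    """True if an RBAC list names `wanted` explicitly or through the '*' wildcard."""
    return "*" in values or wanted in values

def secret_paths(rule):
    """Ways one RBAC rule exposes Secrets: 'direct' (read API) and/or 'via-pod' (mount)."""
    paths = set()
    if not _has(rule.get("apiGroups", []), ""):  # Secrets and Pods are in the core group ""
        return paths
    verbs, resources = rule.get("verbs", []), rule.get("resources", [])
    if _has(resources, "secrets") and any(_has(verbs, v) for v in ("get", "list", "watch")):
        paths.add("direct")
    if _has(resources, "pods") and _has(verbs, "create"):
        paths.add("via-pod")
    return paths

def audit(items):
    """Map 'Kind/name' of each bound subject to the set of paths it has to Secrets."""
    roles = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
             for i in items if i["kind"] == "Role"}
    findings = {}
    for b in (i for i in items if i["kind"] == "RoleBinding"):
        if b["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are out of scope in this example
        role = roles.get((b["metadata"]["namespace"], b["roleRef"]["name"])) or {}
        paths = set().union(*(secret_paths(r) for r in role.get("rules", [])))
        if not paths:
            continue
        for s in b.get("subjects", []):
            findings.setdefault(f'{s["kind"]}/{s["name"]}', set()).update(paths)
    return findings

def _obj(kind, name, **extra):  # builds one constructed sample object
    return {"kind": kind, "metadata": {"namespace": "team-a", "name": name}, **extra}

# Constructed sample, shaped like the items of `kubectl get roles,rolebindings -n team-a -o json`
SAMPLE = [
    _obj("Role", "deployer", rules=[{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get"]}]),
    _obj("Role", "viewer", rules=[{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]),
    _obj("Role", "ns-admin", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("RoleBinding", "ci", roleRef={"kind": "Role", "name": "deployer"}, subjects=[{"kind": "ServiceAccount", "name": "ci-bot"}]),
    _obj("RoleBinding", "ro", roleRef={"kind": "Role", "name": "viewer"}, subjects=[{"kind": "User", "name": "alice"}]),
    _obj("RoleBinding", "adm", roleRef={"kind": "Role", "name": "ns-admin"}, subjects=[{"kind": "User", "name": "bob"}]),
]

if __name__ == "__main__":
    for subject, paths in sorted(audit(SAMPLE).items()):
        print(subject, sorted(paths))
```

A subject that appears only with `via-pod` has no `get` on Secrets yet can still read them by mounting them into a pod it creates, which is why pod-creation rights belong in the same review as Secret read rights.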