Deep Dive: Vault AppRole Auth for Kubernetes

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview. AppRole is a machine-oriented auth method. Unlike Kubernetes Auth (which requires Vault to call the K8s TokenReview API), AppRole uses a RoleID + SecretID pair — making it ideal when Vault cannot reach the Kubernetes API server.

When to Use AppRole Over Kubernetes Auth

Scenario | Use AppRole?
Vault is external and cannot reach K8s API | ✅ Yes
CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions) | ✅ Yes
Batch jobs or CronJobs needing Vault access | ✅ Consider
Cross-cloud authentication | ✅ Yes
Vault is in-cluster or can reach K8s API | ❌ Use K8s Auth

How AppRole Works

(Diagram: App Pod, step 1; the rest of the diagram is cut off in this excerpt)...

May 15, 2026 · 5 min · Dileep Kumar

Deep Dive: Vault Kubernetes Auth Method

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview. The Kubernetes Auth Method is the recommended way for pods to authenticate with Vault. It uses native Kubernetes Service Account tokens (JWTs), eliminating the need to distribute or rotate static credentials. But before jumping into commands, let’s understand what each component is, why it exists, and how they work together....

May 15, 2026 · 14 min · Dileep Kumar

The Complete Guide to Integrating HashiCorp Vault with Kubernetes

Managing secrets in Kubernetes is one of those challenges that every platform team eventually faces. Base64-encoded Kubernetes Secrets stored in etcd are not encryption — they’re encoding. If you’re running anything beyond a hobby cluster, you need a proper secrets management solution. This guide is your one-stop reference for HashiCorp Vault + Kubernetes. It covers the architecture, compares every integration method, and links to detailed implementation guides for each approach....

May 15, 2026 · 8 min · Dileep Kumar

Shai-Hulud: The Worm That Ate the Software Supply Chain (TeamPCP)

If you work anywhere near open-source infrastructure, CI/CD pipelines, or cloud-native tooling, you need to know about the Mini Shai-Hulud worm. Named after the colossal sandworms of Frank Herbert’s Dune, this self-propagating malware—deployed by the threat actor group TeamPCP—burrowed through the npm and PyPI ecosystems in May 2026, compromising hundreds of packages and turning trusted developer tooling into a weapon. This is not a theoretical supply chain risk. This is one of the most sophisticated attacks the open-source ecosystem has ever faced....

May 15, 2026 · 9 min · Dileep Kumar