Starting: 1st of Every Month 
+91 8409492687 
Contact@DevOpsSchool.com
The main difference between a ClusterSecretStore and a SecretStore is that a ClusterSecretStore is a cluster-wide SecretStore that can be referenced from all namespaces, while a SecretStore is a namespaced SecretStore that can only be referenced from a single namespace.
Another difference is that a ClusterSecretStore can be used to store secrets that are shared across multiple namespaces, such as a database password or an API key. A SecretStore can only be used to store secrets that are specific to a single namespace, such as a database password for a specific application.
Here is a table that summarizes the key differences between ClusterSecretStores and SecretStores:
| Feature | ClusterSecretStore | SecretStore |
|---|---|---|
| Scope | Cluster-wide | Namespaced |
| Use cases | Shared secrets across multiple namespaces | Namespace-specific secrets |
Here are some examples of when you might use a ClusterSecretStore:
- To store a database password that is shared across all of your applications.
- To store an API key that is used by multiple applications.
- To store a certificate that is used by multiple applications.
Here are some examples of when you might use a SecretStore:
- To store a database password for a specific application.
- To store an API key for a specific application.
- To store a certificate for a specific application.
SecretStore:
SecretStoreis namespace-scoped. This means aSecretStoreresource is created within a specific namespace and can only be referenced byExternalSecretresources within the same namespace.- This allows for more fine-grained access control and isolation between different namespaces, making it suitable for multi-tenant environments where different teams or applications have their isolated namespaces.
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
name: my-secret-store
namespace: my-namespace
spec:
provider:
aws:
service: SecretsManager
ClusterSecretStore:
ClusterSecretStore, on the other hand, is cluster-scoped. This means it is not confined to a specific namespace and can be referenced byExternalSecretresources across all namespaces in the cluster.- It is suitable for secrets that are shared and needed by applications residing in different namespaces across the cluster.
apiVersion: external-secrets.io/v1alpha1
kind: ClusterSecretStore
metadata:
name: my-cluster-secret-store
spec:
provider:
aws:
service: SecretsManager
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand.
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND
