Kubermatic SecureGuard: Automated secrets management for Kubernetes

Kubermatic introduces KubeSG: Open-source platform for automated secrets management in Kubernetes – based on OpenBao and ESO.

Image: symbolic lock as a sign of digital security (PopTika / Shutterstock.com)


As part of this year's KubeCon + CloudNativeCon Europe, the Hamburg-based company Kubermatic has introduced a new open-source-based platform designed to automate the management of sensitive credentials in Kubernetes environments. Kubermatic SecureGuard – KubeSG for short – is intended to provide security teams with a central control layer for automated management, rotation, and verification of API keys, database passwords, and AI tokens.

Compromised credentials are a common problem in cloud-native infrastructures, posing a serious challenge, especially for companies with rapidly growing Kubernetes and AI workloads. According to the IBM Cost of a Data Breach Report 2025, the global average cost per incident was around 4.44 million US dollars.


This is precisely where the new product KubeSG is intended to step in, according to the announcement. Technically, Kubermatic builds on two open-source components: OpenBao as the secrets engine and the External Secrets Operator (ESO) for integration with Kubernetes. Their combination provides a self-hosted, Kubernetes-native layer for secrets management. Applications automatically receive only those credentials for which they are authorized – integrated as standard Kubernetes secrets objects, environment variables, or mounted files.
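As an added illustration (not Kubermatic's code and not a KubeSG manifest), this is what the OpenBao-plus-ESO wiring described above looks like in plain External Secrets Operator resources; the OpenBao address, KV mount, Kubernetes-auth role, namespace, secret path and image are assumed values, and the manifests assume an ESO release that serves the external-secrets.io/v1 API.

```yaml
# SecretStore: how ESO reaches OpenBao. OpenBao serves the Vault HTTP API,
# so ESO's "vault" provider is used. Server URL, mount and role are assumed.
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata: {name: openbao, namespace: payments}
spec:
  provider:
    vault:
      server: https://openbao.secrets.svc:8200
      path: kv              # KV v2 secrets engine mount
      version: v2
      auth:
        kubernetes:         # pod identity, no static token stored in-cluster
          mountPath: kubernetes
          role: payments-reader
          serviceAccountRef: {name: payments-app}
---
# ExternalSecret: fetch one field and materialize it as a Kubernetes Secret
# named payments-db; ESO re-syncs it every refreshInterval, so a value rotated
# in OpenBao reaches the cluster without a ticket or a hand-run script.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata: {name: payments-db, namespace: payments}
spec:
  refreshInterval: 15m
  secretStoreRef: {name: openbao, kind: SecretStore}
  target:
    name: payments-db
    creationPolicy: Owner   # Secret is owned by, and removed with, this object
  data:
    - secretKey: DB_PASSWORD
      remoteRef: {key: payments/db, property: password}
---
# Consumer: the same Secret delivered as an env var and as a mounted file.
apiVersion: v1
kind: Pod
metadata: {name: payments-app, namespace: payments}
spec:
  serviceAccountName: payments-app
  containers:
    - name: app
      image: registry.example/payments:1.0   # placeholder image
      env:
        - name: DB_PASSWORD
          valueFrom: {secretKeyRef: {name: payments-db, key: DB_PASSWORD}}
      volumeMounts:
        - {name: db-creds, mountPath: /var/run/secrets/db, readOnly: true}
  volumes:
    - name: db-creds
      secret: {secretName: payments-db}
```

The kubelet refreshes a volume-mounted Secret in place when its contents change, whereas an environment variable is fixed at container start; a workload that must pick up rotations without a restart should therefore read the mounted file.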

With its open-source approach, Kubermatic deliberately aims to position itself as a counter-model to proprietary solutions, ensuring that the security infrastructure is also fully transparent and verifiable. KubeSG is intended to give companies insight at all times into how their secrets are stored, accessed, and audited.


Beyond the security aspect, Kubermatic also aims to address an operational problem with SecureGuard: in many organizations, manually managing credentials consumes significant resources. Ticket queues, self-written scripts, and forced service restarts during secret rotation slow down development speed, according to Kubermatic. KubeSG is intended to automate these steps, allowing development teams to focus on actual software deployment rather than maintaining credentials.

The platform also supports multi-tenancy with isolated secret stores. This allows large enterprises to limit the blast radius of potential security incidents by strictly separating environments and teams. For multi-cloud and hybrid infrastructures, SecureGuard offers a central governance layer to help meet compliance requirements.

SecureGuard joins Kubermatic's open-source product portfolio, which includes the Kubermatic Kubernetes Platform (KKP), Kubermatic Virtualization (KubeV) for container-VM convergence, a Developer Control Plane (KDP), Single-Node Kubernetes (KubeOne), and Multi-Tenant Load Balancing (KubeLB), among others.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.