External Secrets Operator (ESO)
Kubernetes operator that syncs secrets from external providers (Vault, AWS SM, GCP SM) into native K8s Secrets.
Overview
ESO is the standard Kubernetes bridge for external secrets. It watches ExternalSecret CRDs, fetches values from external providers (Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, etc.), and creates/updates native Kubernetes Secrets. It also supports PushSecret to push K8s secrets back to external providers.
Key Facts
| Attribute | Detail |
|---|---|
| Website | external-secrets.io |
| Stars | ~5k+ ⭐ |
| Latest Version | v2.2.0 (March 20, 2026) |
| Language | Go |
| License | Apache 2.0 |
| Governance | Community |
Evaluation
| Pros | Cons |
|---|---|
| Multi-provider — Vault, AWS, GCP, Azure, etc. | Sync lag (not real-time, poll-based) |
| PushSecret for bidirectional sync | Secrets stored in K8s etcd (base64) |
| Generators for dynamic secret creation | v1beta1 API deprecated |
| Templating for complex secret construction | Only supports latest minor version |
| ClusterSecretStore for cross-namespace | |
| Apache 2.0, active community | |
Architecture
```mermaid
flowchart TB
    subgraph K8s["Kubernetes Cluster"]
        ES["ExternalSecret\n(CRD)"]
        SS["SecretStore\n(provider config)"]
        ESO_C["ESO Controller"]
        Secret["K8s Secret\n(native)"]
    end
    subgraph External["External Providers"]
        Vault_E["HashiCorp Vault"]
        AWS_SM["AWS Secrets Manager"]
        GCP_SM["GCP Secret Manager"]
        AZ_KV["Azure Key Vault"]
    end
    ES --> ESO_C
    SS --> ESO_C
    ESO_C -->|"fetch"| External
    ESO_C -->|"create/update"| Secret
    Secret --> Pod_E["Pods\n(mount or envFrom)"]
    style ESO_C fill:#1565c0,color:#fff
```
Core Resources
| Resource | Scope | Purpose |
|---|---|---|
| SecretStore | Namespace | Provider connection config |
| ClusterSecretStore | Cluster-wide | Shared provider config |
| ExternalSecret | Namespace | Defines which secrets to sync |
| ClusterExternalSecret | Cluster-wide | Cross-namespace secret sync |
| PushSecret | Namespace | Push K8s secrets → external provider |
Sources