Storing secrets in Kubernetes

Kubernetes used to store secrets in etcd as plaintext by default, which meant that direct access to etcd had to be limited and carefully guarded. As of Kubernetes 1.7, you can encrypt your secrets at rest (that is, when they are stored by etcd).

Secrets are managed at the namespace level. Pods can mount secrets either as files via secret volumes or as environment variables. From a security standpoint, this means that any user or service that can create a pod in a namespace can read any secret in that namespace. If you want to limit access to a secret, put it in a namespace that only a limited set of users or services can use.

When a secret is mounted into a pod, it is never written to the node's disk; it is stored in tmpfs. The kubelet normally talks to the API server over TLS, so the secret is also protected in transit.
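As an added example (not from the book), here is the encryption-at-rest configuration described above, followed by a secret and a pod that consumes it both as a tmpfs-backed file and as an environment variable. The config file path, key name, namespace, secret name and image are assumptions; the key value is a placeholder to be replaced with 32 random bytes, base64-encoded.

```yaml
# kube-apiserver reads this via --encryption-provider-config=/etc/kubernetes/enc/encryption.yaml (assumed path)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider encrypts new writes; every listed provider is tried when reading.
      - aescbc:
          keys:
            - name: key1
              # Placeholder: generate with `head -c 32 /dev/urandom | base64`
              secret: <BASE64_32_BYTE_KEY>
      # identity keeps secrets written before encryption was enabled readable.
      - identity: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: db-creds          # assumed name
  namespace: payments     # assumed namespace: anyone who can run a pod here can read it
type: Opaque
stringData:
  password: "constructed-sample-password"   # constructed value
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  containers:
    - name: app
      image: example.invalid/app:1.0   # placeholder image
      env:
        - name: DB_PASSWORD            # env-var form: visible to anything that can inspect the process
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: password
      volumeMounts:
        - name: creds
          mountPath: /etc/creds
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: db-creds
        defaultMode: 0400              # file form: backed by tmpfs, never written to the node's disk
```

After restarting the API server with this configuration, create a fresh secret and confirm with `etcdctl get /registry/secrets/payments/db-creds` that the stored value begins with `k8s:enc:aescbc:v1:key1:` rather than readable plaintext. Secrets created before the change stay in plaintext until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.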
