AFAIK the only part of Kubernetes accessing etcd is the master. Nodes don't need and can't access etcd directly.
That still leaves the secret in plain view on the nodes that run the pod that needs the service. It would be great to be able to umount the secret when not needed anymore.
Correct, the etcd instance is only accessed by the master, which uses etcd to back the apiserver. But any root process on the nodes can access the secrets through the apiserver (there's no access control at this point).