How to Secure Kubernetes Secrets with Bitnami Sealed Secrets

Nowadays most applications handle sensitive information such as database credentials or API keys, and storing them directly in code poses serious security risks.

If your application runs in containers on Kubernetes, you can use the native Secret resource, which stores data base64‑encoded and can be injected as environment variables or mounted as volumes.

To keep secrets safe, the Secret object should be encrypted and access controlled with Kubernetes RBAC; on AWS you can further encrypt static data with AWS KMS.

Kubernetes manifests are usually version‑controlled, but committing raw or base64‑encoded secrets to a Git repository is unsafe. You need a secure place to store secrets outside the cluster.

Option 1: Encrypt plaintext secrets before committing to Git

Encrypt the plaintext with symmetric or asymmetric algorithms.

Create a custom Secret CRD that holds the encrypted data.

Develop a custom controller that reads the encrypted data, decrypts it at runtime, and creates a native Secret.

This lets you commit encrypted data to Git, but you still need to protect the private key. Bitnami Sealed Secrets can manage the key lifecycle.

Option 2: Use third‑party secret stores

Store secrets in services such as AWS Secrets Manager or HashiCorp Vault.

Write a custom controller that fetches secrets from those services and creates Kubernetes Secrets at runtime.

The External Secrets project implements this approach.

Quick overview of Sealed Secrets

Sealed Secrets encrypt a Kubernetes Secret into a SealedSecret object that can be safely stored in a public repository. Only the controller running in the target cluster can decrypt it.

A Sealed Secret consists of a server‑side controller and a client tool kubeseal. The client uses asymmetric encryption; the controller holds the private key.

Steps to use Sealed Secrets

1. Install kubeseal:

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.15.0/kubeseal-linux-amd64 -O kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

2. Install the controller in the cluster:

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.15.0/controller.yaml

3. Verify the controller pod is running:

kubectl get pods -n kube-system -l name=sealed-secrets-controller

4. Create a regular Secret manifest (e.g., secrets.yaml) and seal it:

apiVersion: v1
data:
  DB_PWD: cGFzc3dvcmQ=   # base64
  DB_USER: cm9vdA==
kind: Secret
metadata:
  name: db-secrets

kubeseal --format=yaml < secret.yaml > sealed-secret.yaml

5. Apply the sealed secret to the cluster: kubectl apply -f sealed-secret.yaml The controller will decrypt the sealed secret and create the corresponding Kubernetes Secret, which can then be used as environment variables or volume mounts. The sealed‑secret YAML can be safely committed to Git because its data is encrypted.

By following these steps you can keep Kubernetes secrets confidential while still benefiting from Git‑based workflows.