Secure Kubernetes Secrets with KubeSeal: Install and Use Guide

Installation

Install KubeSeal

$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
$ tar -xvf kubeseal-0.18.0-linux-amd64.tar.gz
$ cp kubeseal /usr/local/bin/
$ kubeseal --version

Install controller

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yaml

After running the commands, a controller pod is started in the kube-system namespace:

$ k get pod -n kube-system | grep seal
sealed-secrets-controller-b9fb75d85-k4csm    1/1    Running    0    7h28m

Port‑forward the controller service to the local machine:

$ kubectl -n kube-system port-forward svc/sealed-secrets-controller 8080:8080

Usage

Generate an encrypted file

Create a file secret-example.yaml with the following content (the secret field is base64‑encoded mysupersecret):

apiVersion: v1
kind: Secret
metadata:
  name: secret-example
data:
  secret: bXlzdXBlcnNlY3JldAo=

Encrypt it with KubeSeal:

$ kubeseal --secret-file secret-example.yaml --sealed-secret-file sealed-secret-example.yaml

The resulting sealed-secret-example.yaml contains an encrypted spec.encryptedData.secret field:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: secret-example
  namespace: kube-system
spec:
  encryptedData:
    secret: AgB1ZZg8+J+0HLymOQZdTfWVQZiNkhm5X6WULJuBAAEaQQNhM8i2TV2I1SgKT4sUOCRv90XA1oeFld3XoGPjvYE3leOD1cvK1dDVqno6mNLRziokISk/9fB3cVE2GVgyCud//M53xNpVemDufgsJS2q/KGIOeNEijk9ZM2FaKoLDwtPaVNL0NfmC2xne2XtWJp+/eMOREhbubQhnj5M/Se75axazviuDNf6Ss9fAuR38Msd5DXnKBtyrckEHSa8TDn8ErssOh0ogX14e0/ThN3EWJecSBtx7Xfd0m90+vjmvWevMag442349aquR/qLo0mg40mhcCqSBw/MjaIGZ2F5XRufG1WEP43OgLMTixN2lLSU3eYTrv5t075taI9WJgoOl0DD8UA74EMpX7RMKTiXD6C0XngKmMKg5fUK7JNLFfwHMRPi4zNTwJa9ViDyD0iAJrGGbmMso/nHEtwOtrLE5Rrf0kLQ5N6Lj57gOBdqu903/vDM4Jm695GvEWL2aR3ShOxasHCuZeXj8Q5+KYWeF9sySiJH8bwEtaw6x7j9AxBOwjxWYD0Jvj9KhtlqBa4okSDc3bcgRKGhsSXQx6jOumI5rj+V542hkB6Z8JOtJ17VmzR6XDQDmqSl1FqqwKD5n5yUy5Kf6pJYBnsgKn3TzesQ6JfQbyRLTh1Pn3odOYCnp+Ixbd0Tgn0n5m0KO3RX0hiwGoe0hObIZcsF36g==
  template:
    data: null
    metadata:
      name: secret-example
      namespace: kube-system

Apply the sealed secret to the cluster:

$ k create -f sealed-secret-example.yaml
sealedsecret.bitnami.com/secret-example created

$ k get sealedsecrets.bitnami.com
NAME          AGE
secret-example   6s

The controller decrypts the sealed secret and creates the original Secret object:

$ k get secrets | grep secret-example
secret-example   Opaque   1   2m15s

Inspect the generated secret to verify that data.secret matches the original base64 value:

$ k get secret secret-example -o yaml
apiVersion: v1
data:
  secret: bXlzdXBlcnNlY3JldAo=
kind: Secret
metadata:
  name: secret-example
  namespace: kube-system
  ...

Note: SealedSecret and the corresponding Secret must reside in the same namespace.

Tips

kubeseal

supports the following API routes: Route Description /healthz Health check route for readiness and liveness probes. /metrics Prometheus metrics endpoint. /v1/verify Validates a secret. /v1/rotate Rotates the secret. /v1/cert.pem Retrieves the public certificate.

You can provide your own certificate to the controller for easier migration and management.

To avoid accidental secret leakage when mounting secrets from other namespaces, restrict access with RBAC policies as described in the official README.

Reference

How to manage all my K8s secrets in git securely with Bitnami Sealed Secrets