
Secure Kubernetes Secrets with kubeseal: Installation & Usage Guide

This article explains how to install kubeseal and its controller, create and encrypt Kubernetes Secret manifests, apply sealed secrets, and provides useful tips on API routes, custom certificates, and RBAC to securely manage secrets in a cloud‑native environment.

Raymond Ops

Installation

kubeseal binary

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
tar -xvf kubeseal-0.18.0-linux-amd64.tar.gz
cp kubeseal /usr/local/bin/
kubeseal --version

controller

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yaml
# Verify pod
kubectl get pod -n kube-system | grep seal
# Port‑forward
kubectl -n kube-system port-forward svc/sealed-secrets-controller 8080:8080

Usage

Create secret manifest

apiVersion: v1
kind: Secret
metadata:
  name: secret-example
data:
  secret: bXlzdXBlcnNlY3JldAo=

Seal the secret

kubeseal --secret-file secret-example.yaml --sealed-secret-file sealed-secret-example.yaml

The generated sealed-secret-example.yaml contains an encrypted spec.encryptedData.secret field.

Apply sealed secret

kubectl create -f sealed-secret-example.yaml
kubectl get sealedsecrets.bitnami.com

The controller decrypts it and creates a regular Secret in the same namespace. You can view it with:

kubectl get secret secret-example -o yaml

Note: The SealedSecret and the resulting Secret must reside in the same namespace.
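The Secret manifest in this walkthrough holds its value only base64-encoded, while the sealed file holds ciphertext, so only the sealed file is safe to hand around. The following added example (not part of the original article) is a line-based shell check that rejects any manifest still containing a plain Secret; the function names, sample files and placeholder ciphertext are constructed for illustration.

```shell
# Added example, not from the article: reject manifests that still hold a
# plain Secret (its data is only base64-encoded) and accept SealedSecrets.
# Line-based check; assumes block-style YAML with top-level keys at column 0.

# Print "<kind> <name>" for each YAML document in file $1.
list_docs() {
  awk '
    function emit() {
      if (kind != "") print kind, (name == "" ? "-" : name)
      kind = ""; name = ""; inmeta = 0
    }
    /^---/               { emit(); next }
    /^kind:/             { kind = $2 }
    /^[A-Za-z]/          { inmeta = ($1 == "metadata:") }
    inmeta && /^  name:/ { name = $2 }
    END                  { emit() }
  ' "$1"
}

# Return 0 if no document in $1 is a plain Secret, 1 otherwise.
check_manifest() {
  plain=$(list_docs "$1" | awk '$1 == "Secret" { print $2 }')
  if [ -z "$plain" ]; then return 0; fi
  for n in $plain; do
    echo "REJECT $1: Secret/$n is base64 only, seal it with kubeseal" >&2
  done
  return 1
}

# Constructed samples: the article's Secret, and the shape of a SealedSecret
# (the encryptedData value is a placeholder, not real ciphertext).
sample_secret() {
  printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:' \
    '  name: secret-example' 'data:' '  secret: bXlzdXBlcnNlY3JldAo='
}
sample_sealed() {
  printf '%s\n' 'apiVersion: bitnami.com/v1alpha1' 'kind: SealedSecret' \
    'metadata:' '  name: secret-example' 'spec:' '  encryptedData:' \
    '    secret: CONSTRUCTED-PLACEHOLDER'
}

tmp=$(mktemp -d)
sample_secret > "$tmp/secret-example.yaml"
sample_sealed > "$tmp/sealed-secret-example.yaml"
for f in "$tmp"/*.yaml; do
  if check_manifest "$f"; then echo "OK $f"; fi
done
rm -rf "$tmp"
```

Multi-document files are handled too: a file is rejected if any document after a `---` separator is a plain Secret.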

Tips

kubeseal's controller provides API routes such as /healthz, /metrics, /v1/verify, /v1/rotate, /v1/cert.pem.

You can supply your own certificate to the controller for easier migration.

Use RBAC to restrict which namespaces and resources users can access, preventing accidental secret leakage.
