
Secure Kubernetes Secrets with kubeseal: Installation & Usage Guide

This article explains how to install kubeseal and its controller, create and encrypt Kubernetes Secret manifests, apply sealed secrets, and provides useful tips on API routes, custom certificates, and RBAC to securely manage secrets in a cloud‑native environment.

Raymond Ops

Installation

kubeseal binary

<code>wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
tar -xvf kubeseal-0.18.0-linux-amd64.tar.gz
cp kubeseal /usr/local/bin/
kubeseal --version</code>

controller

<code>kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yaml
# Verify pod
kubectl get pod -n kube-system | grep seal
# Port‑forward
kubectl -n kube-system port-forward svc/sealed-secrets-controller 8080:8080</code>

Usage

Create secret manifest

<code>apiVersion: v1
kind: Secret
metadata:
  name: secret-example
data:
  # base64 is an encoding, not encryption: this decodes to "mysupersecret" plus a trailing newline
  secret: bXlzdXBlcnNlY3JldAo=</code>

Seal the secret

<code>kubeseal --secret-file secret-example.yaml --sealed-secret-file sealed-secret-example.yaml</code>

The generated <code>sealed-secret-example.yaml</code> contains an encrypted <code>spec.encryptedData.secret</code> field.

Apply sealed secret

<code>kubectl create -f sealed-secret-example.yaml
kubectl get sealedsecrets.bitnami.com</code>

The controller decrypts it and creates a regular <code>Secret</code> in the same namespace. You can view it with:

<code>kubectl get secret secret-example -o yaml</code>

Note: The <code>SealedSecret</code> and the resulting <code>Secret</code> must reside in the same namespace.

Tips

The kubeseal controller exposes API routes such as <code>/healthz</code>, <code>/metrics</code>, <code>/v1/verify</code>, <code>/v1/rotate</code>, and <code>/v1/cert.pem</code>.

You can supply your own certificate to the controller for easier migration.

Use RBAC to restrict which namespaces and resources users can access, preventing accidental secret leakage.
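
One way to apply the RBAC tip, as an added example that is not from the original article: a namespaced Role that lets a team manage SealedSecret objects without any access to the decrypted Secret objects, with the over-broad rule to avoid shown in the comment. The namespace `team-a`, the group `team-a-devs`, and the object names are assumed placeholders.

```yaml
# Added example; "team-a", "team-a-devs" and the object names are assumptions.
#
# Over-broad rule to avoid: a wildcard on the core API group also grants
# get/list on Secrets, so anyone bound to it can read the decrypted values.
#
#   rules:
#     - apiGroups: [""]
#       resources: ["*"]
#       verbs: ["*"]
#
# Narrow alternative: manage SealedSecrets only, with no rule for Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sealedsecret-editor
  namespace: team-a
rules:
  - apiGroups: ["bitnami.com"]        # API group shown by "kubectl get sealedsecrets.bitnami.com"
    resources: ["sealedsecrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sealedsecret-editor-binding
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: sealedsecret-editor
  apiGroup: rbac.authorization.k8s.io
```

With only this binding in place, `kubectl auth can-i get secrets -n team-a --as=dev --as-group=team-a-devs` should answer `no`, while the same check for `sealedsecrets.bitnami.com` answers `yes` (`dev` is a placeholder user name).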
