Secure Kubernetes Secrets with Sealed Secrets: A Step‑by‑Step Guide
This tutorial explains how to install kubeseal and its controller, encrypt Kubernetes secrets into SealedSecret resources, apply them to a cluster, and let the controller automatically decrypt them back into regular secrets, ensuring safer secret management in cloud‑native environments.
In Kubernetes management, secrets are hard to maintain; kubeseal offers a simple way to encrypt raw secret resources and decrypt them via a controller, reducing secret leakage risk.
Installation
kubeseal
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
tar -xvf kubeseal-0.18.0-linux-amd64.tar.gz
cp kubeseal /usr/local/bin/
kubeseal --versioncontroller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yamlAfter applying, a controller pod runs in the kube-system namespace:
kubectl get pod -n kube-system | grep seal
sealed-secrets-controller-... 1/1 RunningPort‑forward the controller to the local machine:
kubectl -n kube-system port-forward svc/sealed-secrets-controller 8080:8080Usage
Create an unencrypted secret file
apiVersion: v1
kind: Secret
metadata:
name: secret-example
data:
secret: bXlzdXBlcnNlY3JldAo=Encrypt it with kubeseal:
kubeseal --secret-file secret-example.yaml --sealed-secret-file sealed-secret-example.yamlThe generated sealed-secret-example.yaml contains an encrypted data field:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: secret-example
namespace: kube-system
spec:
encryptedData:
secret: AgB1ZZg8+J+0HLymOQZdTfWVQZiNkhm5X6WULJuBAAEaQQNhM8i2TV2I1SgKT4sUOCRv90XA1oeFld3XoGPjvYE3leOD1cvK1dDVqno6mNLRziokISk/9fB3cVE2GVgyCud//M53xNpVemDufgsJS2q/KGIOeNEijk9ZM2FaKoLDwtPaVNL0NfmC2xne2XtWJp+/eMOREhbubQhnj5M/Se75axazviuDNf6Ss9fAuR38Msd5DXnKBtyrckEHSa8TDn8ErssOh0ogX14e0/ThN3EWJecSBtx7Xfd0m90+vjmvWevMag442349aquR/qLo0mg40mhcCqSBw/MjaIGZ2F5XRufG1WEP43OgLMTixN2lLSU3eYTrv5t075taI9WJgoOl0DD8UA74EMpX7RMKTiXD6C0XngKmMKg5fUK7JNLFfwHMRPi4zNTwJa9ViDyD0iAJrGGbmMso/nHEtwOtrLE5Rrf0kLQ5N6Lj57gOBdqu903/vDM4Jm695GvEWL2aR3ShOxasHCuZeXj8Q5+KYWeF9sySiJH8bwEtaw6x7j9AxBOwjxWYD0Jvj9KhtlqBa4okSDc3bcgRKGhsSXQx6jOumI5rj+V542hkB6Z8JOtJ17VmzR6XDQDmqSl1FqqwKD5n5yUy5Kf6pJYBnsgKn3TzesQ6JfQbyRLTh1Pn3odOYCnp+Ixbd0Tgn0n5m0KO3RX0hiwGoe0hObIZcsF36g==Apply the sealed secret to the cluster:
kubectl create -f sealed-secret-example.yaml
kubectl get sealedsecrets.bitnami.comThe controller decrypts it and creates the original secret:
kubectl get secrets | grep secret-example
secret-example Opaque 1 2m15sInspect the generated secret to verify that its data matches the original: kubectl get secret secret-example -o yaml Note: The SealedSecret and its corresponding Secret must reside in the same namespace.
Tips
kubesealprovides health, metrics, verification, rotation, and certificate endpoints.
You can supply a custom certificate to the controller for easier migration and management.
Be aware that mounting a secret from another namespace can expose it; use RBAC to restrict namespace and resource access.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.