Using Kubeseal with Kubernetes


Ghassen Ouertani
February 23, 2025

What is Kubeseal?

Kubeseal is a tool that helps securely manage Kubernetes secrets. It allows you to encrypt secrets before storing them in Git, ensuring they remain safe from unauthorized access. The Sealed Secrets Controller, running inside your Kubernetes cluster, decrypts these secrets when applied, providing a seamless way to manage secrets securely.

Benefits of Using Kubeseal

  • Security: Secrets are encrypted before being stored in version control systems.
  • GitOps Friendly: Sealed secrets can be stored in Git repositories without exposing the plaintext values.
  • Access Control: Only the Kubernetes cluster with the right private key can decrypt the secrets.
  • Automation: Works seamlessly with CI/CD pipelines to manage secrets efficiently.

Prerequisites

Before using Kubeseal, ensure you have the following installed:

  • A running Kubernetes cluster
  • The kubectl CLI tool
  • The Kubeseal CLI (kubeseal)
  • The Sealed Secrets Controller installed in your cluster

Step-by-Step Guide

1. Install Sealed Secrets Controller

To install the Sealed Secrets controller, run:

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.23.0/controller.yaml

This deploys the Sealed Secrets controller in the kube-system namespace.

2. Install Kubeseal CLI

You can install kubeseal locally using:

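# macOS
brew install kubeseal

# Linux: release assets are versioned tarballs; pinned here to the
# same release as the controller installed in step 1
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.23.0/kubeseal-0.23.0-linux-amd64.tar.gz
tar -xzf kubeseal-0.23.0-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal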

3. Create and Seal a Secret

  1. Create a Kubernetes Secret:

    kubectl create secret generic my-secret \
      --from-literal=username=admin \
      --from-literal=password=supersecret \
      --dry-run=client -o yaml > my-secret.yaml
  2. Seal the Secret using Kubeseal:

    kubeseal --controller-namespace kube-system \
      --format yaml < my-secret.yaml > my-sealed-secret.yaml

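    This generates my-sealed-secret.yaml, which can be safely stored in Git. The input file my-secret.yaml still holds the base64-encoded plaintext values, so do not commit it; delete it once the sealed file exists.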

  3. Apply the Sealed Secret to the cluster:

    kubectl apply -f my-sealed-secret.yaml
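
An added example, not part of the original post: a shell check that could run as a pre-commit hook or CI step to flag plaintext Secret manifests such as my-secret.yaml before they reach Git. The function names and the trimmed sample files are constructed for illustration, and it assumes one resource per YAML document.

```shell
# Added example, not from the original post: flag plaintext Secret manifests
# (like my-secret.yaml from step 3) so that only SealedSecrets reach Git.
# find_plain_secrets FILE... prints one line per plaintext Secret, naming the
# exposed keys but never their values, and returns 1 if any was found.
# Assumption: one resource per YAML document ("kind: List" is not unpacked).
find_plain_secrets() {
    awk '
        function report() {
            if (kind == "Secret") {
                printf "%s:%d: plaintext Secret exposes keys:%s\n", file, kline, keys
                found = 1
            }
            kind = ""; keys = ""; section = 0; indent = 0
        }
        { sub("\r$", "") }                                 # tolerate CRLF files
        FNR == 1 { if (NR > 1) report(); file = FILENAME } # new file ends a document
        /^---/   { report(); next }                        # so does a YAML separator
        /^kind:/ { kind = $2; gsub("[\"\047]", "", kind); kline = FNR }
        /^[^ #]/ { section = ($1 == "data:" || $1 == "stringData:"); indent = 0 }
        section && match($0, /^ +[^ #]/) {
            if (!indent) indent = RLENGTH                  # first key sets the depth
            if (RLENGTH == indent) { k = $1; sub(/:.*/, "", k); keys = keys " " k }
        }
        END { report(); exit found + 0 }
    ' "$@"
}

# Constructed, trimmed samples mirroring the two files produced in step 3.
write_samples() {
    cat > "$1/my-secret.yaml" <<'EOF'
apiVersion: v1
data:
  password: c3VwZXJzZWNyZXQ=
  username: YWRtaW4=
kind: Secret
EOF
    cat > "$1/my-sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
spec:
  encryptedData:
    password: AgB-constructed-ciphertext
    username: AgB-constructed-ciphertext
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
find_plain_secrets "$dir"/*.yaml || echo "commit blocked"
rm -rf "$dir"
```

The check reads only the top-level kind and the key names under data or stringData, so ConfigMaps and SealedSecrets pass while any Secret document in a multi-document file is reported.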

4. Verify and Retrieve the Secret

To verify the Secret was decrypted correctly:

kubectl get secret my-secret -o yaml

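The values under data appear base64-encoded in the YAML output. This is an encoding, not encryption: anyone who can read the Secret in the cluster can decode it.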

5. Decrypting the Secret (For Debugging)

If you need to retrieve the original secret values, decode them with jq (this prints the plaintext to your terminal):

kubectl get secret my-secret -o jsonpath='{.data}' | jq -r 'to_entries | .[] | "\(.key): \(.value | @base64d)"'

Conclusion

Using Kubeseal, you can safely store encrypted secrets in Git and automate secret management in Kubernetes. This ensures better security and compliance in your DevOps workflows.

