LinuxCommandLibrary

kubeseal

Seal Kubernetes secrets for secure storage

TLDR

Encrypt a Kubernetes secret from a YAML file into a SealedSecret (default JSON output)
$ kubeseal < [secret.yaml] > [sealedsecret.json]

Encrypt a secret, outputting it in YAML or JSON format, using a bearer token for API authentication
$ kubeseal [[-o|--format]] [yaml|json] --token [my-bearer-token] < [secret.yaml] > [sealedsecret.yaml]

Seal a secret using a specific namespace and name for the sealed-secrets controller
$ kubeseal --controller-namespace [controller-namespace] --controller-name [controller-name] < [secret.yaml] > [sealedsecret.yaml]

Encrypt a raw secret value from a file with a specified name and scope
$ kubeseal --raw --from-file [path/to/secret.txt] --name [my-secret] --scope [strict|namespace-wide|cluster-wide] > [sealedsecret.yaml]

Fetch the controller's public certificate for offline sealing with basic auth
$ kubeseal --fetch-cert --username [username] --password [password] > [cert.pem]

Seal a secret offline using a fetched certificate
$ kubeseal --cert [cert.pem] < [secret.yaml] > [sealedsecret.yaml]

Merge a secret into an existing SealedSecret file in-place
$ kubeseal --merge-into [sealedsecret.yaml] < [secret.yaml]

Validate a SealedSecret without applying it
$ kubeseal --validate < [sealedsecret.yaml]

SYNOPSIS

kubeseal [flags]

PARAMETERS

--cert
    Public key certificate used to encrypt secrets (required unless --controller-name and --controller-namespace are specified).

--controller-name
    Name of the SealedSecrets controller (default: sealed-secrets-controller).

--controller-namespace
    Namespace where the SealedSecrets controller is running (default: kube-system).

--data-key
    Specify the name of the data key to seal for the secret. Can be specified multiple times.

--decode
    Decode SealedSecret into Secret.

--format
    Output format for sealed secrets: yaml, json (default: yaml).

--from-file
    Read secret data from files. Format is key=path.

--from-literal
    Specify a key and literal value to insert into secret (e.g. --from-literal=key1=value1). Can be specified multiple times.

--help
    Show help message.

--input-file
    Read secret data from file. If not specified, reads from standard input.

--merge-into
    Merge sealed secret into existing file.

--namespace
    Namespace for the SealedSecret (default: same as input secret or default namespace).

--output-type
    Output type for SealedSecret: secret, sealedsecret (default: sealedsecret).

--scope
    Scope of the SealedSecret: cluster-wide, namespace-wide, strict (default: strict).

--secret-name
    Name of the existing Secret to seal, or the name of the SealedSecret if --decode is used.

--update-annotations
    Update annotations in the SealedSecret (if already existing).

--validate-cert
    Validate the certificate presented by the SealedSecrets controller.

--version
    Show version.

DESCRIPTION

kubeseal is a command-line tool that encrypts Kubernetes Secrets into SealedSecrets, a custom resource definition (CRD). This lets you store your Kubernetes secrets safely in public repositories such as Git, enabling GitOps workflows. The tool encrypts the secret data with asymmetric encryption: the public key, which is embedded within the SealedSecret resource, encrypts, and the matching private key, held by the SealedSecrets controller running in your Kubernetes cluster, decrypts. Only the controller holding that private key can decrypt and unseal the secrets, even if someone gains access to your Git repository or YAML manifests. This significantly improves the security of managing secrets in version control. kubeseal simplifies creating SealedSecrets from existing Secrets, YAML files, or standard input, using the public key fetched from the SealedSecrets controller to encrypt the sensitive data.

CAVEATS

Ensuring the correct public key is used is crucial; otherwise, the SealedSecret will be unusable. If the SealedSecrets controller's key rotates, existing SealedSecrets need to be re-sealed. Be aware of the different scopes and their security implications.

SCOPE OPTIONS

The --scope option controls which names and namespaces have access to the sealed secret once it's deployed.

strict
    SealedSecret will only unseal to a Secret of the same name and namespace.

namespace-wide
    SealedSecret will unseal to Secrets with the same name in any namespace.

cluster-wide
    SealedSecret will unseal to Secrets with the same name in any namespace, on any cluster.

The wider scopes allow greater flexibility but reduce security.
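As an added example (not part of kubeseal or this page), a pre-commit check in Python for two points made above: the DESCRIPTION's rule that only SealedSecrets, never plaintext Secrets, belong in Git, and the SCOPE OPTIONS warning that wider scopes reduce security. It assumes kubeseal-style 2-space YAML indentation and the controller's scope annotations sealedsecrets.bitnami.com/namespace-wide and sealedsecrets.bitnami.com/cluster-wide; the sample manifest and its ciphertext are constructed placeholders.

```python
import re

# Added example, not kubeseal code. Assumes kubeseal-style 2-space YAML indentation and the
# controller's scope annotations; (annotation, scope) pairs are listed widest first.
WIDENING = (("sealedsecrets.bitnami.com/cluster-wide", "cluster-wide"),
            ("sealedsecrets.bitnami.com/namespace-wide", "namespace-wide"))

def field(doc, key, indent=""):
    """Value of a 'key:' line at the given indentation (metadata.name sits at 2 spaces)."""
    m = re.search(rf"(?m)^{indent}{key}:\s*(\S+)", doc)
    return m.group(1) if m else None

def scope_of(doc):
    """Effective scope of one SealedSecret document; strict is the default."""
    for annotation, scope in WIDENING:
        if re.search(rf'(?m)^\s+{re.escape(annotation)}:\s*"?true"?\s*$', doc):
            return scope
    return "strict"

def audit(manifest, allow_cluster_wide=False):
    """Pre-commit findings: plaintext Secrets and SealedSecrets sealed with the widest scope."""
    findings = []
    for doc in filter(str.strip, re.split(r"(?m)^---\s*$", manifest)):
        kind, name = field(doc, "kind"), field(doc, "name", "  ") or "<unnamed>"
        if kind == "Secret" and re.search(r"(?m)^(data|stringData):", doc):
            findings.append(f"{name}: plaintext Secret; run it through kubeseal before committing")
        elif kind == "SealedSecret" and scope_of(doc) == "cluster-wide" and not allow_cluster_wide:
            findings.append(f"{name}: sealed cluster-wide, the least restrictive scope")
    return findings

# Constructed sample: one plaintext Secret and one cluster-wide SealedSecret (placeholder ciphertext).
SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
stringData:
  password: hunter2
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/cluster-wide: "true"
  name: shared-token
spec:
  encryptedData:
    token: AgB...placeholder...
"""
```

Run `audit(SAMPLE)` from a pre-commit hook and refuse the commit when it returns any findings; pass `allow_cluster_wide=True` only for repositories where that scope is a deliberate choice.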

HISTORY

kubeseal was developed as part of the SealedSecrets project to address the challenge of securely managing Kubernetes Secrets within GitOps workflows. It provides a convenient way to encrypt and decrypt secrets, ensuring sensitive information remains protected during storage and transit. The tool has seen active development and wide adoption within the Kubernetes community, addressing the security needs of cloud-native applications.
It was initially created by Bitnami and later transitioned to community ownership.

SEE ALSO

kubectl(1), openssl(1)
