Securing Kubernetes Secrets with Sealed Secrets: A Hands-On Guide

We saw in our last blog why we want to secure our secrets. If you haven't read it yet, please do so using the link below.
In this blog we will explore Sealed Secrets.
To use Sealed Secrets we need to install two pieces: the controller (which runs in the cluster and holds the decryption key) and kubeseal (the CLI that encrypts secrets on your machine).
- First add the Sealed Secrets Helm repository using the command below.
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets

- Now install the controller using the command below. It creates the Helm release sealed-secrets in the namespace sealed-secret; kubeseal needs both of these values later.
helm install sealed-secrets -n sealed-secret sealed-secrets/sealed-secrets --create-namespace

- Now install kubeseal. On macOS, use the command below:
brew install kubeseal
If you are using any other operating system, install kubeseal by following this link.
- Create the sealed secret manifest (which can safely be shared on GitHub or any other source code repo) using the following command. The plain Secret is only rendered locally (--dry-run=client) and piped straight into kubeseal, so it never has to be written to disk.
kubectl create secret generic database-cred --dry-run=client --from-literal=username=admin --from-literal=password=supersecret -o yaml | \
  kubeseal \
    --controller-name=sealed-secrets \
    --controller-namespace=sealed-secret \
    --format yaml > mysealedsecret.yaml

Now if you check your secret manifest file, you will see that your secret data is sealed. Even if you upload it to any source code repo, it is still secure: without the controller's private key, no one can decrypt it.

Whenever you apply this manifest, the sealed-secrets controller decrypts it and creates a regular Kubernetes Secret, with the values stored base64-encoded as in any other Secret.
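The following script is an added example and is not part of the original post or the Sealed Secrets project. It wraps the seal step from above in a reusable function and adds a guard to run before committing: the manifest must be a SealedSecret and must not contain the plaintext values, either verbatim or base64-encoded (the form a plain Secret stores them in). It assumes kubectl and kubeseal are installed and the controller is deployed as in this post (release name sealed-secrets, namespace sealed-secret); the sealed sample it checks is constructed, with placeholder ciphertext rather than real kubeseal output.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): seal a Secret the way the post does,
# then verify the result carries no plaintext before it goes into git.
# Assumptions: kubectl and kubeseal are on PATH; the controller is installed as in the
# post (release sealed-secrets in namespace sealed-secret). Override via environment.

CONTROLLER_NAME="${CONTROLLER_NAME:-sealed-secrets}"
CONTROLLER_NS="${CONTROLLER_NS:-sealed-secret}"

# seal_secret NAME NAMESPACE OUTFILE key=value [key=value ...]
# --dry-run=client renders the Secret locally (nothing is sent to the API server) and
# the pipe hands it straight to kubeseal, so the plaintext Secret never lands on disk.
# Needs a cluster connection: kubeseal fetches the controller's public certificate.
seal_secret() {
  local name="$1" ns="$2" out="$3" kv
  shift 3
  # Turn each key=value into a --from-literal flag (POSIX-sh safe, no arrays).
  for kv in "$@"; do
    set -- "$@" --from-literal="$kv"
    shift
  done
  kubectl create secret generic "$name" -n "$ns" --dry-run=client -o yaml "$@" \
    | kubeseal --controller-name="$CONTROLLER_NAME" --controller-namespace="$CONTROLLER_NS" \
               --format yaml > "$out"
}

# check_sealed_manifest FILE plaintext [plaintext ...]
# Guard to run before `git add`: the file must be a SealedSecret, must not have a
# top-level data:/stringData: block (the shape of an unsealed Secret), and must not
# contain any of the given plaintext values, verbatim or base64-encoded.
# Returns 0 when safe to commit, 1 otherwise.
check_sealed_manifest() {
  local file="$1" v enc
  shift
  if ! grep -q '^kind: SealedSecret' "$file"; then
    echo "REJECT $file: kind is not SealedSecret" >&2
    return 1
  fi
  if grep -Eq '^(data|stringData):' "$file"; then
    echo "REJECT $file: unsealed data block present" >&2
    return 1
  fi
  for v in "$@"; do
    enc=$(printf '%s' "$v" | base64)
    if grep -qF -- "$v" "$file" || grep -qF -- "$enc" "$file"; then
      echo "REJECT $file: plaintext value found" >&2
      return 1
    fi
  done
  echo "OK $file: sealed, no plaintext found"
  return 0
}

# Constructed sample of what the seal step produces. The encryptedData values are
# placeholders, not real kubeseal output, so the guard can be exercised offline.
write_sample_sealed() {
  cat > "$1" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: database-cred
  namespace: default
spec:
  encryptedData:
    password: AgBPLACEHOLDERCIPHERTEXT0001
    username: AgBPLACEHOLDERCIPHERTEXT0002
  template:
    metadata:
      name: database-cred
      namespace: default
EOF
}

# Constructed sample of the unsealed Secret, i.e. what must never be committed.
write_sample_plain() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: database-cred
data:
  password: c3VwZXJzZWNyZXQ=
  username: YWRtaW4=
EOF
}

# Demo on the constructed sealed sample (no cluster needed). With a cluster, replace
# this with: seal_secret database-cred default mysealedsecret.yaml username=admin password=supersecret
sample=$(mktemp)
write_sample_sealed "$sample"
check_sealed_manifest "$sample" admin supersecret
rm -f "$sample"
```

The guard is deliberately fail-safe: a short plaintext such as admin could in rare cases appear inside a genuine ciphertext string, in which case the manifest is flagged and you reseal rather than commit. It does not prove the ciphertext is valid; only the controller can do that by applying the manifest.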

By following these steps, you can securely store your secrets in Kubernetes using Sealed Secrets. This method ensures that your sensitive data remains encrypted, even if the manifest files are stored in a version control system or shared publicly. However, it's important to note that Sealed Secrets do not support automatic rotation of secrets. This means that if your secret data changes frequently, you'll need to manually update and reseal your secrets.
In our next blog, we will explore another method for managing secrets in Kubernetes: External Secret Operator (ESO) with Google Secret Manager. This approach offers dynamic secret management and may address some of the limitations of Sealed Secrets. Stay tuned!