Simplifying Kubernetes Secret Management with Sealed Secrets: A Comprehensive Guide
Table of contents
- Introduction:
- Pros and Cons of Sealed Secrets:
- Prerequisites:
- Installation of Sealed Secrets:
- Installing the kubeseal Client:
- Installing the Custom Controller and CRD for SealedSecret:
- Basic Usage:
- Creating a Sealed Secret:
- Applying a Sealed Secret:
- Managing Sealed Secrets:
- Retrieve the public key certificate using kubeseal:
- Encrypt existing secrets and apply them to the cluster:
- Update deployments to use sealed secrets:
- Updating a Sealed Secret:
- Deleting a Sealed Secret:
- Verify the Sealed Secret:
- Conclusion:
Introduction:
In the world of Kubernetes, safeguarding sensitive information during application deployment is of utmost importance. Kubernetes provides the Secret resource for storing sensitive data, but a Secret manifest only base64-encodes its values: anyone who can read the file can read the credentials, so Secrets cannot be committed to a Git repository alongside the rest of an application's manifests. Sealed Secrets, an open-source Kubernetes controller (bitnami-labs/sealed-secrets) together with the kubeseal command-line tool, solves this problem: kubeseal encrypts a Secret with the public key of the controller running in the target cluster and produces a SealedSecret resource that is safe to commit, and only the controller, which holds the matching private key, can decrypt it back into a regular Secret.
Pros and Cons of Sealed Secrets:
Pros:
Enhanced Security: A SealedSecret is encrypted with a public key whose private half exists only inside the cluster, so the manifest can be stored in Git, reviewed in pull requests and passed through CI pipelines without exposing the values. By default (the strict scope) each sealed value is also bound to its namespace and name, so a ciphertext copied to another namespace or renamed will not decrypt.
Simplified Management: Secrets follow the same Git-based workflow as every other manifest; no separate vault service or runtime sidecar is needed, only the controller in the cluster and the kubeseal CLI on the workstation.
Version Control: Because sealed manifests live in Git, every change to a secret is a reviewable, auditable commit, and a cluster can be rebuilt from the repository.
Cons:
Additional Complexity: Sealing is one more step in the deployment workflow and one more controller to operate, which can be challenging for teams new to Kubernetes.
Learning Curve: Users need time to understand the kubeseal workflow, in particular why a sealed value is tied to a cluster, namespace and name, and how values are updated or re-sealed.
Key Management: The sealing key pair lives in the cluster as a Secret in the controller's namespace (labelled sealedsecrets.bitnami.com/sealed-secrets-key). If it is lost, for example when a cluster is rebuilt without restoring it, every SealedSecret in Git becomes undecryptable, so the key must be backed up and protected like any other master key. The controller also generates a new key pair every 30 days by default, so a cached public certificate should be refreshed periodically.
Protection Ends at Unsealing: The controller turns each SealedSecret back into an ordinary Secret, which is stored base64-encoded in etcd and readable by anyone with RBAC access to Secrets in that namespace. Sealed Secrets protects secrets at rest in Git and on the way into the cluster; encryption at rest for etcd and tight RBAC are still required inside it.
Prerequisites:
Before diving into Sealed Secrets, ensure you have the following:
A running Kubernetes cluster.
Local installation of kubectl, the Kubernetes command-line tool.
Helm, the Kubernetes package manager, if you choose the Helm installation method below.
Installation of Sealed Secrets:
Sealed Secrets has two parts: the controller, which runs in the cluster and holds the private key, and the kubeseal CLI, which runs on your workstation. The controller can be installed either with Helm (this section) or from the release manifest (see "Installing the Custom Controller and CRD for SealedSecret" below); pick one method, not both.
Step 1: Add the Sealed Secrets Helm repository
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
Step 2: Install Sealed Secrets into your cluster
helm install sealed-secrets sealed-secrets/sealed-secrets -n kube-system --set-string fullnameOverride=sealed-secrets-controller
This deploys the controller and the SealedSecret CRD. The two extra flags matter: kubeseal looks for a controller named sealed-secrets-controller in the kube-system namespace by default, whereas the chart would otherwise name the service after the Helm release (sealed-secrets) in whatever namespace you are currently using. If you install with different values, pass --controller-name and --controller-namespace to every kubeseal invocation, or work from a fetched certificate with --cert.
Installing the kubeseal Client:
For Linux x86_64 systems (the v0.18.0 release is shown; use the same release for the controller manifest below):
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
tar xfz kubeseal-0.18.0-linux-amd64.tar.gz
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
For MacOS systems:
brew install kubeseal
Installing the Custom Controller and CRD for SealedSecret:
This is the alternative to the Helm chart. The release manifest installs the SealedSecret CRD, the controller Deployment and its RBAC objects into kube-system under the name sealed-secrets-controller, which is exactly what kubeseal expects by default, so no extra flags are needed later. Use the same release version as the kubeseal binary:
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yaml
kubectl apply -f controller.yaml
Check the controller pod status; it should reach Running, and on first start it generates its sealing key pair and stores it as a Secret in kube-system:
kubectl get pods -n kube-system | grep sealed-secrets-controller
Basic Usage:
Creating a Sealed Secret:
Start from an ordinary Kubernetes Secret manifest (my-secret.yaml). The values under data are base64-encoded, not encrypted, so this file is itself sensitive: keep it out of Git and delete it once it has been sealed. State the namespace explicitly, because the sealing is bound to it:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  username: <base64-encoded-username>
  password: <base64-encoded-password>
Seal the Secret with kubeseal. The tool fetches the controller's public certificate from the cluster (or reads it from a file given with --cert) and writes a SealedSecret manifest, which is the file that belongs in Git:
kubeseal --format yaml < my-secret.yaml > my-sealed-secret.yaml
Apply the SealedSecret, never the plain Secret:
kubectl apply -f my-sealed-secret.yaml
The controller notices the new SealedSecret, decrypts it with its private key and creates a regular Secret named my-secret in the same namespace.
Applying a Sealed Secret:
A workload consumes the unsealed Secret exactly as it would any other Secret; nothing in the Deployment refers to the SealedSecret. Because the controller creates the Secret under the same name as the SealedSecret, the reference below is simply my-secret. Apply the SealedSecret before rolling out the Deployment, otherwise the pods fail to start with a missing-secret error (deployment.yaml):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-container
        image: my-image
        envFrom:
        - secretRef:
            name: my-secret
The selector is mandatory for a Deployment and must match the pod template labels. envFrom exposes every key of the Secret as an environment variable; environment variables are inherited by every child process and tend to surface in crash dumps and debug output, so mounting the Secret as a volume is the usual alternative when that is a concern.
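The create, seal, apply and consume steps above as one script. This is an added example, not code from the article or from the Sealed Secrets project. It assumes kubectl and kubeseal are on PATH, the controller runs under its default name and namespace, and a certificate has been fetched into a file with kubeseal --fetch-cert; the secret name app-creds, the file names and the key/value pairs are placeholders. The Secret is built with kubectl's client-side dry run so the plaintext manifest is never written to disk, sealed with strict scope, refused if the output still looks like a plain Secret (the same check works as a pre-commit hook for the repository), and only applied after that; the script then waits for the controller to produce the unsealed Secret so a Deployment can safely reference it.

```shell
#!/bin/sh
# Added example (not from the article or the sealed-secrets project).
# Assumes: kubectl and kubeseal on PATH, the controller installed as
# sealed-secrets-controller in kube-system, and a certificate file fetched
# with `kubeseal --fetch-cert`. All names below are placeholders.
set -eu

# Build a plain Secret manifest on stdout without touching the cluster.
# Usage: make_secret_manifest <name> <namespace> key=value [key=value ...]
make_secret_manifest() {
  _name=$1 _ns=$2; shift 2
  # Turn each key=value into a --from-literal flag (POSIX-safe rewrite of $@).
  for _kv in "$@"; do set -- "$@" --from-literal="$_kv"; shift; done
  kubectl create secret generic "$_name" --namespace "$_ns" "$@" \
    --dry-run=client -o yaml
}

# Seal a Secret manifest from stdin into a SealedSecret manifest on stdout.
# Strict scope (the default) binds the ciphertext to the namespace and name.
# Usage: seal_manifest <cert.pem> [strict|namespace-wide|cluster-wide]
seal_manifest() {
  kubeseal --cert "$1" --scope "${2:-strict}" --format yaml
}

# Gate before `git add` or `kubectl apply`: the file must be a SealedSecret
# with an encryptedData block and must not carry a plain Secret's top-level
# data:/stringData: keys, whose values are only base64-encoded, not encrypted.
check_sealed_file() {
  if ! grep -q '^kind: SealedSecret$' "$1"; then
    echo "$1: not a SealedSecret manifest" >&2; return 1
  fi
  if ! grep -q '^  encryptedData:' "$1"; then
    echo "$1: no encryptedData block" >&2; return 1
  fi
  if grep -Eq '^(data|stringData):' "$1"; then
    echo "$1: contains plaintext Secret data, refusing" >&2; return 1
  fi
  return 0
}

# Full workflow: build, seal, check, apply, then wait until the controller has
# produced the unsealed Secret so a Deployment can safely reference it.
# Usage: seal_and_apply <name> <namespace> <cert.pem> key=value [...]
seal_and_apply() {
  name=$1 ns=$2 cert=$3; shift 3
  out="$name-sealed.yaml"
  make_secret_manifest "$name" "$ns" "$@" | seal_manifest "$cert" > "$out"
  check_sealed_file "$out"
  kubectl apply -f "$out"
  for _i in 1 2 3 4 5 6 7 8 9 10; do
    if kubectl get secret --namespace "$ns" "$name" >/dev/null 2>&1; then
      echo "$out is safe to commit; Secret $ns/$name is live"
      return 0
    fi
    sleep 1
  done
  echo "Secret $ns/$name not created after 10s; check the controller logs" >&2
  return 1
}

# Example invocation (placeholder values):
# seal_and_apply app-creds default sealed-secrets-cert.pem username=admin password=s3cret
```

Only the sealed file ever reaches disk; the plaintext flows from kubectl's dry run straight into kubeseal. check_sealed_file is deliberately strict about column-0 data: and stringData: keys, because that is where a plain Secret keeps its values, while a SealedSecret keeps its ciphertext indented under spec.encryptedData.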
Managing Sealed Secrets:
Retrieve the public key certificate using kubeseal:
kubeseal --fetch-cert > sealed-secrets-cert.pem
The certificate is public, so it can be committed to the repository and used by CI jobs or by colleagues who have no access to the cluster; with --cert, kubeseal never needs to contact the cluster. Refresh the file from time to time, because the controller rotates its key pair (every 30 days by default); manifests sealed with an older key still decrypt, as the controller keeps its old private keys.
Encrypt existing secrets and apply them to the cluster:
kubectl get secret your-secret-name -o yaml | kubeseal --cert sealed-secrets-cert.pem --format yaml > sealed-your-secret-name.yaml
kubectl apply -f sealed-your-secret-name.yaml
The --format yaml flag is needed because kubeseal emits JSON by default. Exporting a Secret from the cluster copies cluster-specific metadata (for example, annotations left behind by earlier kubectl apply runs), so inspect the generated file and confirm that nothing under spec.template contains the plaintext before committing it.
Update deployments to use sealed secrets:
No change is required. The SealedSecret keeps the original Secret's name (your-secret-name, regardless of what the file is called), and the controller recreates a Secret under that name, so existing references keep working:
envFrom:
- secretRef:
    name: your-secret-name
Updating a Sealed Secret:
The encrypted values cannot be edited in place. Update the plain Secret manifest (my-updated-secret.yaml), seal it again and apply the new SealedSecret; the controller overwrites the existing Secret. Pods that read it through environment variables see the new value only after a restart, while volume mounts refresh on their own:
kubeseal --format yaml < my-updated-secret.yaml > my-sealed-secret.yaml
kubectl apply -f my-sealed-secret.yaml
To change a single key without re-entering all the others, kubeseal --merge-into <sealed-file> seals only the keys of the Secret supplied on stdin and merges them into the existing sealed manifest.
Deleting a Sealed Secret:
kubectl delete sealedsecret my-secret
The Secret the controller created carries an ownerReference pointing at the SealedSecret, so Kubernetes garbage collection removes the Secret together with it; there is no second delete to run. The same cascade happens when a GitOps tool prunes a SealedSecret that was removed from the repository, so deleting the file is an operational change, not just a cleanup.
Verify the Sealed Secret:
kubectl get sealedsecrets
kubectl get secrets
Both should list my-secret. If the SealedSecret exists but the Secret does not, the controller could not decrypt it: typically the manifest was sealed with a certificate from a different cluster, or for a different namespace or name than it was applied under (strict scope). Add -o yaml to the first command to read status.conditions, where a Synced condition of False carries the controller's error message, and check the controller's logs in kube-system.
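The update, delete and verify steps above as shell helpers. This is an added example, not code from the article or from the Sealed Secrets project. It assumes kubectl and kubeseal are on PATH and a certificate file fetched with kubeseal --fetch-cert; the file path, namespace, secret name and key are placeholders. sealed_synced reads the Synced condition the controller writes, owned_by_sealedsecret confirms the ownerReference that makes the delete cascade, and update_sealed_key rotates one key with kubeseal --merge-into, reading the new value from stdin so it never lands in argv or shell history.

```shell
#!/bin/sh
# Added example (not from the article or the sealed-secrets project):
# maintenance helpers for a SealedSecret that is already in the cluster.
# Assumes kubectl and kubeseal on PATH and a certificate file fetched with
# `kubeseal --fetch-cert`; names and file paths are placeholders.
set -eu

# Return 0 when the controller reports the SealedSecret as Synced, i.e. it has
# decrypted it and written the Secret. A False condition carries the error
# message, which is printed to stderr.
# Usage: sealed_synced <namespace> <name>
sealed_synced() {
  status=$(kubectl get sealedsecret --namespace "$1" "$2" \
    -o jsonpath='{.status.conditions[?(@.type=="Synced")].status}')
  if [ "$status" = "True" ]; then
    return 0
  fi
  kubectl get sealedsecret --namespace "$1" "$2" \
    -o jsonpath='{.status.conditions[?(@.type=="Synced")].message}' >&2
  echo >&2
  return 1
}

# Return 0 when the live Secret is owned by a SealedSecret of the same name.
# That ownerReference is what makes `kubectl delete sealedsecret` cascade to
# the Secret; a Secret without it was created some other way and would survive.
# Usage: owned_by_sealedsecret <namespace> <name>
owned_by_sealedsecret() {
  owner=$(kubectl get secret --namespace "$1" "$2" \
    -o jsonpath='{.metadata.ownerReferences[?(@.kind=="SealedSecret")].name}')
  [ "$owner" = "$2" ]
}

# Replace or add one key in an existing sealed manifest without re-entering
# the other keys. The new value is read from stdin; kubeseal rewrites the
# sealed file in place and leaves the other encrypted keys untouched.
# Usage: printf '%s' 'new-pass' | update_sealed_key <file> <namespace> <name> <key> <cert.pem>
update_sealed_key() {
  kubectl create secret generic "$3" --namespace "$2" \
    --from-file="$4"=/dev/stdin --dry-run=client -o yaml \
    | kubeseal --cert "$5" --format yaml --merge-into "$1"
}

# Rotate one key end to end: merge the new value, apply, confirm the controller
# re-synced. Pods reading the key via environment variables still need a restart.
# Usage: printf '%s' 'new-pass' | rotate_key <file> <namespace> <name> <key> <cert.pem>
rotate_key() {
  update_sealed_key "$@"
  kubectl apply -f "$1"
  sealed_synced "$2" "$3"
}

# Example invocation (placeholder values):
# printf '%s' 'n3w-pass' | rotate_key app-creds-sealed.yaml default app-creds password sealed-secrets-cert.pem
# owned_by_sealedsecret default app-creds && echo "delete of the SealedSecret will cascade"
```

Both checks read the cluster's own bookkeeping rather than guessing: the Synced condition is where the controller records a decryption failure (wrong cluster key, wrong namespace or name under strict scope), and the ownerReference is the only thing that ties the Secret's lifetime to the SealedSecret's.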
Conclusion:
Sealed Secrets lets Kubernetes Secret manifests be encrypted on the workstation and committed to version control, with decryption possible only by the controller inside the target cluster. It does not replace encryption at rest for etcd, RBAC on Secrets or a backup of the sealing key, but for teams that deploy from Git it closes the most common way credentials leak, and the benefits in terms of security and simplified management outweigh the learning curve for many users.