Using sealed secrets in Kubernetes

European handicapped girl in vr glasses on sofa at home. Healing technology, robotic limb.
Reading Time: 3 minutes

This is a practical implementation of the previous blog: Introduction to Sealed Secrets in Kubernetes.
In this blog, we will create secrets in Kubernetes with the help of sealed secrets.


  1. controlplane with access to a k8s cluster

Install kubeseal

Kubeseal is a CLI tool that seals a secret with the help of the controller’s public key and creates a CRD for the sealed secret.


tar -xvzf kubeseal-0.19.2-linux-amd64.tar.gz

install -m 755 kubeseal /usr/local/bin/kubeseal

Install Sealed Secret Controller on Kubernetes

Sealed secret controller will create a key pair consisting of a private and a public key to encrypt and decrypt a secret.

kubectl apply -f

Check the logs of the controller

It will search for a secret with the label in its namespace. If it does not get one, it will create a new one in its namespace and will print the public key portion of the key pair to its output logs.

Check the secret created by the controller to hold the private key

kubectl get secret -n kube-system -l -o yaml

This will display the tls.crt and tls.key.

Create secret.yaml

apiVersion: v1
kind: Secret
name: sealed-secret
namespace: test

Create Sealed Secret via kubeseal

cat secret.yaml | kubeseal \
--controller-namespace kube-system \
--controller-name sealed-secrets-controller \
--format yaml \
> sealed-secret.yaml

Apply the sealed secret

kubectl create ns test

kubectl apply -f sealed-secret.yaml

Check if the sealed secret is created or not

kubectl get sealedsecret -n test -o yaml

Check if the secret is created or not

kubectl get secret sealed-secret -n test -o yaml

Sealed secrets manage the secrets created by the controller

If we delete the sealedsecret, the corresponding secret will also be deleted

Disaster Recovery for sealed secrets

Without the private key that is managed by the controller, there is no way to decrypt the encrypted data within a SealedSecret.

  • Create a backup of the private key and copy the content to a master.yaml file
    kubectl get secret -n kube-system -l -o yaml > master.yaml
  • Delete the secret and sealed secret created previously
    kubectl delete secret -n kube-system -l
  • Delete the controllers deployment from the cluster
    kubectl delete -f
  • Apply the secret containing the private key.
    kubectl apply -f master.yaml
  • Deploy the controller again
    kubectl apply -f
  • Check the logs of the controller
    Controller will fetch the existing secret before trying to create a new key-pair. If it finds the key-pair, it wont create a new one.

As it depicts, the controller took the private key present in the secret called sealed-secrets-key9b5qd.

Hey, readers! Thank you for sticking up till the end. If you have any questions/feedbacks regarding this blog, I am reachable at You can find more of my blogs here.

Written by 

Vidushi Bansal is a Software Consultant [Devops] at Knoldus Inc. She is passionate about learning and exploring new technologies.