Introduction to Sealed Secrets in Kubernetes

Sealed Secrets Fundamentals

Creating Kubernetes Secret

In this step, we’ll generate a standard Kubernetes Secret manifest that can later be sealed and encrypted with kubeseal. By outputting the YAML without applying it, you get full control over your secret definitions.

1. Generate the Secret YAML

Use the following command to create a generic Secret named database in the default namespace. The DB_PASSWORD key is set to password123.

kubectl create secret generic database \
  -n default \
  --from-literal=DB_PASSWORD=password123 \
  --dry-run=client \
  -o yaml > secret.yaml

| Option | Description | Example |
|---|---|---|
| create secret generic <name> | Creates a generic Secret resource | kubectl create secret generic database |
| -n <namespace> | Specifies the target namespace | -n default |
| --from-literal=KEY=VALUE | Adds literal key-value pairs to the Secret | --from-literal=DB_PASSWORD=password123 |
| --dry-run=client -o yaml | Outputs the manifest without applying it | --dry-run=client -o yaml |

Note

Kubernetes Secrets store data as base64-encoded strings, not encrypted values. Always seal or encrypt sensitive data before committing to version control.

2. Inspecting the Generated YAML

Your secret.yaml will look like this:

apiVersion: v1
kind: Secret
metadata:
  name: database
  namespace: default
data:
  DB_PASSWORD: cGFzc3dvcmQxMjM=

3. Verifying the Base64 Encoding

To confirm the encoding, decode the DB_PASSWORD field:

echo cGFzc3dvcmQxMjM= | base64 --decode
# password123

4. Next Steps: Sealing the Secret

Now that you have secret.yaml, pass it through kubeseal to produce a secure SealedSecret:

kubeseal --format yaml < secret.yaml > sealedsecret.yaml

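This encrypted manifest can be safely stored in Git and applied to any cluster that holds your Sealed Secrets key. The original secret.yaml still contains the password in base64 only, so keep that file out of version control.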
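
The check below is an added example, not part of the original tutorial or of the Sealed Secrets project: a shell guard that could run before a commit and refuses any manifest whose top-level kind is still Secret, while letting SealedSecret manifests through. The function names, the sample files and the placeholder ciphertext are constructed for illustration, and the YAML is scanned line by line with awk rather than fully parsed.

```shell
# Added example: refuse manifests that still hold a plain (base64-only) Secret.
# plain_secret_keys FILE prints the data/stringData key names of every document
# whose top-level kind is Secret; the YAML is scanned with awk, not fully parsed.
plain_secret_keys() {
  awk '
    function emit_doc() { if (is_secret) printf "%s", keys; is_secret = 0; keys = ""; in_data = 0 }
    /^---/ { emit_doc(); next }                          # next YAML document
    /^kind:[ \t]*"?Secret"?[ \t\r]*$/ { is_secret = 1 }  # SealedSecret does not match
    /^(data|stringData):/ { in_data = 1; next }
    /^[^ \t#]/ { in_data = 0 }                           # any other top-level key
    in_data && /^[ \t]+[^ \t#:]+:/ { k = $1; sub(/:.*/, "", k); keys = keys k "\n" }
    END { emit_doc() }
  ' "$1"
}

# check_commit FILE...: returns 1 and names the exposed keys if any file fails.
check_commit() {
  rc=0
  for f in "$@"; do
    keys=$(plain_secret_keys "$f" | tr '\n' ' ')
    [ -z "$keys" ] || { echo "BLOCKED $f: unsealed Secret keys: $keys" >&2; rc=1; }
  done
  return "$rc"
}

# make_samples DIR writes two constructed manifests (ciphertext is a placeholder).
make_samples() {
  cat > "$1/secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: database
  namespace: default
data:
  DB_PASSWORD: cGFzc3dvcmQxMjM=
EOF
  cat > "$1/sealedsecret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: database
spec:
  encryptedData:
    DB_PASSWORD: CONSTRUCTED-PLACEHOLDER-CIPHERTEXT
EOF
}

d=$(mktemp -d) && make_samples "$d"   # demo run on the constructed samples
check_commit "$d"/*.yaml || echo "commit refused"
rm -rf "$d"
```

The report lists key names only and never decodes the values, so running the check does not print the secret to the terminal or to CI logs.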

