Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Warning

This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.

Managing Sensitive Data (Secrets)

Kubernetes provides native support for Secrets through its core functionality.

While Secret resources are designed to manage sensitive data, they are typically handled in API calls and manifests as base64-encoded data. This data is not encrypted and can be easily decoded to plaintext, which presents security risks. Typically, Kubernetes resource manifests are managed in git repositories using GitOps or Infrastructure as Code (IaC) practices in YAML format. However, since Secret data can be easily decoded to plaintext, storing it directly in a git repository is inappropriate.

PFCP addresses this limitation by offering SealedSecret, a mechanism for encrypting sensitive data so that it can be managed alongside regular Kubernetes manifests using GitOps methods.

Overview

A SealedSecret is a resource containing encrypted sensitive data that can be stored in a git repository.

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    foo: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq..... # Encoded encrypted sensitive data

When this SealedSecret resource is applied to the cluster, it is decrypted using cluster-internal keys and transformed into a standard Secret resource.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: mynamespace
data:
  foo: YmFy # Base64-encoded "bar"

Creating a SealedSecret

To create a SealedSecret, you can use the kubeseal command. There are multiple installation methods for kubeseal; please refer to the sealed-secrets documentation. We recommend using releases maintained by Bitnami.

First, create a regular Kubernetes Secret and save it to a file. You can use the kubectl command for this:

echo -n secret-data | kubectl create secret generic mysecret \
    --dry-run=client \
    --from-file=secret-name=/dev/stdin \
    -o yaml >secret.yaml

This will generate a file with the following content:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  secret-name: c2VjcmV0LWRhdGE=

Next, use the kubeseal command to create a SealedSecret. kubeseal retrieves the public key (certificate) from the sealed-secrets controller running in your cluster, encrypts the Secret using this public key, and outputs the SealedSecret.

kubeseal \
    --controller-namespace sealed-secrets-org-<organization-name> \
    -f secret.yaml \
    -o yaml > sealedsecret.yaml

This will generate a file with the following content:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    secret-name: "AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq....."

You can now store this sealedsecret.yaml file in your git repository.

Note

The secret.yaml file contains unencrypted sensitive data and should never be stored in a git repository.

git add sealedsecret.yaml
git commit -m "add new secret"

When applying the SealedSecret to your cluster, it will be automatically decrypted by the cluster and can be used just like a regular Kubernetes Secret. For detailed information, please refer to the Kubernetes documentation.

Managing Public and Private Keys

The key pair (public and private keys) used for encrypting and decrypting sensitive data is organization-specific and is primarily managed by PFCP. Users do not need to manage these keys themselves. The public and private keys are automatically rotated at regular intervals. Rest assured that the private key exists only within the cluster.