HighSkill

Managing Secrets in Kubernetes with Sealed Secrets

Managing Secrets in Kubernetes with Sealed Secrets

Managing Secrets with 'Sealed Secrets' in a Kubernetes Cluster

Kubernetes is the de facto platform for deploying, scaling, and managing containerized applications. But as your cluster grows, managing secrets — like API keys, passwords, and tokens — becomes crucial. This is where 'Sealed Secrets' comes into play. In this post, we’ll explore how to manage your secrets securely using 'Sealed Secrets' in a Kubernetes cluster.

Why Manage Secrets?

Managing secrets is vital for:

  • Security: Protect sensitive data from unauthorized access.
  • Compliance: Ensure that your application meets regulatory standards.
  • Maintainability: Keep secrets organized and easily accessible to the right components.

What Are Sealed Secrets?

Sealed Secrets is a tool created by Bitnami that leverages the power of Kubernetes. It allows you to manage your secrets in a secure manner, ensuring they are version-controlled and encrypted. The SealedSecrets custom resource is encrypted using a key pair unique to the cluster.

How Sealed Secrets Works

Sealed Secrets uses asymmetric encryption:

  1. Encryption: A public key is used to encrypt the secret.
  2. Decryption: The corresponding private key is used to decrypt the secret within the Kubernetes cluster.

Once encrypted, the secrets can be safely stored in version control and managed alongside your other Kubernetes resources. It adds an extra layer of security while simplifying secret management.

Setting Up Sealed Secrets

1. Install Kubeseal

Kubeseal is a CLI tool that you'll use to create Sealed Secrets. Install it by running:

brew install kubeseal

2. Deploy SealedSecrets Controller

Deploy the SealedSecrets controller into your Kubernetes cluster. Use the following command:

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/controller.yaml

3. Encrypting Secrets

To create a SealedSecret, you first need a regular Kubernetes Secret. Here's an example secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

Use kubeseal to encrypt the secret:

kubectl create -f secret.yaml --dry-run=client -o json | kubeseal --format yaml > sealedsecret.yaml

Now, sealedsecret.yaml contains the encrypted secret.

Working with Sealed Secrets

1. Apply Sealed Secrets

Apply the SealedSecret to your cluster:

kubectl apply -f sealedsecret.yaml

Once applied, the controller automatically decrypts it and creates the original Secret.

2. Updating Sealed Secrets

To update a SealedSecret, you have to update the original Secret, re-run the kubeseal command, and apply the new SealedSecret.

3. View the Sealed Secret

To view your SealedSecret in Kubernetes, use:

kubectl get sealedsecret my-secret -o yaml

This will display the encrypted data.

Best Practices

1. Store Sealed Secrets in Version Control

Since Sealed Secrets are encrypted, you can safely store them in your version control system. This ensures your secrets are versioned and can easily be rolled back if necessary.

git add sealedsecret.yaml
git commit -m "Add sealed secret"
git push origin main

2. Namespace Separation

For granular access control, manage Sealed Secrets in namespaces:

metadata:
  name: my-secret
  namespace: prod

3. Rotate Secrets Regularly

Rotate your secrets regularly to minimize risk in case of a leaked key.

4. Use RBAC

Implement strict Role-Based Access Control (RBAC) policies to ensure that only authorized entities can access and manage secrets.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prod
  name: secret-manager
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "delete"]

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-manager-binding
  namespace: prod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-manager
subjects:
- kind: User
  name: "[email protected]"

Challenges and Solutions

1. Key Management

Ensure proper management of the key pairs. Rotate keys regularly and store them securely.

2. Complexity

Encryption and decryption add to the complexity. Use scripts to automate common tasks and reduce human error.

3. Access Control

Implement strict access controls to manage who can encrypt/decrypt secrets.

Conclusion

Sealed Secrets offers a secure, efficient way to manage secrets in your Kubernetes cluster. By encrypting your secrets and safely storing them in version control, you enhance both security and maintainability. Implement these practices and your cluster will be secure and manageable.

Got any questions about Sealed Secrets? Leave a comment below or share this post on social media to spread the knowledge!

Additional Resources

By managing secrets more effectively, you're not just securing your applications; you're also ensuring a smoother, more reliable deployment process. Happy coding!

SHARE