This document summarizes a presentation on Sealed Secrets in Kubernetes. Sealed Secrets allow sensitive information like passwords or tokens to be encrypted when stored in a public repository. The presentation covers: 1. What Sealed Secrets are and why they are used to securely store secrets in public repositories. 2. The components of Sealed Secrets including the controller, kubeseal CLI tool, and Sealed Secret custom resource. 3. How Sealed Secrets work by encrypting secret values with a public key from the controller and decrypting with the private key when applied to a Kubernetes cluster.

1. Presented By:
Vidushi Bansal
(Devops Studio)
Sealed Secrets

2. Lack of etiquette and manners is a huge turn off.
KnolX Etiquettes
Punctuality
Respect Knolx session timings, you
are requested not to join sessions
after a 5 minutes threshold post
the session start time.
Feedback
Make sure to submit a constructive
feedback for all sessions as it is
very helpful for the presenter.
Silent Mode
Keep your mobile devices in silent
mode, feel free to move out of
session in case you need to attend
an urgent call.
Avoid Disturbance
Avoid unwanted chit chat during
the session.

3. Our Agenda
01 What are sealed secrets?
02 Why to use sealed secrets?
03 Components of sealed secrets
04 How it works?
05 Demo

4. Prerequisites

5. Kubernetes is an open source container orchestration
engine for automating deployment, scaling, and
management of containerized applications. The open
source project is hosted by the Cloud Native Computing
Foundation. Kubernetes is a portable, extensible, open
source platform for managing containerized workloads
and services, that facilitates both declarative
configuration and automation. It has a large, rapidly
growing ecosystem. Kubernetes services, support, and
tools are widely available.
NODE
Kubernetes

6. A Secret is a resource that manages the deployment of
sensitive information, such as passwords, OAuth tokens,
and SSH keys.
It is suggested to store the sensitive information as a
secret resource rather than having it imbibed in an
environment variable.
Secrets can be mounted as data volumes or exposed as
environment variables to the containers in a Kubernetes
Pod.
Secrets in k8s are stored in a centralized repository
named etcd in a base64 encoded format
NODE
Secrets in Kubernetes

7. The data in a Secret is obfuscated by using merely
Base64 encoding. This encoding method does not
encrypt the data within it.
Storing such files in a Git repository is extremely
insecure as it is trivial to decode the Base64-encoded
data. Often developers accidentally check these files into
their Git repositories, thus exposing sensitive
information—such as credentials—to their production
databases.
Applications may also tend to expose the secrets in audit
logs and monitoring systems.
Problems with Secrets in Kubernetes

8. We can follow these steps to safely use the secrets in
kubernetes:
1. Enable Encryption at Rest
2. Enable or configure RBAC rules to restrict access to
the secrets in a cluster
3. Restrict Secret access to specific containers, or the
containers that requires access to the secret to
perform their operations.
4. Consider using external Secret store providers
Suggestions for secret management

9. GitOps is an approach in which a Git repository is
designated as the single source of truth for deployment
artifacts, such as YAML files, that provide a declarative way
to describe the cluster state.
With GitOps, organizations can manage their entire
infrastructure and application development lifecycle using a
single, unified tool. This allows for greater collaboration and
coordination between teams and results in fewer errors and
faster problem resolution. In addition, GitOps enables
organizations to take advantage of the latest DevOps
practices and tools, such as containerization and
microservices.
Gitops
Configuration
Files
Secrets
Source Code
CI/CD Deployment executing real
time changes

10. What are Sealed
Secrets?

11. Sealed Secrets are a "one-way" encrypted Secret that can be
created by anyone, but can only be decrypted by the controller
running in the target cluster. The Sealed Secret is safe to
share publicly, upload to git repositories. Once the Sealed
Secret is safely uploaded to the target Kubernetes cluster, the
sealed secrets controller will decrypt it and recover the original
Secret.
What are sealed secrets?
Sensitive Information Sealed via sealed
secrets
Controller has a
private key to
decrypt the secret
Secret is decrypted

12. Why to use Sealed
Secrets?

13. We cannot store sensitive information like passwords or secret
tokens in a public repository.
Secrets are stored in a non-encrypted format (base64
encoding) in the etcd datastore.
This introduces the challenge of safely storing Secret manifests
in repositories privately or publicly.
Because of the nature of Kubernetes Secrets, this is a huge
risk because the original sensitive credentials and values can
easily be derived from the base64 encoding format.
Why to use sealed secrets?
vidushi dmlkdXNoaQo=

14. Components of
Sealed Secrets

15. Sealed secrets comprises of these three components for its functionality:
1. A controller deployed to the cluster
2. A CLI tool called kubeseal
3. A customer resource definition called Sealed Secret
Controller: It is responsible for managing the sealed secret deployment. The primary task
for the controller is to manage the private and public keys for encryption and decryption
purposes.
Kubeseal: It is a CLI tool that creates a CRD for sealed secrets from a secret. It
communicates with the controller and retrieve the public key needed for encrypting the
secrets.
CRD: It is a custom resource definition that we can apply in our kubernetes cluster to create
a secret.
Components of Sealed Secrets
Sealed
Secrets
Controller
Kubeseal
client
Sealed Secret CRD

16. How to use Sealed
Secrets?

17. The controller generates a 4096-bit RSA key pair. The private key is stored in
the form of secret where as the public key is made public to encrypt the
secret.
Kubeseal uses this public key from the controller to seal the secret values.
The value is symmetrically encrypted using AES-256 with a randomly
generated session key.
The session key is asymmetrically encrypted with the controller’s public key
using SHA256.
Kubeseal creates a CRD for sealed secret that can be safely pushed to the
repository.
When the CRD Is applied in the cluster, controller unseals it using the private
key and creates a secret resource in the defined namespace.
How to use sealed secrets?
Sealed
Secrets
Controller
Public Key
Private Key
Applied to K8s
cluster
Decrypts the
sealed secret
using private key
Creates a secret
resource
MANIFEST

18. DEMO

19. Thank You !
Get in touch with us:
vidushi.bansal@knoldus.com