Kubernetes Secrets
What do they look like?
Kubernetes Secrets are native Resource Definitions designed to hold secret data.
But they are not encrypted: they need to be ready to be consumed by Pods.

Kubernetes Secrets
Types

Secret Type                            Use case
Opaque                                 Arbitrary user-defined secrets, as in previous example.
kubernetes.io/service-account-token    ServiceAccount token
kubernetes.io/dockercfg                Serialized ~/.dockercfg file
kubernetes.io/dockerconfigjson         Serialized ~/.docker/config.json file
kubernetes.io/basic-auth               Credentials for basic authentication
kubernetes.io/ssh-auth                 Credentials for SSH authentication
kubernetes.io/tls                      Data for a TLS client or server
bootstrap.kubernetes.io/token          Bootstrap token data

Bitnami is a Catalog of Free Open-Source Software
15+ years building and maintaining software packages
Over 180 applications, components, frameworks, templates, and more, including…
Any Environment: Local, Cloud, Data Center
Any Format: Virtual Machines, Containers, Deployment Templates
Any Platform

Sealed Secrets as an OSS project
Main features

Sealed Secrets: Simple, safe & popular GitOps flow for secrets with 3 components:
Kubeseal - CLI tool: the Sealed Secrets CLI (kubeseal) seals Kubernetes Secrets.
Kubernetes controller: the Sealed Secrets controller unseals Sealed Secrets into their equivalent Kubernetes Secrets.
Code repository: Sealed Secrets can be stored safely in the code repository, next to the rest of the deployment configuration.

Sealed Secrets as an OSS project
Key metrics

7K GitHub stars
200M monthly downloads in DockerHub
+10K OSS projects using Sealed Secrets
902 Pull Requests
461 solved issues

Sealed Secrets as an OSS project
More metrics

Sealed Secrets is downloaded 100 times more often than other key applications in the security ecosystem.

Secret management best practices
General advice

Rotate Secrets: Remember to rotate your secrets often, so there is no need to worry about re-sealing them.
Least privilege: Follow the least privilege principle on secret access to reduce the blast radius.
Don't leak your keys: The less you share or copy them around, the better.

Key Management
Under the hood

Diagram: kubeseal ${SECRET} produces a Sealed Secret, which is stored in Git. Inside the Kubernetes cluster, the sealed-secrets controller creates the TLS sealing Secret (the key pair) and keeps the older TLS sealing Secrets; they live in etcd. The certificate / public key is what kubeseal uses to seal.
● Key pairs are plain TLS secrets named sealed-secrets-...
○ They are managed by Sealed Secrets so you don't need to.

Advanced features
Use as needed

Sometimes, defaults don't cut it or something doesn't go as planned.

Compromised unseal key: You must move the controller to a new sealing keypair. Then rotate your secrets, as they are also compromised.
Taking over secrets: You can annotate Sealed Secrets to take control of existing Secrets.
Updating secrets: kubeseal allows you to update or append Sealed Secret keys.
Offline certs: By default kubeseal uses the latest cluster sealing certificate for you. But you can set a certificate to be used offline, if you really need to.

Advanced features
Use with caution!

It might be difficult to realize how simple and safe the basic flow is… …until you compare it with other flows enabled by advanced features or options.

Scoping: Secrets are sealed for a particular Secret name and namespace by default. Relaxing scoping means cluster neighbours can take a peek.
Re-sealing: Sealing keys are renewed every 30 days by default, but old keys are kept. You can reseal the same secret again with the newer sealing key, if needed. Still, why would you need it if you were rotating your secrets as you should?
Sealing keys are just secrets: You can manage them on the side, but should you?

Beyond Sealed Secrets
Parting words

Standalone Sealed Secrets are good, with GitOps friends they're even better!
The best practice with Sealed Secrets is to stick to its default flow.
Favour simple approaches.
Automate everything.

Diagram of the default flow: kubeseal ${SECRET} → Sealed Secret → Git → kubectl apply → kube-apiserver → Sealed Secret in the Kubernetes cluster (etcd node); the sealed-secrets controller detects Sealed Secrets and decrypts them into Secrets.