Quick Definition (30–60 words)
Sealed Secrets is a cryptographic pattern and tooling for encrypting Kubernetes Secret manifests so they can be safely stored in Git and deployed via GitOps. Analogy: like sealing a letter in tamper-evident wax so anyone can store it but only the recipient can read it. Formally: asymmetric encryption of secret objects with a controller that decrypts into cluster-native Secrets.
What is Sealed Secrets?
Sealed Secrets is a Git-friendly approach to managing secrets for cloud-native applications, most commonly implemented by the Kubernetes Sealed Secrets controller. It is NOT a general-purpose secret vault or a secret rotation system by itself. Instead, it provides an encrypted representation of Kubernetes Secret manifests (a “sealed secret”) that can be committed to version control without exposing plaintext.
Key properties and constraints:
- Asymmetric encryption: clients use a public key to create sealed payloads; only the controller with the private key can decrypt.
- GitOps friendly: encrypted objects are safe to store in Git and can be reconciled by standard GitOps tools.
- Cluster-scoped or namespace-scoped keys: behavior varies by implementation; some installations support per-cluster keys.
- No built-in rotation orchestration: rotation requires re-sealing or operator support.
- Secrets become Kubernetes Secret resources after unsealing; lifecycle thereafter follows Kubernetes semantics.
- Not a replacement for secret management systems needing dynamic credentials, short-lived tokens, or full lifecycle policies.
Where it fits in modern cloud/SRE workflows:
- Source-of-truth: allows Git to remain the canonical store for application manifests, including secrets, while keeping them encrypted.
- CI/CD: CI pipelines can seal secrets using the public key, enabling automated deployments without exposing secrets.
- Multi-cluster operations: supports storing sealed manifests centrally and distributing them to clusters that hold the private key.
- Security boundary: reduces risk of accidental leakage from repos but requires secure private key handling and rotations.
Diagram description (text-only):
- Developer creates plaintext secret on laptop -> Uses cluster public key to encrypt -> Commits sealed secret YAML to Git -> GitOps system syncs to cluster -> Sealed Secrets controller detects sealed object -> Controller decrypts with cluster private key -> Controller creates/upserts Kubernetes Secret in target namespace -> Application reads Secret.
Sealed Secrets in one sentence
Sealed Secrets lets you safely store encrypted Kubernetes Secret manifests in Git and have a controller unseal them into cluster-native Secrets using a private key only the cluster holds.
Sealed Secrets vs related terms (TABLE REQUIRED)
| ID | Term | How it differs from Sealed Secrets | Common confusion |
|---|---|---|---|
| T1 | Secret_manager | Centralized runtime secret store, not Git-native | Confused as replacement for vault |
| T2 | KMS | Key storage and cryptographic primitives, not Git objects | People expect automatic sealing |
| T3 | Vault | Dynamic secrets and leasing, not static sealed YAML | Confused about rotation features |
| T4 | Sops | File encryption tool, can target many formats | People think it’s the same workflow |
| T5 | GitCrypt | Repo-level encryption, not per-secret Kubernetes aware | Assumed equivalent to per-object sealing |
| T6 | Helm secrets | Template-layer secret handling, not strong asymmetric model | Mistaken for cluster unseal workflow |
| T7 | ExternalSecrets | Pulls from external stores, not Git-first | Confused with sealed-secrets push model |
| T8 | Kustomize secretGenerator | Generates secrets at build time, plaintext risk | Misused as a secure alternative |
| T9 | SealedSecretsController | The controller that unseals, sometimes conflated with the pattern | People use name interchangeably with project |
Row Details
- T1: Secret_manager refers to cloud secret stores that serve runtime apps via APIs. They offer rotation and access controls; Sealed Secrets stores encrypted YAML in Git and provides no runtime API.
- T2: KMS often stores keys used by sealing tools; Sealed Secrets uses asymmetric keys but depends on KMS for HSM-backed storage if integrated.
- T3: Vault manages dynamic credentials and leases; Sealed Secrets provides static secret delivery—rotation requires additional processes.
- T4: Sops encrypts files using multiple key backends; Sealed Secrets produces Kubernetes-specific sealed objects and includes a runtime unsealer.
- T7: ExternalSecrets pulls secrets from vault-like systems at runtime; Sealed Secrets unseals into Kubernetes Secrets in-cluster.
Why does Sealed Secrets matter?
Business impact:
- Reduces exposure risk of secrets in code repositories, lowering fraud or breach probabilities that could impact revenue and trust.
- Helps maintain compliance posture by enabling auditable commit histories without plaintext secrets.
Engineering impact:
- Decreases manual secret propagation toil and the number of emergency secret rotations due to accidental commits.
- Enables faster CI/CD pipelines because secrets can be sealed and stored with manifests, improving deployment velocity.
SRE framing:
- SLIs/SLOs: availability of secrets as a dependency for app start is critical; mismanaged sealed secrets can lead to incidents.
- Error budgets: secret-related incidents should be tracked and consumed against the platform’s error budget.
- Toil reduction: automating sealing and key management reduces repetitive tasks and on-call interrupts.
- On-call: operators must own the private key and rotation processes; incidents may require key recovery procedures.
Realistic production break examples:
- Private key lost or corrupted -> No new Secrets can be created; deploys fail.
- Sealed manifests committed with wrong namespace -> Controller unseals into wrong namespace causing config drift.
- Sealed object malformed by CI -> Controller rejects it, causing failed rollouts.
- Stale sealed secrets after secret rotation in external systems -> Services use old credentials and start failing authentication.
- Excessive access to controller private key stored insecurely -> Wide blast radius from compromised cluster key.
Where is Sealed Secrets used? (TABLE REQUIRED)
| ID | Layer/Area | How Sealed Secrets appears | Typical telemetry | Common tools |
|---|---|---|---|---|
| L1 | Edge | Sealed TLS keys for ingress proxies | Ingress error rates, TLS handshake fails | nginx, envoy, cert-manager |
| L2 | Network | Sealed certs for mutual TLS between services | mTLS failures, auth errors | Istio, Linkerd |
| L3 | Service | App credentials stored as Kubernetes Secrets | Pod start failures, auth errors | Kubernetes, Helm |
| L4 | Application | Config values encrypted in manifests | Config mismatch alerts, rollout fails | GitOps tools, Kustomize |
| L5 | Data | DB credentials sealed in Git | DB connection errors, query failures | Postgres, MySQL operators |
| L6 | Cloud infra | Sealed keys for cloud API access in infra manifests | API auth failures, failed infra tasks | Terraform, Crossplane |
| L7 | CI/CD | Sealed secrets used in pipelines for deployment | Pipeline job failures, secret inject errors | GitHub Actions, Jenkins |
| L8 | Serverless | Encrypted env vars for managed functions | Function auth failures, cold-start errors | Managed PaaS, FaaS platforms |
| L9 | Observability | API tokens for monitoring agents sealed | Telemetry gaps, missing metrics | Prometheus, Datadog |
| L10 | Security | Keys for security tooling stored sealed | Alerting failures, signature errors | Scanners, policy engines |
Row Details
- L1: Edge TLS keys are sealed so ingress controllers obtain plaintext only in-cluster; rotation must manage certificate lifetimes.
- L6: When using infra-as-code, sealed secrets can store provider credentials; consider least privilege and ephemeral tokens.
- L8: For serverless, managed PaaS may not run a Sealed Secrets controller; pattern varies — sometimes use CI to inject env vars during deployment.
When should you use Sealed Secrets?
When it’s necessary:
- You want Git to be the single source of truth for both manifests and secrets.
- Teams rely on GitOps workflows and need encrypted secrets committable to repositories.
- Offline or air-gapped clusters that cannot reach external vaults require in-repo secret distribution.
When it’s optional:
- Small teams with centralized secret stores and short-lived access patterns may prefer a vault or KMS.
- When you already have robust dynamic secret management and retrieval at runtime.
When NOT to use / overuse it:
- Not ideal for high-frequency rotation or dynamic credentials that must be short-lived.
- Avoid using Sealed Secrets as the only security boundary—do not assume it replaces runtime access controls or audit trails.
- Do not use for secrets that require immediate revocation across many clusters without an automated rotate-and-deploy mechanism.
Decision checklist:
- If you use GitOps and need encrypted manifests -> Use Sealed Secrets.
- If you need dynamic secrets with leases and rotation -> Use a dedicated secret manager or ExternalSecrets.
- If clusters are managed and private keys cannot be secured -> Reconsider or build additional key management.
Maturity ladder:
- Beginner: Manually seal secrets with the cluster public key and commit to Git. Basic controller deployment, single cluster.
- Intermediate: CI seals secrets; multi-team repos with namespace scoping and documented rotation process.
- Advanced: Automated key rotation, HSM/KMS-backed private key storage, multi-cluster orchestration, audit pipelines, and integration with policy engines.
How does Sealed Secrets work?
Components and workflow:
- Public/private keypair: Generated and managed by the controller; public key exported for sealing clients.
- Sealing client: CLI or library that takes plaintext Secret YAML and produces a sealed object.
- Git: Sealed objects are stored as regular YAML files.
- GitOps / Sync: Repo committed changes are synced into the cluster.
- Controller: Detects sealed resources, decrypts them with private key, and creates/upserts native Kubernetes Secrets.
- Access controls: Kubernetes RBAC governs who can access resulting Secrets.
- Rotation: Requires re-sealing or private key rotation; behavior varies by controller.
Data flow and lifecycle:
- Author creates plaintext secret -> Sealer uses public key -> Encrypted sealed secret stored in Git -> Controller unseals -> Kubernetes Secret created -> Application uses secret -> Secret lifecycle is managed by Kubernetes.
Edge cases and failure modes:
- Controller private key compromise: All sealed objects can be decrypted.
- Public key mismatch: Clients seal with wrong public key; controller fails to decrypt.
- Deleted private key: New sealed secrets cannot be unsealed; existing Secrets remain if not deleted.
- Large secret sizes or binary data: Some implementations have size limits or encoding overhead.
Typical architecture patterns for Sealed Secrets
- Single-cluster GitOps: One repo per cluster with sealed secrets encrypted with that cluster’s public key. Use when clusters are isolated and ownership is per-cluster.
- Central repo, per-cluster keys: Centralized manifests sealed multiple times or using multiple keys; useful for multi-cluster deployments with separate private keys.
- CI-sealed pipeline: CI pipeline has public key and seals secrets automatically during build; good when non-developers inject secrets via UI or pipeline.
- KMS-backed private key: Controller uses KMS/HSM to store private key; improves security posture for large orgs.
- Hybrid: Use Sealed Secrets for static credentials and ExternalSecrets/Vault for dynamic runtime credentials.
Failure modes & mitigation (TABLE REQUIRED)
| ID | Failure mode | Symptom | Likely cause | Mitigation | Observability signal |
|---|---|---|---|---|---|
| F1 | Controller key loss | New secrets fail to unseal | Private key deleted or rotated improperly | Restore key from backup or re-seal secrets | Seal/unseal errors in controller logs |
| F2 | Key compromise | Unauthorized decryption of sealed YAML | Private key exfiltrated | Rotate key and re-seal, revoke compromised resources | Unexpected reads of private key store |
| F3 | Wrong public key | Seal fails or unseal errors | Client used wrong public key | Provide correct key, re-seal artifacts | Mismatch error in controller events |
| F4 | Malformed sealed YAML | Controller rejects resource | CI or editor corrupted file | Fix file format, validate schema before commit | Admission or controller rejection events |
| F5 | RBAC leak | Apps read secrets they shouldn’t | Over-permissive roles | Tighten RBAC, use namespaces and policies | Audit logs show unexpected secret reads |
| F6 | Large secret size | Failures storing or unsealing | Size limits or base64 issues | Chunk or compress secrets, test limits | Resource rejections and quota alerts |
| F7 | Secret drift | Deployed secret differs from intended | Manual edits in cluster or sync issues | Enforce GitOps reconciliation, block manual edits | Drift alerts from reconcilers |
Row Details
- F1: Backup strategy should include exporting private key and storing in secure KMS or offline vault; test key restoration regularly.
- F2: Key rotation must include re-sealing of all active secrets and coordinated deploys to avoid downtime.
- F5: Regular audits of RBAC and use of policy tools reduce lateral access to Secrets.
Key Concepts, Keywords & Terminology for Sealed Secrets
(This glossary includes 40+ terms. Each term is followed by a 1–2 line definition, why it matters, and a common pitfall.)
- Sealed Secret — Encrypted Kubernetes Secret manifest created using a public key — Enables Git storage of secrets — Pitfall: assuming it’s runtime vault.
- Sealed Secrets Controller — In-cluster component that decrypts sealed objects — Responsible for unsealing — Pitfall: single point of failure if key mismanaged.
- Public key — Key used to encrypt sealed secrets — Distributed to clients — Pitfall: mismatch with controller key.
- Private key — Only key that can decrypt sealed objects — Must be securely stored — Pitfall: loss blocks unseal operations.
- GitOps — Workflow where Git is the source of truth — Integrates with sealed secrets for manifests — Pitfall: storing plaintext accidentally.
- Kubernetes Secret — Native Kubernetes object for sensitive data — Target of unsealing — Pitfall: accidental broad RBAC access.
- Asymmetric encryption — Encryption using keypair — Enables public sealing — Pitfall: complexity in rotation.
- Symmetric encryption — Single shared key encryption — Less common for sealed secrets — Pitfall: key distribution problems.
- Key rotation — Process of replacing keys securely — Reduces long-term risk — Pitfall: incomplete re-sealing.
- HSM — Hardware security module for key protection — Improves key security — Pitfall: cost and integration effort.
- KMS — Cloud key management service — Can back private key storage — Pitfall: availability dependencies.
- CI sealing — Automating sealing step in CI pipelines — Prevents manual mistakes — Pitfall: CI needs access to public key and secret inputs.
- Git repo — Storage for sealed YAMLs — Central to GitOps — Pitfall: inadequate repo access controls.
- Namespace scoping — Limiting unseal to a namespace — Improves isolation — Pitfall: mis-scoped sealed secret lands wrong place.
- Multi-cluster keys — Different clusters use different private keys — Limits blast radius — Pitfall: operational complexity.
- Re-sealing — Creating a new sealed object with a new key — Needed during rotation — Pitfall: forgetting to deploy re-sealed objects.
- Audit logs — Logs showing secret lifecycle events — Critical for compliance — Pitfall: secrets may be present in logs if misconfigured.
- RBAC — Kubernetes role-based access control — Controls who reads secrets — Pitfall: overly permissive roles.
- Admission controller — Kubernetes hook for validating objects — Can reject improper sealed secrets — Pitfall: misconfiguration blocks deploys.
- Git commit history — Tracks changes including sealed YAMLs — Useful for auditing — Pitfall: assumes sealed data is safe forever.
- Secret-binding — Association between sealed secret and resulting Secret — Impacts lifecycle — Pitfall: misnaming breaks binding.
- Secret rotation automation — Scripts or controllers to rotate secrets — Reduces downtime — Pitfall: race conditions during swap.
- Immutable secrets — Marking Secrets immutable in Kubernetes — Prevents accidental updates — Pitfall: blocks intended updates.
- Secret leak — Exposure of plaintext secret — Primary risk being mitigated — Pitfall: assuming sealed solves all leaks.
- Drift detection — Detecting divergence between Git and cluster state — Ensures consistency — Pitfall: ignoring reconciler alerts.
- Controller health — Readiness/liveness of sealed-secret controller — Critical SRE metric — Pitfall: no alerting on controller failure.
- Backup and restore — Exporting keys and objects for recovery — Essential for disaster recovery — Pitfall: insecure backup storage.
- Secret lifecycle — Creation, rotation, deletion of secrets — Needs orchestration — Pitfall: orphaned Secrets remain after decommission.
- Encrypted YAML — File format storing sealed data — Git-friendly — Pitfall: editors can corrupt encoding.
- Policy as code — Enforcing secret rules in CI or admission controllers — Prevents misuse — Pitfall: overly restrictive rules.
- ExternalSecrets — Pattern to sync runtime secrets from vaults — Alternative to sealed technique — Pitfall: mixing patterns without coordination.
- SOPS — Encryption tool for files with multiple backends — Alternative for file encryption — Pitfall: different workflow expectations.
- Helm Secrets — Plugin strategy for encrypting Helm values — Overlaps but not identical — Pitfall: expecting controller unseal.
- Secret size limit — Practical limit for secret payloads — Affects large certs or bundles — Pitfall: failing large binary secrets.
- Binary secrets — Non-text data handled via base64 — Must be validated — Pitfall: encoding errors.
- Encryption algorithm — Underlying cipher used by sealed secrets — Determines security level — Pitfall: using deprecated ciphers.
- Minimal privilege — Principle applied to key and secret access — Reduces blast radius — Pitfall: unclear ownership.
- Secret sync lag — Delay between commit and unseal -> Secret creation — Affects deployments — Pitfall: long reconciliation times.
- Cross-namespace secrets — Secrets intended to be used across namespaces — Requires design — Pitfall: violating isolation.
- Operational playbook — Runbook for secret incidents — Improves response time — Pitfall: stale or untested playbooks.
- Secret validation — CI or admission step to check sealed YAMLs — Prevents malformed commits — Pitfall: missing validations.
- Encryption metadata — Additional info stored in sealed object — Important for decryption logic — Pitfall: metadata corruption.
- Service account access — Pods need rights to read Secrets — Key access vector — Pitfall: leaked service account tokens.
How to Measure Sealed Secrets (Metrics, SLIs, SLOs) (TABLE REQUIRED)
This section recommends practical SLIs, how to compute them, and starting SLO guidance.
| ID | Metric/SLI | What it tells you | How to measure | Starting target | Gotchas |
|---|---|---|---|---|---|
| M1 | Seal-to-deploy latency | Time from sealed commit to Secret available | Time between Git commit and Secret creation event | < 5 minutes | See details below: M1 |
| M2 | Unseal success rate | Percentage of sealed objects successfully unsealed | Successful unseal count / total sealed objects | 99.9% per month | — |
| M3 | Controller availability | Controller uptime | Pod readiness and liveness metrics | 99.95% monthly | — |
| M4 | Key restoration time | Time to restore private key from backup | Time from incident to key restore | < 4 hours | See details below: M4 |
| M5 | Secret error rate | Errors during unsealing or secret creation | Error logs / events per minute | < 0.1% requests | — |
| M6 | Secret drift incidents | Number of drift events detected | Reconcilers reporting manual edits | 0 or near-zero | — |
| M7 | Unauthorized secret reads | Suspicious access attempts | Audit logs for secret reads by unexpected principals | 0 per month | See details below: M7 |
| M8 | Re-seal coverage | Percent of active secrets re-sealed after key rotation | Re-sealed secrets / impacted secrets | 100% within window | — |
| M9 | CI seal failures | CI jobs failing to seal | CI job failure rates for sealing steps | < 1% | — |
| M10 | Secrets size distribution | Helps spot large secrets | Histogram of Secret sizes | N/A baseline per team | — |
Row Details
- M1: Compute by capturing Git commit timestamp and the Kubernetes Secret creation event timestamp. Instrument GitOps reconciler and controller events. Measure per-repo and per-cluster.
- M4: Document backup/restore procedures and time each step in drills to produce an empirical target.
- M7: Map normal readers for Secrets; anomalous reads might indicate compromise or misconfigured RBAC.
Best tools to measure Sealed Secrets
Use the exact structure for each tool.
Tool — Prometheus + Grafana
- What it measures for Sealed Secrets: Controller metrics, unseal durations, error counters, pod health.
- Best-fit environment: Kubernetes clusters with Prometheus operator.
- Setup outline:
- Expose controller Prometheus metrics endpoint.
- Configure Prometheus scrape targets.
- Build Grafana dashboards from metrics.
- Add alerts via Alertmanager.
- Strengths:
- Flexible query and dashboarding.
- Wide adoption in Kubernetes ecosystems.
- Limitations:
- Requires instrumenting the controller.
- Alert tuning and alert fatigue.
Tool — Loki / Fluentd logging stack
- What it measures for Sealed Secrets: Controller and reconciler logs for errors and events.
- Best-fit environment: Centralized logging in Kubernetes.
- Setup outline:
- Route controller logs to centralized store.
- Parse for unseal errors and key events.
- Create alerts for error spikes.
- Strengths:
- Good for troubleshooting.
- Retains historical logs for postmortems.
- Limitations:
- Log volume and storage costs.
- Requires proper parsing and labels.
Tool — Cloud KMS / HSM telemetry
- What it measures for Sealed Secrets: Key access and lifecycle events when private key stored in KMS.
- Best-fit environment: Cloud provider clusters using KMS.
- Setup outline:
- Enable key audit logs.
- Monitor access, failed decrypts, and rotations.
- Integrate alerts for anomalous access.
- Strengths:
- Strong key protection and audit trail.
- Centralized key policies.
- Limitations:
- Varies by cloud provider and latency dependency.
Tool — GitOps reconciler metrics (ArgoCD/Flux)
- What it measures for Sealed Secrets: Time-to-sync, commit to cluster state and reconciliation errors.
- Best-fit environment: GitOps-driven deployments.
- Setup outline:
- Expose reconciler metrics to Prometheus.
- Track sync times and failures related to sealed secrets.
- Strengths:
- Direct visibility into commit-to-deploy workflow.
- Helps measure seal-to-deploy latency.
- Limitations:
- May need instrumentation to correlate with controller events.
Tool — Audit log analytics (ELK or cloud-native)
- What it measures for Sealed Secrets: Secret read/write operations and anomalous access patterns.
- Best-fit environment: Compliance-driven orgs needing forensic data.
- Setup outline:
- Route Kubernetes audit logs to analytics platform.
- Build queries for secret access patterns.
- Strengths:
- Good for security monitoring and compliance.
- Limitations:
- High data volume; requires tuning to avoid noise.
Recommended dashboards & alerts for Sealed Secrets
Executive dashboard:
- High-level metrics: controller availability, seal-to-deploy median latency, total sealed secrets, number of clusters with key issues.
- Why: provides leadership a quick view of platform health and business risk.
On-call dashboard:
- Panels: controller pod health, unseal error rate per namespace, recent failed unseal events, key rotation status, GitOps sync latency.
- Why: targeted for immediate troubleshooting and incident response.
Debug dashboard:
- Panels: raw controller logs, last 50 unseal events, per-secret latency timeline, per-cluster key status, CI seal job history.
- Why: helps engineers debug specific instances quickly.
Alerting guidance:
- Page vs ticket:
- Page (P1/P0) for controller unavailability affecting many deployments, private key compromise, or inability to unseal across cluster.
- Ticket for single sealed YAML failures or non-critical CI seal failures.
- Burn-rate guidance:
- If seal-to-deploy latency increases or unseal success rate drops in a short window, apply burn-rate thresholds analogous to SLO burn policy.
- Noise reduction tactics:
- Group similar unseal errors into one alert, dedupe by resource, suppress transient CI job flakiness, and use alert deduplication by reconciler ID.
Implementation Guide (Step-by-step)
1) Prerequisites – Kubernetes cluster with RBAC and audit logs enabled. – GitOps workflow or CI/CD pipeline in place. – Backup solution and KMS/HSM if using KMS-backed private key. – Team ownership and documented runbooks.
2) Instrumentation plan – Expose controller metrics and instrument key events. – Enable Kubernetes audit logs for Secret access. – Instrument GitOps sync metrics and CI sealing steps.
3) Data collection – Centralize logs and metrics into observability stack. – Store key access logs in KMS or auditing system. – Collect CI sealing traces for failures and performance.
4) SLO design – Define SLOs from SLIs in the measurement table (e.g., unseal success rate 99.9%). – Decide error budget and escalation policy tied to SRE practices.
5) Dashboards – Build executive, on-call, and debug dashboards as described. – Add drill-down links from exec to on-call and debug dashboards.
6) Alerts & routing – Configure Alertmanager or equivalent for critical alerts. – Define paging and on-call rotation for platform owners. – Integrate alert routing with incident management.
7) Runbooks & automation – Create runbooks for key incidents: key loss, key compromise, controller failures. – Automate common tasks: re-sealing, re-deploying controller, restoring keys.
8) Validation (load/chaos/game days) – Run periodic drills to delete controller pods, rotate keys, and restore from backups. – Execute game days for secret rotation and rollback scenarios.
9) Continuous improvement – Track incidents, refine SLOs, and implement automation to reduce toil. – Weekly reviews of failed seal/unseal events and CI failure modes.
Checklists:
Pre-production checklist:
- Public key distribution validated.
- CI sealing steps tested with sample secrets.
- Dashboards configured for basic metrics.
- Backup for private key stored securely.
- Admission webhooks or validations in place.
Production readiness checklist:
- Controller HA configured and monitored.
- RBAC policies audited for least privilege.
- Key rotation and restore playbooks tested.
- Alerting thresholds validated via load tests.
- Audit logging and retention policies set.
Incident checklist specific to Sealed Secrets:
- Verify controller pod health and logs.
- Check private key presence and KMS status.
- Confirm GitOps reconciler is syncing sealed manifests.
- Look for recent commits that may have broken sealed YAMLs.
- If key compromise suspected, begin rotation and re-seal plan immediately.
Use Cases of Sealed Secrets
Provide 8–12 use cases with context, problem, why it helps, what to measure, typical tools.
-
Environment: Multi-tenant Kubernetes platform – Problem: Distributing tenant-specific DB passwords centrally while keeping Git as single source. – Why Sealed Secrets helps: Enables storing tenant credentials in the tenant repo encrypted per-cluster. – What to measure: Unseal success rate and unauthorized reads. – Typical tools: GitOps, Sealed Secrets controller, Prometheus.
-
Environment: CI/CD pipelines requiring deploy-time secrets – Problem: CI needs credentials to deploy but team can’t distribute plaintext. – Why Sealed Secrets helps: CI can seal secrets before committing without private key access. – What to measure: CI seal job failure rate and seal-to-deploy latency. – Typical tools: GitHub Actions, Sealed Secrets CLI.
-
Environment: Air-gapped cluster deployments – Problem: No external vault access for secret distribution. – Why Sealed Secrets helps: Encrypted YAML can be transferred via secure channels and unsealed only in-cluster. – What to measure: Key restoration time and unseal success. – Typical tools: Sealed Secrets, offline key backup.
-
Environment: Managing TLS certificates for ingress – Problem: Need to store TLS private keys safely in config repos. – Why Sealed Secrets helps: Sealed certs prevent exposure in Git while enabling automated deployments. – What to measure: TLS handshake errors and secret size issues. – Typical tools: Ingress controllers, Sealed Secrets.
-
Environment: SaaS multi-region deployments – Problem: Different clusters require region-specific API keys. – Why Sealed Secrets helps: Central repo can contain sealed variants per region or sealed with per-cluster keys. – What to measure: Number of mis-scoped secrets and deployment failures. – Typical tools: GitOps, per-cluster key management.
-
Environment: Bootstrap of developer environments – Problem: Developers need secrets in local clusters without copying production credentials. – Why Sealed Secrets helps: Dev secrets can be sealed with a dev key and stored in dev branch. – What to measure: Dev environment failures and seal misuse. – Typical tools: Local Kubernetes, Sealed Secrets CLI.
-
Environment: Operator-managed apps requiring credentials – Problem: Operators manage resources but need to provide secrets to CRDs safely. – Why Sealed Secrets helps: Operators can reference sealed secrets which the controller unseals. – What to measure: Operator reconcile failures and unseal errors. – Typical tools: Custom controllers, Sealed Secrets.
-
Environment: Regulatory compliance for code repositories – Problem: Need auditable code history without exposing secrets. – Why Sealed Secrets helps: Encrypted secrets in Git preserve commits while complying with controls. – What to measure: Audit log completeness and secret leak incidents. – Typical tools: Git providers, Sealed Secrets.
-
Environment: Disaster recovery manifests – Problem: Recovery manifests include credentials needed to restore services. – Why Sealed Secrets helps: Committed encrypted recovery manifests that can be transported and unsealed only in designated clusters. – What to measure: Key restore time and validation success. – Typical tools: Backup toolchain, Sealed Secrets.
-
Environment: Hybrid infra with Terraform and Kubernetes – Problem: Terraform and K8s manifests need shared creds safely represented. – Why Sealed Secrets helps: Kubernetes secrets managed via sealed YAML while Terraform uses other providers; integrate via CI. – What to measure: Cross-tool credential mismatch rates. – Typical tools: Terraform, GitOps, Sealed Secrets.
Scenario Examples (Realistic, End-to-End)
Scenario #1 — Kubernetes: Multi-namespace GitOps with per-namespace secrets
Context: Platform team runs a GitOps repo per environment with many namespaces for apps.
Goal: Store app credentials in repo without exposing plaintext and ensure correct namespace binding.
Why Sealed Secrets matters here: Enables encrypted manifests committable to the repo and unsealed only in the target namespace.
Architecture / workflow: Developers seal secrets with cluster public key, commit to app folder that maps to specific namespace, GitOps syncs, controller unseals and creates Secret in namespace.
Step-by-step implementation:
- Install Sealed Secrets controller in cluster with HA.
- Export public key for the cluster.
- Developers run seal CLI providing namespace metadata and create sealed YAML.
- Commit sealed YAML to Git under folder matching namespace.
- GitOps reconciler syncs; controller unseals and creates Secret.
- Application reads Secret via mounted volume or env var.
What to measure: Unseal success rate, namespace mis-scope incidents, seal-to-deploy latency.
Tools to use and why: Sealed Secrets CLI, ArgoCD/Flux, Prometheus for metrics.
Common pitfalls: Sealing with wrong namespace metadata, insufficient RBAC creating leakage.
Validation: Run a deploy with a sample sealed secret and validate Secret exists in correct namespace.
Outcome: Secrets are stored in Git safely and apps receive needed credentials without plaintext exposure.
Scenario #2 — Serverless / Managed-PaaS: Sealed Secrets for deployment env vars
Context: A team deploys serverless functions using a managed PaaS that reads Kubernetes Secret objects for configuration.
Goal: Keep env vars and API keys encrypted in source control while automating deploys.
Why Sealed Secrets matters here: Allows CI to commit sealed secrets that get unsealed in the target cluster and consumed by the serverless platform.
Architecture / workflow: CI seals env var values using public key; GitOps deploys; controller unseals and platform picks up the Secret for functions.
Step-by-step implementation:
- CI gathers env variables from secure input.
- Seal env secrets via public key in CI.
- Commit sealed YAML to repo and create PR for deployment.
- GitOps syncs and controller unseals.
- Managed platform binds Secrets to functions.
What to measure: CI seal failure rate, function auth errors, unseal latency.
Tools to use and why: Sealed Secrets, CI system, platform operator.
Common pitfalls: Managed PaaS may not support Secret formats expected; confirm integration.
Validation: Deploy test function and validate env values are present and correct.
Outcome: Encrypted env vars kept in Git and available for serverless workloads.
Scenario #3 — Incident-response / Postmortem: Private key compromise
Context: An operator detects suspicious access to cluster private key store.
Goal: Contain the incident, rotate keys, and ensure no service disruption.
Why Sealed Secrets matters here: Private key compromise undermines the confidentiality of sealed objects stored in multiple repos.
Architecture / workflow: Controller with KMS-backed key; revocation and rotation plan executed.
Step-by-step implementation:
- Identify scope via KMS audit logs and cluster audit logs.
- Initiate key rotation: generate new key, deploy controller with new key, export new public key.
- Re-seal all active secrets with new public key via automated scripts.
- Redeploy sealed YAMLs and validate unsealing and service auth.
- Investigate and update incident report and controls.
What to measure: Time to rotate and re-seal, number of secrets re-sealed, successful re-deploys.
Tools to use and why: KMS/HSM logs, CI/script automation, observability tools.
Common pitfalls: Missing a sealed object leads to service failures; need comprehensive inventory.
Validation: Run post-rotation checks to confirm all services authenticate successfully.
Outcome: Key rotated, repos re-sealed, and services restored with reduced risk.
Scenario #4 — Cost/Performance trade-off: Large certificate bundles stored as sealed secrets
Context: Platform stores many large certificate chains and private keys required by ingress controllers.
Goal: Optimize storage and performance while keeping certificates secure in Git.
Why Sealed Secrets matters here: Encrypted certs can be committed to Git but large sizes may impact controller and GitOps performance.
Architecture / workflow: Certificates sealed and stored; controller unseals into Secrets referenced by ingress controllers.
Step-by-step implementation:
- Audit certificate size and count.
- Decide policy: store full chains or references to external store.
- Test sealing and unsealing for large payloads.
- If necessary, chunk or compress certificates before sealing.
- Monitor reconciliation latency and Git repo size.
What to measure: Seal/unseal latency for large objects, Git repo growth, controller memory usage.
Tools to use and why: Sealed Secrets, compression tools, observability stack.
Common pitfalls: Exceeding controller payload limits and causing unseal failures.
Validation: Performance test with representative load; measure latency and memory.
Outcome: Balanced approach reducing repo bloat and preserving security.
Common Mistakes, Anti-patterns, and Troubleshooting
List of 20+ mistakes with symptom -> root cause -> fix.
- Symptom: Unseal errors in controller logs -> Root cause: Public key mismatch -> Fix: Distribute correct public key and re-seal objects.
- Symptom: New sealed secrets not unsealed -> Root cause: Private key missing or controller component down -> Fix: Restore private key or restart controller; check key mount.
- Symptom: Application failing auth after rotation -> Root cause: Secrets not re-sealed or re-deployed -> Fix: Re-seal secrets with new key and apply updates.
- Symptom: Secret read by unexpected pod -> Root cause: Overly broad RBAC or shared service account -> Fix: Restrict RBAC and use per-app service accounts.
- Symptom: CI job failing to seal -> Root cause: Missing or wrong public key in CI -> Fix: Verify key distribution and update CI secrets.
- Symptom: Large sealed objects rejected -> Root cause: Size limits or encoding errors -> Fix: Compress or chunk secrets, test encoding.
- Symptom: Frequent manual edits in cluster -> Root cause: Lack of GitOps enforcement -> Fix: Enforce reconciler to block manual changes and alert on drift.
- Symptom: Repo bloat with sealed files -> Root cause: Committing large or binary secrets repeatedly -> Fix: Use artifacts or external storage for big assets.
- Symptom: Alert fatigue on unseal warnings -> Root cause: No dedupe or grouping in alerts -> Fix: Aggregate alerts and tune thresholds.
- Symptom: Postmortem shows missed backup -> Root cause: No key backup practice -> Fix: Implement documented key backup and test restore.
- Symptom: Secrets present in logs -> Root cause: Logging plaintext or misconfigured log levels -> Fix: Scrub logs and enforce redaction.
- Symptom: Reconcile lag spikes -> Root cause: Heavy unseal throughput causing controller overload -> Fix: Scale controller or throttle commits.
- Symptom: Secret drift after re-seal -> Root cause: Partial re-seal rollout -> Fix: Automate re-seal across all repos and validate.
- Symptom: CI secrets leaked in PRs -> Root cause: Developers pasting plaintext before sealing -> Fix: Add pre-commit hooks and CI checks.
- Symptom: Multiple clusters using same private key -> Root cause: Single key shared across clusters -> Fix: Use per-cluster keys to limit blast radius.
- Symptom: Secret rotation causes downtime -> Root cause: No blue-green rotation strategy -> Fix: Implement rotation with phased rollout and feature flags.
- Symptom: Inconsistent secret formats -> Root cause: No schema validations -> Fix: Add CI validations and admission webhooks.
- Symptom: Controller pod OOM -> Root cause: Large number of sealed objects processed -> Fix: Increase resources and optimize memory usage.
- Symptom: Lack of audit entries for secret reads -> Root cause: Audit logging disabled or insufficient retention -> Fix: Enable and retain audit logs for required period.
- Symptom: Confusion about sealing tooling -> Root cause: Multiple sealing tools and inconsistent training -> Fix: Standardize on one toolchain and document patterns.
- Symptom: Secrets accidentally committed in plaintext -> Root cause: Lack of pre-commit checks -> Fix: Enforce pre-commit hooks and CI scans for secrets.
- Symptom: Unclear owner for key -> Root cause: No ownership defined -> Fix: Assign ownership and on-call for key lifecycle.
Observability pitfalls (at least five included above): missing audit logs, no metrics for controller health, incomplete log collection, no drift detection, and alert noise.
Best Practices & Operating Model
Ownership and on-call:
- Platform team owns controller availability and key lifecycle.
- Application teams own application Secrets and re-seal responsibilities.
- Define on-call rotations and an escalation policy for secret incidents.
Runbooks vs playbooks:
- Runbooks: step-by-step remediation actions for common incidents (e.g., private key restore).
- Playbooks: higher-level escalation and stakeholder notifications for security incidents.
Safe deployments:
- Canary sealed secret rollout: apply new Secret to a single namespace or replica set before global rollout.
- Rollback: store previous sealed versions and enable quick revert via Git.
Toil reduction and automation:
- Automate CI sealing for PR workflows.
- Automate inventory and re-seal on key rotation using scripts or GitOps jobs.
Security basics:
- Use KMS/HSM for private key backing where possible.
- Limit RBAC to minimal required principals.
- Encrypt backups storing private keys.
- Regularly rotate keys per organization policy.
Weekly/monthly routines:
- Weekly: review unseal failure logs and CI seal job failures.
- Monthly: test key restore, review RBAC policies, audit secret read events.
- Quarterly: practice rotation drills and run a game day.
Postmortem reviews related to Sealed Secrets:
- Review root cause of secret incidents, whether key mismanagement or operational errors.
- Document steps to avoid recurrence and update runbooks and dashboards accordingly.
Tooling & Integration Map for Sealed Secrets (TABLE REQUIRED)
| ID | Category | What it does | Key integrations | Notes |
|---|---|---|---|---|
| I1 | Controller | Unseals sealed objects in-cluster | Kubernetes, Helm, KMS | Controller must be monitored and backed up |
| I2 | CLI | Seals plaintext into sealed YAML | CI, Local dev | Distribute public key to clients |
| I3 | GitOps | Syncs repo to cluster | ArgoCD, Flux | Measures seal-to-deploy latency |
| I4 | KMS/HSM | Stores private keys securely | 云 KMS, HSM vendors | Improves key security and auditing |
| I5 | CI/CD | Automates sealing in pipelines | GitHub Actions, Jenkins | Needs keyless sealing or public key only |
| I6 | Logging | Centralizes controller logs | Loki, ELK | Used for troubleshooting unseal errors |
| I7 | Metrics | Exposes controller metrics | Prometheus | Measure availability and latency |
| I8 | Audit | Records secret reads and admin actions | Kubernetes audit, Cloud audit | Critical for security investigations |
| I9 | Policy | Enforces rules for sealed secrets | OPA/Gatekeeper | Prevents mis-scoped sealed objects |
| I10 | Backup | Stores keys and manifests for recovery | Backup solutions | Key backup must be encrypted and access-controlled |
Row Details
- I4: When using cloud KMS or HSM, ensure the controller is configured to call KMS for decrypt operations and verify latency impacts.
- I5: CI sealing should not require private key access; only public key is needed.
- I9: Policy engines can reject sealed secrets that don’t meet namespace or size policies.
Frequently Asked Questions (FAQs)
What is the difference between Sealed Secrets and Vault?
Sealed Secrets encrypts Kubernetes Secret manifests for storage in Git; Vault manages dynamic secrets and runtime access. They solve different parts of secret management.
Can I use Sealed Secrets for key rotation?
Sealed Secrets supports rotation but rotation orchestration is manual unless you automate re-sealing and redeploys; not automatic like some vault leases.
Is Sealed Secrets secure for production?
Yes when implemented with secure private key storage, RBAC, KMS/HSM backing, audit logging, and tested rotation processes.
What happens if the private key is lost?
New sealed secrets cannot be unsealed. Existing Secrets remain if not deleted. Recovery requires key restore from secure backup or re-sealing all secrets with a new key.
Can multiple clusters share the same private key?
They can, but this increases blast radius. Best practice is per-cluster or per-environment keys.
Does Sealed Secrets prevent runtime access risks?
No. It secures secrets at rest in Git; runtime access still relies on Kubernetes RBAC and pod/service account permissions.
How do I automate sealing in CI?
CI uses the public key to seal secrets; ensure CI jobs receive secret inputs securely and commit sealed YAMLs without requiring private key.
Are there size limits for sealed secrets?
Varies by implementation and Kubernetes limits; large binary secrets may require chunking or alternative storage.
Can I revoke a sealed secret stored in Git?
Revocation requires deleting the sealed YAML and removing/unsealing the Secret in-cluster; immediate revocation across clusters needs coordinated process.
How do I audit who accessed secrets?
Enable Kubernetes audit logs and KMS audit logs if using KMS-backed keys, and analyze access patterns through centralized logging.
Is Sealed Secrets compatible with Git submodules or monorepos?
Yes, sealed YAMLs are regular YAML files; ensure directory structure aligns with GitOps and CI expectations.
What are common troubleshooting steps when unseal fails?
Check controller logs, verify private key presence and permissions, ensure sealed object uses correct public key, validate YAML encoding.
How often should keys be rotated?
Varies / depends. Rotation cadence should be part of security policy and tested via drills.
Can I use Sealed Secrets with Helm or Kustomize?
Yes; you can seal values before packaging. Be mindful of templating and ensure sealed YAMLs are not templated in a way that corrupts encoding.
Is Sealed Secrets suitable for serverless platforms?
Often yes if the serverless platform consumes Kubernetes Secrets; otherwise consider platform-specific secret approaches.
What is the recovery plan for an air-gapped cluster?
Maintain offline backups of private keys and sealed manifests; test restore in an isolated environment to validate recovery.
Conclusion
Sealed Secrets is a practical, Git-friendly approach to securing Kubernetes Secrets in GitOps workflows. It reduces risk of accidental exposure, supports offline and air-gapped scenarios, and integrates well with CI/CD pipelines. However, it is not a full replacement for dynamic secret management and requires robust key management, monitoring, and tested rotation procedures.
Next 7 days plan:
- Day 1: Install controller in a sandbox cluster and export the public key.
- Day 2: Seal a few sample Secrets and commit them to a private repo; validate unseal flow.
- Day 3: Instrument controller metrics and centralize logs.
- Day 4: Add CI sealing step for one pipeline and test automated commits.
- Day 5: Draft runbooks for key loss, compromise, and rotation; schedule review.
- Day 6: Run a mini-game day: simulate controller pod failure and key restore.
- Day 7: Review RBAC and audit logs; set alerts for controller availability and unseal errors.
Appendix — Sealed Secrets Keyword Cluster (SEO)
Primary keywords
- Sealed Secrets
- Kubernetes sealed secrets
- Sealed Secrets controller
- GitOps secrets
- Encrypt Kubernetes secrets
- Sealed secret public key
- Sealed secret private key
- Sealed Secrets tutorial
Secondary keywords
- Git-friendly secrets
- Asymmetric encryption Kubernetes
- Sealed Secrets CI
- Sealed Secrets rotation
- KMS backed sealed secrets
- Sealed Secrets best practices
- Sealed Secrets architecture
- Sealed Secrets monitoring
Long-tail questions
- How do I use Sealed Secrets with GitOps
- How to rotate Sealed Secrets private key
- Can I store TLS certs with Sealed Secrets
- How to automate sealing in CI pipelines
- How to restore a Sealed Secrets private key
- What are common Sealed Secrets failure modes
- How to audit Sealed Secrets usage
- How to scale Sealed Secrets controller for many secrets
Related terminology
- Kubernetes Secret
- GitOps
- Public key encryption
- Private key management
- Key rotation
- KMS HSM integration
- ExternalSecrets
- Vault alternatives
- SOPS vs Sealed Secrets
- Helm secrets
- CI sealing
- Git repository secrets
- Secret drift
- Secret reconciliation
- Admission controller
- RBAC for secrets
- Secret lifecycle
- Secret backup and restore
- Secret audit logs
- Secret playbook
- Secret runbook
- Secret telemetry
- Seal-to-deploy latency
- Unseal success rate
- Controller availability
- Secret rotation automation
- Secret re-seal
- Secret performance limits
- Binary secret handling
- Namespace scoping
- Multi-cluster keys
- Key compromise response
- Secret retention policy
- Immutable Secrets
- Secret validation
- Secret telemetry
- Secret alerting
- Secret postmortem
- Secret ownership