Seal from stdin with scope sealed-secrets
Create and seal a secret in cluster-wide scope
kubectl create secret generic mysecret --dry-run=client --from-literal=token=abc123 -o yaml | kubeseal --scope cluster-wide -o yaml
more sealed-secrets
all 11 commands →
Fetch public certificate
kubeseal --fetch-cert --controller-name=sealed-secrets --controller-namespace=kube-system > pub.pem
Seal offline with cert
kubeseal --cert pub.pem --format yaml < secret.yaml > sealed.yaml
Check sealed-secrets controller logs
kubectl logs -n kube-system -l app.kubernetes.io/name=sealed-secrets -f
List all SealedSecrets
kubectl get sealedsecrets -A
Re-seal with new key
kubectl get secret mysecret -o yaml | kubeseal --format yaml > sealed-new.yaml