Linux command

kubeseal command

Involves pipes, overwriting, or deletion; confirm paths and parameters before running.

Common examples

Seal secret

kubeseal < [secret.yaml] > [sealed-secret.yaml]

Seal with controller name

kubeseal --controller-name=[sealed-secrets] < [secret.yaml]

Seal specific namespace

kubeseal --namespace=[namespace] < [secret.yaml]

Fetch certificate

kubeseal --fetch-cert > [cert.pem]

Seal from literal

kubectl create secret generic [name] --from-literal=[key]=[value] --dry-run=client -o yaml | kubeseal

Description

kubeseal is a client-side tool for encrypting Kubernetes Secret resources into SealedSecret objects that are safe to store in version control. It uses asymmetric encryption with a public key fetched from the Sealed Secrets controller running in the cluster, ensuring that only that specific controller can decrypt the data back into a usable Secret. The tool reads a standard Kubernetes Secret from stdin or a file, encrypts it, and outputs a SealedSecret custom resource in YAML or JSON format. This enables GitOps workflows where all cluster configuration, including secrets, can be committed to a Git repository without exposing sensitive values. Each SealedSecret is scoped to a specific namespace and cluster by default, preventing re-use of encrypted data across environments.
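
A pre-commit or CI check that fits the GitOps workflow described above, as an added example (not part of the original page or of the Sealed Secrets project): it lists manifests that still contain a plaintext top-level kind: Secret document so they can be run through kubeseal before being committed. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag manifests that still hold a plaintext Secret.

# find_unsealed DIR: print "path:line" for each top-level "kind: Secret" in
# *.yaml/*.yml under DIR. SealedSecret documents are not reported.
# Limitation: Secrets nested in a "kind: List" (indented) are not detected.
find_unsealed() {
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do
        awk -v file="$f" -v q="'" '
            /^kind:/ {
                v = $0
                sub(/^kind:[ \t]*/, "", v)       # drop the key
                sub(/[ \t]*(#.*)?\r?$/, "", v)   # drop trailing comment and CR
                gsub("[\"" q "]", "", v)         # drop surrounding quotes
                if (v == "Secret") print file ":" NR
            }' "$f"
    done
}

# check_repo DIR: return 0 when nothing needs sealing, 1 otherwise.
check_repo() {
    hits=$(find_unsealed "$1")
    [ -z "$hits" ] && return 0
    printf 'Plaintext Secret manifests, seal with kubeseal before commit:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample tree (placeholder values, not real credentials).
make_sample_repo() {
    d=$(mktemp -d) || return 1
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: db\nstringData:\n  password: example-only\n' > "$d/plain.yaml"
    printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: db\n' > "$d/sealed.yaml"
    printf 'kind: ConfigMap\n---\nkind: "Secret"  # second document\n' > "$d/multi.yml"
    printf '%s\n' "$d"
}
```

Call check_repo from a pre-commit hook or CI job with the directory that holds the repository's manifests; a non-zero exit blocks the commit until the listed files are sealed.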

Parameters

--controller-name NAME
Sealed Secrets controller name.
--controller-namespace NS
Controller namespace.
--namespace NS
Target namespace.
--fetch-cert
Fetch public certificate.
--format FMT
Output format (yaml, json).
--help
Display help information.

FAQ

How do I run a basic kubeseal example?

Run `kubeseal < [secret.yaml] > [sealed-secret.yaml]` in a terminal, replacing the bracketed placeholders with your own file names and adding flags such as --namespace or --controller-name as needed.

What does --controller-name NAME do in kubeseal?

Sealed Secrets controller name.