
K3s Secrets Management

Procedures for managing sensitive data and encryption within the K3s cluster.


1. Overview

Secret management is handled through Kubernetes native Secret objects. Keep in mind that a Secret's data is only base64-encoded, not encrypted: anyone who can read the object through the API, or read the datastore behind the API server, can read the value. K3s does not encrypt Secrets at rest unless the server is started with --secrets-encryption. Bitnami Sealed Secrets is used on top of this so that secrets can be committed to version control in encrypted form (GitOps-friendly); it does not change how the Secret is stored once the controller has decrypted it.


2. Sealed Secrets Implementation

Sensitive data is encrypted (sealed) before being committed to version control.

Installation

  1. Deploy the Sealed Secrets controller via the Helm chart. Install it into kube-system under the release name sealed-secrets-controller: those are the controller namespace and name that kubeseal looks for by default, so the client works without extra flags:

    helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
    helm install sealed-secrets-controller sealed-secrets/sealed-secrets -n kube-system
    
  2. Install the kubeseal CLI tool on the local management workstation, at a version matching the controller. If the controller is installed under another name or namespace, pass --controller-name and --controller-namespace to every kubeseal call.

Workflow

  1. Creation: Define a standard Kubernetes Secret manifest locally, with metadata.namespace set (kubeseal's default strict scope ties the ciphertext to the Secret's name and namespace, so a SealedSecret sealed without a namespace will not decrypt where it is deployed). This manifest holds the plaintext: never commit it, and preferably never write it to disk at all (generate it with kubectl create secret ... --dry-run=client -o yaml and pipe it straight into kubeseal).
  2. Encryption: Encrypt (seal) the secret using kubeseal and the controller's public key. kubeseal fetches the key from the cluster, or reads it from a file passed with --cert for use from CI or a workstation without cluster access. Ask for YAML output explicitly; the default is JSON:

    kubeseal --format yaml < secret.yaml > sealed-secret.yaml
    
  3. Deployment: Commit and push the SealedSecret object to the repository. When it is applied, the cluster-side controller decrypts it with its private key (which never leaves the cluster) and creates the corresponding Secret in the same namespace.
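The three workflow steps as one script, added here as an illustration; it is not code from this page or from the Sealed Secrets project. It assumes kubeseal on PATH, the controller installed as sealed-secrets-controller in kube-system, and a kubectl context for the cluster. The helper names (make_secret_manifest, safe_to_commit, run_workflow) and the CONTROLLER_NAME/CONTROLLER_NS variables are this example's own, and the password literal is a constructed sample. Only the cluster-free helpers run unless the script is invoked with --run.

```shell
#!/bin/sh
# Added example (not from the page or the Sealed Secrets project): an end-to-end
# seal-before-commit workflow. Assumes kubeseal on PATH, the controller installed
# as "sealed-secrets-controller" in kube-system, and a kubectl context for the
# cluster. CONTROLLER_NAME/CONTROLLER_NS are hypothetical knobs of this script.
set -eu

CONTROLLER_NAME="${CONTROLLER_NAME:-sealed-secrets-controller}"
CONTROLLER_NS="${CONTROLLER_NS:-kube-system}"

# Single-line base64 of a value. This is encoding, not encryption.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Emit a plain Secret manifest on stdout; it is piped straight into kubeseal and
# never written into the repository. The namespace is mandatory: kubeseal's
# default "strict" scope binds the ciphertext to name and namespace, so a
# SealedSecret sealed without one would not decrypt where it is deployed.
make_secret_manifest() { # name namespace key value
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$1" "$2" "$3" "$(b64 "$4")"
}

# Fetch the controller's current public sealing certificate once. Later sealing
# runs offline with --cert, so CI or a laptop needs no cluster credentials.
fetch_cert() {
  kubeseal --fetch-cert \
    --controller-name "$CONTROLLER_NAME" --controller-namespace "$CONTROLLER_NS"
}

# Seal a Secret manifest read on stdin. --format yaml keeps the repo readable
# (kubeseal defaults to JSON); --scope strict is the default, stated explicitly.
seal_manifest() { # cert-file
  kubeseal --cert "$1" --format yaml --scope strict
}

# Pre-commit guard: only a SealedSecret may be committed, and it must carry no
# top-level data/stringData block (that would mean an unsealed Secret slipped in).
safe_to_commit() { # file
  grep -q '^kind: SealedSecret$' "$1" || return 1
  if grep -Eq '^(data|stringData):' "$1"; then return 1; fi
  return 0
}

run_workflow() {
  cert="$(mktemp)"; sealed="$(mktemp)"
  fetch_cert > "$cert"
  # The plaintext Secret exists only inside this pipe (constructed sample value).
  make_secret_manifest db-credentials app password 'example-only-password' \
    | seal_manifest "$cert" > "$sealed"
  safe_to_commit "$sealed" || { echo "refusing: not a clean SealedSecret" >&2; exit 1; }
  # Have the controller confirm it can decrypt this object before it reaches git.
  kubeseal --validate \
    --controller-name "$CONTROLLER_NAME" --controller-namespace "$CONTROLLER_NS" < "$sealed"
  cp "$sealed" sealed-secret.yaml   # this file is what gets committed
  rm -f "$cert" "$sealed"
}

# Cluster steps run only when invoked as: sh seal.sh --run
if [ "${1:-}" = "--run" ]; then run_workflow; fi
```

safe_to_commit is cheap enough to wire into a pre-commit hook for the secrets directory; kubeseal --validate is the stronger check, because it proves the controller that will run the decryption actually holds a key for this ciphertext.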


3. External Secret Vaults (Optional)

For environments requiring advanced lifecycle management (short-lived or dynamically issued credentials, central revocation, rotation driven by the vault rather than by a commit), integration with external vaults is supported. The vault, not Git, then becomes the source of truth. Where an operator syncs vault entries into the cluster, the result is still a native Secret object, so the RBAC and audit controls in section 4 apply unchanged.

  • HashiCorp Vault: Managed via External Secrets Operator (ESO), which syncs Vault paths into Secret objects according to ExternalSecret resources.
  • OCI Vault: Direct integration for cloud-native secret retrieval.

4. Operational Best Practices

  1. Rotation: Application secrets are rotated every 90 days. For a sealed secret this means generating the new value, sealing it again and committing the new SealedSecret; the superseded ciphertext remains in Git history and still decrypts under any sealing key the controller has retained. The controller itself generates a new sealing key every 30 days by default and keeps the old ones; after a key renewal, run kubeseal --re-encrypt on the stored SealedSecrets so they no longer depend on old keys. Back up the controller's private sealing keys (the Secrets in kube-system labelled sealedsecrets.bitnami.com/sealed-secrets-key) to an encrypted store outside the cluster: losing them makes every SealedSecret unrecoverable, and leaking them exposes every secret ever committed.
  2. Access: RBAC is utilized to restrict secret access to authorized namespaces only: namespaced Roles and RoleBindings, with get narrowed to resourceNames where practical, and no ClusterRole that grants get, list or watch on secrets. Remember that list and watch return the values of every Secret in the namespace, and that anyone who can create Pods (or exec into them) in a namespace can read that namespace's Secrets through volume mounts and environment variables regardless of RBAC on the secrets resource.
  3. Audit: Secret access events are captured in the cluster audit logs. K3s does not enable API audit logging by default; it needs an audit policy file and a log path passed to the API server through --kube-apiserver-arg. Log requests for secrets at the Metadata level only, not Request or RequestResponse, otherwise the audit log itself becomes a copy of every secret value.