manage-kubernetes-secrets
About
This skill implements secure secrets management for Kubernetes applications using SealedSecrets for GitOps workflows and External Secrets Operator for cloud integrations. It handles sensitive data like TLS certificates and API keys with encryption at rest, RBAC controls, and rotation strategies. Use it when version-controlling secrets in Git, integrating with AWS Secrets Manager/Azure Key Vault, or migrating from plaintext Kubernetes Secrets.
Quick Install
Claude Code
Recommendednpx skills add pjt222/agent-almanac -a claude-code/plugin add https://github.com/pjt222/agent-almanacgit clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/manage-kubernetes-secretsCopy and paste this command in Claude Code to install this skill
Documentation
管 Kubernetes 密
以 SealedSecrets 於 GitOps、External Secrets Operator 於雲密管、並旋換之略施產線級 Kubernetes 密管,加密於靜、RBAC 之控。
用時
- 為 Kubernetes 應存敏感配置(API 鍵、密碼、詞元)
- 施 GitOps 工作流,密須入版本控制
- 合 Kubernetes 於 AWS Secrets Manager、Azure Key Vault、GCP Secret Manager
- 旋憑證與證書,應無停機
- 施最小特權之密訪,跨名空間與團隊
- 自明文 Secret 遷至加密或外管之解
入
- 必要:具管訪之 Kubernetes 叢集
- 必要:欲管之密(資料庫憑、API 鍵、TLS 證書)
- 可選:雲密管(AWS Secrets Manager、Azure Key Vault、GCP Secret Manager)
- 可選:為 TLS 證書生成之證書機構
- 可選:SealedSecrets 用之 GitOps 倉
- 可選:靜加密用之 key management service (KMS)
法
完整配置檔案與樣板,見 Extended Examples。
第一步:啟 Kubernetes Secret 之靜加密
以 KMS 或本地加密為 Secret 設靜加密。
# For AWS EKS, enable secrets encryption with KMS
cat > encryption-config.yaml <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: $(head -c 32 /dev/urandom | base64)
- identity: {}
EOF
# For self-hosted clusters, configure API server
# Add to kube-apiserver flags:
# --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
# Verify encryption status
kubectl get secrets -A -o json | jq '.items[] | select(.metadata.name != "default-token") | .metadata.name'
# Encrypt existing secrets by reading and rewriting
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
# Verify a secret is encrypted at rest
# Check etcd directly (requires etcd access)
ETCDCTL_API=3 etcdctl get /registry/secrets/default/my-secret --print-value-only | hexdump -C
雲管之 Kubernetes:
# AWS EKS - Create KMS key
aws kms create-key --description "EKS secrets encryption"
KMS_KEY_ARN=$(aws kms describe-key --key-id alias/eks-secrets --query 'KeyMetadata.Arn' --output text)
# Enable encryption on EKS cluster
aws eks associate-encryption-config \
--cluster-name my-cluster \
--encryption-config "resources=secrets,provider={keyArn=$KMS_KEY_ARN}"
# GKE - Enable application-layer secrets encryption
gcloud container clusters update my-cluster \
--database-encryption-key projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME
# AKS - Encryption enabled by default with platform-managed keys
# Optionally use customer-managed keys
az aks update \
--name my-cluster \
--resource-group my-rg \
--enable-azure-keyvault-secrets-provider
**得:**Secret 於 etcd 靜加密。Hexdump 顯加密之資,非明文。雲管叢集之 KMS 合已設。既 Secret 之重加密無誤而成。
**敗則:**API 伺啟動敗,驗 encryption-config.yaml 之語法與鍵格(須 base64 編 32 位之鍵)。KMS 誤者,察 IAM 權限容 kms:Decrypt 與 kms:Encrypt。etcd 訪疑者,以備/復之規復加密誤配者。
第二步:裝並設 Sealed Secrets 以 GitOps
佈 Bitnami Sealed Secrets 控制器以加密密為 Git 存。
# Install Sealed Secrets controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Verify controller is running
kubectl get pods -n kube-system -l name=sealed-secrets-controller
# Install kubeseal CLI
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
tar xfz kubeseal-0.24.0-linux-amd64.tar.gz
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
# Fetch public key for offline sealing
kubeseal --fetch-cert \
--controller-namespace=kube-system \
--controller-name=sealed-secrets-controller \
> pub-cert.pem
# Create a regular Secret (NOT applied to cluster yet)
kubectl create secret generic mysecret \
--from-literal=username=admin \
--from-literal=password='sup3rs3cr3t!' \
--dry-run=client \
-o yaml > mysecret.yaml
# Seal the secret
kubeseal --format=yaml --cert=pub-cert.pem < mysecret.yaml > mysealedsecret.yaml
# Inspect sealed secret (safe to commit to Git)
cat mysealedsecret.yaml
封之密似此:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: mysecret
namespace: default
spec:
encryptedData:
username: AgA8V7f3q2... (encrypted data)
password: AgBkXp9n1h... (encrypted data)
template:
metadata:
name: mysecret
namespace: default
施並驗:
# Apply sealed secret to cluster
kubectl apply -f mysealedsecret.yaml
# Verify regular Secret was created automatically
kubectl get secret mysecret -o yaml
# Decode secret to verify values
kubectl get secret mysecret -o jsonpath='{.data.username}' | base64 -d
# Commit sealed secret to Git (safe, encrypted)
git add mysealedsecret.yaml
git commit -m "Add database credentials as sealed secret"
**得:**Sealed Secrets 控制器運於 kube-system 名空間。公證已取。Kubeseal 以公鍵加密 Secret。Sealed Secret 施於叢集時自動建解密 Secret。唯控制器可解密(有私鍵)。
**敗則:**加密誤者,驗控制器運行而 pub-cert.pem 有效。解密敗者,以 kubectl logs -n kube-system -l name=sealed-secrets-controller 察控制器日誌。名空間不合誤者,封密預設為名空間作用域;跨名空間者用 --scope cluster-wide。私鍵失則封密不可解;以 kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-backup.yaml 備控制器鍵。
第三步:佈 External Secrets Operator 以雲密管
合 Kubernetes 於 AWS Secrets Manager、Azure Key Vault、或 GCP Secret Manager。
# Install External Secrets Operator via Helm
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets \
external-secrets/external-secrets \
--namespace external-secrets-system \
--create-namespace
# Verify operator is running
kubectl get pods -n external-secrets-system
# Create IAM role for AWS Secrets Manager (EKS with IRSA)
cat > trust-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/OIDC_ID"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.REGION.amazonaws.com/id/OIDC_ID:sub": "system:serviceaccount:default:external-secrets-sa"
}
}
}
]
}
EOF
aws iam create-role \
--role-name external-secrets-role \
--assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy \
--role-name external-secrets-role \
--policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
# Create SecretStore referencing AWS Secrets Manager
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: aws-secretsmanager
namespace: default
spec:
provider:
aws:
service: SecretsManager
region: us-east-1
auth:
jwt:
serviceAccountRef:
name: external-secrets-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-sa
namespace: default
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/external-secrets-role
EOF
# Create secret in AWS Secrets Manager
aws secretsmanager create-secret \
--name myapp/database \
--secret-string '{
"username":"dbadmin",
"password":"dbpass123",
"endpoint":"db.example.com:5432",
"database":"myapp"
}'
# Create ExternalSecret to sync from AWS
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: myapp-database
namespace: default
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secretsmanager
kind: SecretStore
target:
name: myapp-db-secret
creationPolicy: Owner
data:
- secretKey: username
remoteRef:
key: myapp/database
property: username
- secretKey: password
remoteRef:
key: myapp/database
property: password
- secretKey: endpoint
remoteRef:
key: myapp/database
property: endpoint
EOF
# Verify ExternalSecret synced
kubectl get externalsecret myapp-database
kubectl get secret myapp-db-secret -o yaml
# Check synchronization status
kubectl describe externalsecret myapp-database
Azure Key Vault 者:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: azure-keyvault
namespace: default
spec:
provider:
azurekv:
authType: ManagedIdentity
vaultUrl: "https://my-keyvault.vault.azure.net"
tenantId: "tenant-id"
**得:**External Secrets Operator 運。SecretStore 以雲供應商憑設。ExternalSecret 資源自雲密管拉而自動建 Kubernetes Secret。Secret 每時刷。雲密管之變播至叢集。
**敗則:**認證誤者,驗 IAM 角色/服務帳戶註與信任政策容 assume role。同步敗者,以 kubectl describe externalsecret 察 ExternalSecret 之態。雲中缺密者,驗密名與 JSON 屬性路徑合。以 aws secretsmanager get-secret-value --secret-id myapp/database 試 AWS 憑。
第四步:以 cert-manager 施證書管
以 cert-manager 自化 TLS 證書之配與續。
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
# Verify installation
kubectl get pods -n cert-manager
# ... (see EXAMPLES.md for complete configuration)
入口註式之證書發:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myapp-ingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
# ... (see EXAMPLES.md for complete configuration)
**得:**cert-manager 自 Let's Encrypt 得證書。TLS 密建,具有效證書與私鍵。證書於過期前自續。入口用證書為 HTTPS 終止。
**敗則:**ACME 挑戰敗者,http01 驗 DNS 指入口 LoadBalancer IP,dns01 驗 Route53 IAM 權限。速限誤者,試用 letsencrypt-staging 發行者。續敗者,以 kubectl logs -n cert-manager deployment/cert-manager 察 cert-manager 日誌。以 curl -v https://myapp.example.com 試證書。
第五步:施密旋策
以版管與應重啟自化密旋。
# Enable automatic Pod restarts on Secret changes with Reloader
kubectl apply -f https://raw.githubusercontent.com/stakater/Reloader/master/deployments/kubernetes/reloader.yaml
# Annotate Deployment to watch Secrets
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
# ... (see EXAMPLES.md for complete configuration)
驗旋工作流:
# Manually trigger rotation
kubectl create job --from=cronjob/secret-rotation manual-rotation-$(date +%s)
# Watch for Secret update
kubectl get secret myapp-db-secret -w
# Verify Reloader triggered Pod restart
kubectl get events --sort-by='.lastTimestamp' | grep Reloader
# Check new Pods are using updated secret
kubectl get pods -l app=myapp
kubectl exec -it <pod-name> -- env | grep DB_PASSWORD
**得:**Reloader 察 Secret/ConfigMap 並於變時重啟 Pod。密旋更 AWS Secrets Manager,External Secrets Operator 同至 Kubernetes,Reloader 觸滾動重啟。應無手介而取新憑。
**敗則:**Reloader 未觸者,驗註之語與 Reloader 運以 kubectl get pods -n default -l app=reloader-reloader。External Secrets 同延者,減 refreshInterval 或以 kubectl annotate externalsecret myapp-database force-sync="$(date +%s)" --overwrite 手觸。旋中應連敗者,於應碼施優雅密重載或以連池附重試邏輯。
第六步:以 RBAC 施密訪控
以 Kubernetes RBAC 以最小特權之則限密訪。
# Create namespace for sensitive workloads
apiVersion: v1
kind: Namespace
metadata:
name: production
---
# ... (see EXAMPLES.md for complete configuration)
試 RBAC:
# Apply RBAC resources
kubectl apply -f rbac.yaml
# Test as application service account
kubectl auth can-i get secret myapp-db-secret --as=system:serviceaccount:production:myapp -n production
# Should return "yes"
# ... (see EXAMPLES.md for complete configuration)
**得:**服務帳戶經 resourceNames 僅讀特定密。開發者不可察產線名空間之密。唯 secret-admins 群可建/更/刪密。RBAC 拒記於審計日誌。
**敗則:**訪拒誤者,驗 RoleBinding 之主體配 ServiceAccount 名與名空間。權限過廣者,除萬用動詞並加 resourceNames 限。審計日誌隙者,於 API 伺器層啟 Kubernetes 審計日誌。佈變前以 kubectl auth can-i 試。
驗
- Secret 於 etcd 靜加密(以 etcdctl 或 KMS 驗)
- Sealed Secrets 控制器運而公證已取
- External Secrets Operator 自雲密管同步
- TLS 證書由 cert-manager 發且自續
- 密旋經 Reloader 自動化,附應重啟
- RBAC 政策施最小特權之密訪
- 無明文密於 Git 倉或容器鏡像
- sealed-secrets 私鍵之備/復規已試
- 密同步敗與過期之監告已設
陷
-
Git 史中之密:提交明文密後除之不清 Git 史。用 git-filter-repo 或 BFG 重寫史,旋洩露之密
-
RBAC 過廣:於名空間諸密准
get secrets。用 resourceNames 僅限特定密之訪 -
無旋策:密永不旋,增洩之爆半徑。以 External Secrets Operator 或 CronJob 施自動旋
-
缺靜加密:密以明文存於 etcd。存敏資前啟加密供應商或 KMS 合
-
應快取密:應啟時讀密一次而永不重載。施信號處(SIGHUP)或檔察於密檔之變
-
External Secrets 刷過慢:預設 1 小時刷意密變傳播需時至一小時。為關鍵密降 refreshInterval,用 webhook 為即更
-
sealed-secrets 鍵無備:控制器私鍵失則諸封密不可復。以
kubectl get secret -n kube-system sealed-secrets-key -o yaml > backup.yaml備並安存 -
證書續敗:cert-manager 因 DNS/防火牆之變不能續。以 Prometheus 指標與告監證書過期
參
deploy-to-kubernetes— 於 Deployment 與 StatefulSet 中用密enforce-policy-as-code— 密訪驗之 OPA 政策security-audit-codebase— 察應碼中之硬碼密configure-ingress-networking— 入口資源中 TLS 證書之用implement-gitops-workflow— ArgoCD/Flux 管線中之 Sealed Secrets
GitHub Repository
Related Skills
qmd
Developmentqmd is a local search and indexing CLI tool that enables developers to index and search through local files using hybrid search combining BM25, vector embeddings, and reranking. It supports both command-line usage and MCP (Model Context Protocol) mode for integration with Claude. The tool uses Ollama for embeddings and stores indexes locally, making it ideal for searching documentation or codebases directly from the terminal.
subagent-driven-development
DevelopmentThis skill executes implementation plans by dispatching a fresh subagent for each independent task, with code review between tasks. It enables fast iteration while maintaining quality gates through this review process. Use it when working on mostly independent tasks within the same session to ensure continuous progress with built-in quality checks.
mcporter
DevelopmentThe mcporter skill enables developers to manage and call Model Context Protocol (MCP) servers directly from Claude. It provides commands to list available servers, call their tools with arguments, and handle authentication and daemon lifecycle. Use this skill for integrating and testing MCP server functionality in your development workflow.
adk-deployment-specialist
DevelopmentThis skill deploys and orchestrates Vertex AI ADK agents using A2A protocol, managing AgentCard discovery, task submission, and supporting tools like Code Execution Sandbox and Memory Bank. It enables building multi-agent systems with sequential, parallel, or loop orchestration patterns in Python, Java, or Go. Use it when asked to deploy ADK agents or orchestrate agent workflows on Google Cloud.