# Install kubeseal

Kubernetes controller and tool for one-way encrypted Secrets. Version 0.37.0 via Homebrew; verified 2026-05-21.

## Install

```sh
sudo av install brew:kubeseal
```

## Agent safety answer

kubeseal transforms Kubernetes secrets and is tied to cluster secret-management workflows.

- **Credential access:** Handles secret manifests and cluster public keys; input files may contain sensitive values.
- **Remote mutation:** Does not usually mutate clusters directly, but output is intended for cluster application.
- **Publish/artifact risk:** Can produce sealed secret artifacts committed or deployed to clusters.
- **Recommended control:** Gate commands that read plaintext secret files or write deployable sealed secrets.
- **Agent-use guidance:** Allow public-key fetches; require approval before processing plaintext secrets or writing manifests.

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install kubeseal
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install kubeseal
```

  Evidence: MacPorts ports tree: sysutils/kubeseal/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add kubeseal
```

  Evidence: Alpine Linux edge package indexes: kubeseal from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#kubeseal
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ku/kubeseal/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S kubeseal
```

  Evidence: Arch Linux sync databases: kubeseal from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install kubeseal
```

  Evidence: openSUSE Tumbleweed package metadata: kubeseal from https://download.opensuse.org/tumbleweed/repo/oss/repodata/155b97171d05e27afd950b6fe0d55513ff38f4597110664535bceedc680bbe6fd459f0733718dcc21dcf0efc7c8250fd1390c73d4790b42e62fb2c16a87242e5-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/kubeseal
```

  Evidence: Scoop official bucket manifest trees: bucket/kubeseal.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package Facts

- **Package key:** brew:kubeseal
- **Package manager:** Homebrew
- **Package manager URL:** <https://formulae.brew.sh/formula/kubeseal>
- **Version:** 0.37.0
- **Source summary:** Kubernetes controller and tool for one-way encrypted Secrets
- **Homepage:** <https://github.com/bitnami-labs/sealed-secrets>
- **Repository:** <https://github.com/bitnami-labs/sealed-secrets>
- **Upstream docs:** <https://github.com/bitnami-labs/sealed-secrets/blob/main/README.md>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/bitnami-labs/sealed-secrets.git>
- **Last updated:** 2026-05-21T19:18:50Z
- **Generated:** 2026-06-10T07:18:26+00:00

## Executables

- kubeseal (cli)
- kubeseal (alias)

## Build Dependencies

- go

## Install Behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-06-10
- Package-manager version: 0.37.0
- Package-manager updated: 2026-05-21
- Local data status: ok
- Upstream repository: https://github.com/bitnami-labs/sealed-secrets
- info: No cached GitHub release or tag data was available.

## Security Notes

Broad file, network, media, or database tool signal. Infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- broad file, network, media, or database tool signal
- infrastructure mutation or orchestration signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** kubeseal
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - kubeseal: normalized package name match | nixpkgs package indexes: pkgs/by-name/ku/kubeseal/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - kubeseal - 0.37.0-r0: normalized package name match | Alpine Linux edge package indexes: kubeseal from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | A Kubernetes controller and tool for one-way encrypted Secrets | https://github.com/bitnami-labs/sealed-secrets
- apk - kubeseal-doc - 0.37.0-r0: normalized package name match | Alpine Linux edge package indexes: kubeseal-doc from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | A Kubernetes controller and tool for one-way encrypted Secrets (documentation) | https://github.com/bitnami-labs/sealed-secrets
- pacman - kubeseal - 0.35.0-2: normalized package name match | Arch Linux sync databases: kubeseal from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | A Kubernetes controller and tool for one-way encrypted Secrets | https://github.com/bitnami-labs/sealed-secrets
- zypper - kubeseal - 0.37.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: kubeseal from https://download.opensuse.org/tumbleweed/repo/oss/repodata/155b97171d05e27afd950b6fe0d55513ff38f4597110664535bceedc680bbe6fd459f0733718dcc21dcf0efc7c8250fd1390c73d4790b42e62fb2c16a87242e5-primary.xml.zst | CLI for encrypting secrets to SealedSecrets | https://github.com/bitnami-labs/sealed-secrets
- MacPorts - kubeseal: normalized package name match | MacPorts ports tree: sysutils/kubeseal/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/kubeseal: normalized package name match | Scoop official bucket manifest trees: bucket/kubeseal.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related Links

- [Cloud CLI packages](https://www.automicvault.com/zh-hans/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/zh-hans/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/zh-hans/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/zh-hans/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [go](https://www.automicvault.com/zh-hans/pkg/brew/go/) - Build dependency declared by Homebrew.
- [ksops](https://www.automicvault.com/zh-hans/pkg/brew/ksops/) - Shares av.db curated category or tags: cli, kubernetes, secrets, security.
- [kubescape](https://www.automicvault.com/zh-hans/pkg/brew/kubescape/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [gator](https://www.automicvault.com/zh-hans/pkg/brew/gator/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [kube-bench](https://www.automicvault.com/zh-hans/pkg/brew/kube-bench/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [kubehound](https://www.automicvault.com/zh-hans/pkg/brew/kubehound/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [git-crypt](https://www.automicvault.com/zh-hans/pkg/brew/git-crypt/) - Shares av.db curated category or tags: cli, encryption, secrets, security.
- [git-secret](https://www.automicvault.com/zh-hans/pkg/brew/git-secret/) - Shares av.db curated category or tags: cli, encryption, secrets, security.
- [transcrypt](https://www.automicvault.com/zh-hans/pkg/brew/transcrypt/) - Shares av.db curated category or tags: cli, encryption, secrets, security.
- [blackbox](https://www.automicvault.com/zh-hans/pkg/brew/blackbox/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, encryption, secrets, security.

## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
- curated agent safety answer
