TIL: k8s sealed secrets only work with explicit namespace(s)

When using the Bitnami Sealed Secrets controller [1] in your Kubernetes cluster, you have to set the namespace of your secret explicitly before generating the SealedSecret .yaml.

When you omit the namespace, the metadata namespace: default will be added by the kubeseal CLI, and the controller will then not be able to decrypt the secret into your actual namespace. You will get the error message: "no key could decrypt secret".

The namespace is part of the encryption so that nobody can simply decrypt the secret into another namespace with different access rights and then read the contents of the decrypted secret there [2].
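
A simplified model of that binding, added here as an illustration (it is not code from the sealed-secrets project): the value is encrypted with RSA-OAEP using namespace/name as the OAEP label, so decrypting under any other namespace fails. It assumes the default strict scope and leaves out the AES-GCM session-key layer the real tool puts around the data; the names db-creds and prod and the secret value are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// label binds a ciphertext to one namespace/name pair (model of the strict scope).
func label(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// seal models what kubeseal does with the controller's public key.
func seal(pub *rsa.PublicKey, namespace, name string, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, label(namespace, name))
}

// unseal models the controller decrypting into the namespace the SealedSecret was applied to.
func unseal(priv *rsa.PrivateKey, namespace, name string, ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, label(namespace, name))
	if err != nil {
		return nil, fmt.Errorf("no key could decrypt secret (%s/%s)", namespace, name)
	}
	return pt, nil
}

// demo seals without an explicit namespace (so "default" is used), then
// unseals in "prod" (fails) and in "default" (succeeds). Names are constructed.
func demo() (prodErr error, plain string, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	ct, err := seal(&key.PublicKey, "default", "db-creds", []byte("s3cr3t"))
	if err != nil {
		return nil, "", err
	}
	_, prodErr = unseal(key, "prod", "db-creds", ct)
	pt, err := unseal(key, "default", "db-creds", ct)
	return prodErr, string(pt), err
}

func main() {
	prodErr, plain, err := demo()
	fmt.Println("prod:", prodErr)
	fmt.Println("default:", plain, err)
}
```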