By default, all the data stored in etcd is not encrypted. For production deployments, some of the data stored in etcd needs to be encrypted, such as secrets. Is there a way to store secrets in etcd in an encrypted way by default?
To have encryption you need to start the apiserver service with this parameter:
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml
where the yaml file contains this:
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
Here the provider is aescbc (the strongest encryption) and the variable was generated beforehand:
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
Take a look at these documents:

Nicola Ben
- Where is etcd storing the encryption keys? Do I need a separate external etcd cluster? – Ijaz Ahmad Oct 21 '18 at 13:55
- etcd doesn't store the key. The key (only one, symmetric) is in the yaml file; you generated it. – Nicola Ben Oct 21 '18 at 13:59
- Once you push this yaml file, it will instruct Kubernetes to store secrets encrypted with that key, so where does this key reside in Kubernetes? How to secure this key? – Ijaz Ahmad Oct 21 '18 at 14:34
- In the master's memory I suppose, precisely in the apiserver process memory. – Nicola Ben Oct 21 '18 at 14:45
- So if the apiserver nodes are restarted, will the key need to be reconfigured? – Ijaz Ahmad Oct 21 '18 at 14:54
- I suggest you follow the tutorial at https://github.com/kelseyhightower/kubernetes-the-hard-way to clear all your doubts. – Nicola Ben Oct 21 '18 at 14:58
- The tutorial says nothing about where that key is stored in the Kubernetes control plane. – Ijaz Ahmad Oct 21 '18 at 15:17