Encrypting Kubernetes Secrets
EncryptionProviderConfig
To encrypt secrets within the cluster you must create an EncryptionConfiguration
manifest and pass it to the API server.
touch /etc/kubernetes/encryption-config.yaml
chmod 600 /etc/kubernetes/encryption-config.yaml
cat <<-EOT > /etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: $(cat /etc/kubernetes/pki/etcd/ca.key | md5sum | cut -f 1 -d ' ' | head -c -1 | base64)
- identity: {}
EOT
This EncryptionConfiguration
uses the aescbc
provider for encrypting secrets. Details on other providers, including third-party key management systems, can be found in the Kubernetes official documentation.
apiVersion: crit.sh/v1alpha2
kind: ControlPlaneConfiguration
kubeAPIServer:
extraVolumes:
- name: encryption-config
hostPath: /etc/kubernetes/encryption-config.yaml
mountPath: /etc/kubernetes/encryption-config.yaml
readOnly: true
Once the API server is available, verify that new secrets are encrypted.