Encrypting Shared Cluster Files
The pki shared by all control plane nodes are distributed via etcd/e2d using e2db, an ORM-like abstraction over etcd. These files should be protected using strong encryption, and e2db provides a feature for encrypting entire tables. The one requirement is that the etcd ca key is provided in the crit configuration:
apiVersion: crit.sh/v1alpha2
kind: ControlPlaneConfiguration
etcd:
endpoints:
- "https://${controlPlaneEndpoint.Host}:2379"
caFile: /etc/kubernetes/pki/etcd/ca.crt
caKey: /etc/kubernetes/pki/etcd/ca.key
certFile: /etc/kubernetes/pki/etcd/client.crt
keyFile: /etc/kubernetes/pki/etcd/client.key
where the important file here is ca.key
, since it is only one suitable to use as a data encryption key.