On-Prem k8s | Part 4

Generating the Data Encryption Config

Secret data encryption

Kubernetes supports encrypting resources at rest so that sensitive data (such as Secrets) is not stored in clear text in the etcd key/value database.

In this section, we will create a Kubernetes encryption config manifest that specifies the resources to be encrypted, the encryption provider and its key.

Later, the kube-apiserver will be started with the --experimental-encryption-provider-config flag pointing at this file, in order to enable data encryption at rest.

Encryption key

First, we generate a random key, base64 encoded:

ENCRYPTION_KEY=`head -c 32 /dev/urandom | base64`

Kubernetes manifest file

Generate the Kubernetes YAML file that will later be used for enabling secret data encryption. See the Kubernetes documentation on encrypting data at rest if you want more information.

cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF

Distribute the file

Copy the generated file to the three controller nodes:

for instance in k8sctl1 k8sctl2 k8sctl3; do
    scp encryption-config.yaml $instance:~/
done
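The steps above written as a small script, as an added example that is not part of the original tutorial: it writes the same EncryptionConfig manifest, creates it readable only by the owner (the file holds the key), and sanity-checks it before it is copied to the controllers, verifying that the aescbc key decodes to exactly 32 bytes (AES-256) and that the file mode is 0600. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names), not code from the tutorial.
set -euo pipefail

# Write an EncryptionConfig for the given base64 key to $2 (default: encryption-config.yaml).
# The manifest is the same one the tutorial generates; aescbc first, identity last so that
# existing unencrypted data can still be read until it is rewritten.
gen_encryption_config() {
  local key="$1" out="${2:-encryption-config.yaml}"
  ( umask 077; cat > "$out" <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key
              secret: ${key}
      - identity: {}
EOF
  )
  chmod 600 "$out"   # also covers the case where the file already existed
}

# Return 0 only if the file's aescbc secret decodes to 32 bytes and the file is mode 600.
check_encryption_config() {
  local file="$1" secret nbytes mode
  secret=$(sed -n 's/^ *secret: *//p' "$file" | head -n1)
  [ -n "$secret" ] || { echo "no secret found in $file" >&2; return 1; }
  nbytes=$(printf '%s' "$secret" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$nbytes" -eq 32 ] || { echo "key is $nbytes bytes, expected 32 (AES-256)" >&2; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$mode" = "600" ] || { echo "$file has mode $mode, expected 600" >&2; return 1; }
}

# Usage: generate a fresh 32-byte key, write the manifest and check it before running scp.
if [ "${1:-}" = "run" ]; then
  ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
  gen_encryption_config "$ENCRYPTION_KEY" encryption-config.yaml
  check_encryption_config encryption-config.yaml && echo "encryption-config.yaml OK"
fi
```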

Next: Bootstrapping etcd Cluster >

< Previous: Generating Kubeconfig files
