On-Prem k8s | Part 4

Generating the Data Encryption Config

Secret data encryption

Kubernetes supports data encryption at rest to securely store data in the etcd k/v database.

In this section, we will create a Kubernetes encryption config manifest to specify the resource we want to be encrypted, the encryption mechanism and key.

Later, the kube-api server will be started with the --experimental-encryption-provider-config flag in order to enable data encryption at rest

Encryption key

First, we generate a random key, base64 encoded:

ENCRYPTION_KEY=`head -c 32 /dev/urandom | base64`

Kubernetes manifest file

Generate the Kubernetes yaml file that will later be used for enabling secret data encryption. Head here if you want more information about encryption at rest.

cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
  - resources:
      - secrets
      - aescbc:
            - name: key
              secret: ${ENCRYPTION_KEY}
      - identity: {}

Distribute the file

Copy the generated file to the three controller nodes

for instance in k8sctl1 k8sctl2 k8sctl3; do
    scp encryption-config.yaml $instance:~/

Next: Bootstrapping etcd Cluster >

< Previous: Generating Kubeconfig files

  • Category
comments powered by Disqus