By default, all the data stored in etcd is not encrypted. For production deployments, some of the data stored in etcd needs to be encrypted, such as secrets. Is there a way to store secrets in etcd in an encrypted form by default?
To have encryption, you need to instruct the apiserver service with this parameter:
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml
where the yaml file contains this:
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
Here the provider is aescbc (the strongest encryption), and the variable is generated beforehand:
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
Take a look at these documents:
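As an added example (not part of the answer above), the following script renders the same EncryptionConfig into a file from a freshly generated key and checks the key before the file is handed to the apiserver. The file path, key name and variable names are the answer's; the function names and the validation logic are assumed.

```shell
#!/bin/sh
# Added example: generate an aescbc key, write the EncryptionConfig from the
# answer above, and verify the key length. Function names are assumed.

# aescbc accepts AES keys of 16, 24 or 32 bytes; 32 bytes gives AES-256.
generate_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 only if the base64 key decodes to exactly 32 bytes.
check_key_length() {
    _len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${_len:-0}" -eq 32 ]
}

# Write the config. The first provider (aescbc) is used for writes; every
# listed provider is tried for reads, so identity keeps pre-existing
# plaintext secrets readable until they are rewritten.
write_encryption_config() {
    _out=$1
    _key=$2
    cat > "$_out" <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${_key}
      - identity: {}
EOF
    # The file holds the raw key: restrict it to its owner.
    chmod 600 "$_out"
}

# Sanity check on a rendered file: the secret line must carry a 32-byte key.
validate_config() {
    _key=$(grep -m1 'secret:' "$1" | sed 's/.*secret: *//')
    check_key_length "$_key"
}

# Usage (as root on the control plane host):
#   ENCRYPTION_KEY=$(generate_key)
#   write_encryption_config /var/lib/kubernetes/encryption-config.yaml "$ENCRYPTION_KEY"
#   validate_config /var/lib/kubernetes/encryption-config.yaml && echo "config ok"
```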