K
Q

Encrypting secret data in kubernetes etcd store

10/20/2018

By default all the data stored in etcd is not encrypted, for the production deployments, some of the data stored in etcd need to be encrypted such as secrets, Is there a way to store the secrets, in an encrypted way, in etcd, by default.

-- Ijaz Ahmad Khan
confidentiality
encryption
etcd
kubernetes
security

Similar Questions

How to do variable substitution in Kubernetes manifests?
Kubernetes resource versioning
Istio allowing all outbound traffic
What and where is the default kubeadm config file?

1 Answer

10/21/2018

To have encryption you need to instruct apiserver service with this parameter:

--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml

where the yaml file contains this:

kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}

here the provider is aescbc (the strongest encryption) and the variable is generated before:

ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)

Take a look to these documents:

-- Nicola Ben
Source: StackOverflow