Different behaviour in GKE between etcd and PV storage for same key action

9/29/2021

GKE natively works with a customer-supplied key (using KMS), including actions like key rotation and key disabling/enabling, for etcd / content in the control plane.

While a customer-supplied key (using KMS) also works for encryption of dynamic PV mounts (using a storage class), it doesn't support actions like key rotation or key disabling/enabling. For example, disabling the key has no effect on an already mounted PV.

Why this difference? Are these two implementations drastically different?

-- C. Derx
Tags: etcd, google-cloud-kms, google-kubernetes-engine, kubernetes, kubernetes-pvc

1 Answer

9/30/2021

According to the documentation on customer-supplied encryption keys:

If an object is encrypted using a customer-supplied encryption key, you can rotate the object's key by rewriting the object. Rewrites are supported through the JSON API, but not the XML API. See Rotating an encryption key for examples of key rotation.

You can also refer to the Stack Overflow link.

-- Fariya Rahmat
Source: StackOverflow