
I am unable to figure out how to change my kube-apiserver. The current version I am using from Azure AKS is 1.13.7.

Below is what I need to change the kube-apiserver in Kubernetes.

The kube-apiserver process accepts an argument --encryption-provider-config that controls how API data is encrypted in etcd.

Additionally, I am unable to find the kube-apiserver.

Yaml File Formatted

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
    - secrets
    providers:
    - identity: {}
    - aesgcm:
        keys:
        - name: key1
          secret: c2VjcmV0IGlzIHNlY3VyZQ==
        - name: key2
          secret: dGhpcyBpcyBwYXNzd29yZA==
    - aescbc:
        keys:
        - name: key1
          secret: c2VjcmV0IGlzIHNlY3VyZQ==
        - name: key2
          secret: dGhpcyBpcyBwYXNzd29yZA==
    - secretbox:
        keys:
        - name: key1
          secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=

I have tried to apply this yaml file but the error I get is below.

error: unable to recognize "examplesecret.yaml": no matches for kind "EncryptionConfiguration" in version "apiserver.config.k8s.io/v1"

I created an AKS cluster in Azure and used the example encryption YAML file. I expected to be able to create rest secrets. The result I get is that I am unable to create them.

Charles Xu

1 Answer


The Kind: EncryptionConfiguration is understood only by the api-server via the flag --encryption-provider-config= (ref); in AKS, there’s no way to pass that flag to the api-server, as it’s a managed service. Feel free to request the feature in the public forum.

Alessandro Vozza
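
On a cluster where you do control the kube-apiserver flags (unlike AKS, per the answer above), a file like the one in the question can be checked before it is handed to --encryption-provider-config. This is an added example, not code from either poster or from Kubernetes: the function name `audit_encryption_config` is hypothetical, and the dict is constructed here as the question's file would look after YAML parsing. It relies on two rules: the first listed provider is the one used to encrypt writes, and aesgcm/aescbc keys must decode to 16, 24 or 32 bytes, secretbox keys to 32.

```python
import base64
import binascii

# Accepted decoded key sizes in bytes, per provider.
KEY_SIZES = {"aesgcm": {16, 24, 32}, "aescbc": {16, 24, 32}, "secretbox": {32}}

# Constructed sample: the question's file as a YAML parser would return it.
K1, K2 = "c2VjcmV0IGlzIHNlY3VyZQ==", "dGhpcyBpcyBwYXNzd29yZA=="
QUESTION_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{"resources": ["secrets"], "providers": [
        {"identity": {}},
        {"aesgcm": {"keys": [{"name": "key1", "secret": K1}, {"name": "key2", "secret": K2}]}},
        {"aescbc": {"keys": [{"name": "key1", "secret": K1}, {"name": "key2", "secret": K2}]}},
        {"secretbox": {"keys": [{"name": "key1", "secret": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="}]}},
    ]}],
}


def audit_encryption_config(cfg):
    """Return a list of findings for a parsed EncryptionConfiguration (hypothetical helper)."""
    if cfg.get("kind") != "EncryptionConfiguration":
        return ["not an EncryptionConfiguration document"]
    findings = []
    for entry in cfg.get("resources", []):
        providers = entry.get("providers", [])
        target = ",".join(entry.get("resources", []))
        # The first provider encrypts writes; identity there means plaintext in etcd.
        if providers and "identity" in providers[0]:
            findings.append(f"{target}: identity is listed first, so new writes are stored unencrypted")
        for provider in providers:
            for name, body in provider.items():
                if name not in KEY_SIZES:
                    continue  # identity carries no inline keys
                for key in body.get("keys", []):
                    try:
                        raw = base64.b64decode(key["secret"], validate=True)
                    except (binascii.Error, ValueError):
                        findings.append(f"{target}: {name}/{key['name']} is not valid base64")
                        continue
                    if len(raw) not in KEY_SIZES[name]:
                        findings.append(f"{target}: {name}/{key['name']} decodes to {len(raw)} bytes")
    return findings


if __name__ == "__main__":
    for finding in audit_encryption_config(QUESTION_CONFIG):
        print(finding)
```

Run against the question's file, it reports a single finding: identity is listed first, so secrets would still be written to etcd in plaintext even if the API server loaded the file.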