0

GKE natively works with customer supplied key (using KMS), including actions like key rotation, key disabling/enabling for etcd / content in control plane.

While customer supplied key (using KMS) also works for encryption of dynamic PV mounts (using storage class), it doesn't support actions like key rotation, key disabling/enabling. For example, disabling the key has no effect on already mounted PV.

Why this difference? Are these two implementation drastically different?

C. Derx
  • 326
  • 2
  • 13

1 Answers1

0

According to the documentation on the Customer Supplied Encryption key.

If an object is encrypted using a customer-supplied encryption key, you can rotate the object's key by rewriting the object. Rewrites are supported through the JSON API, but not the XML API. See Rotating an encryption key for examples of key rotation.

You can also refer to the stackoverflow link.

Fariya Rahmat
  • 2,123
  • 3
  • 11