In order to enable encryption of data stored in the [[etcd cluster]], the [[K8S Apiserver]] needs to be configured with the `--encryption-provider-config` flag.

First, create a file `encryption-config.yaml`:
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used to encrypt new writes; aescbc needs a
      # base64-encoded key of 16, 24 or 32 bytes (e.g. head -c 32 /dev/urandom | base64).
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64-ENCODED-16-24-OR-32-BYTE-KEY>
      # identity (no encryption) is listed last so existing plaintext data stays readable.
      - identity: {}
```
Next, make sure that the apiserver pod can access the file. For example, create a `/etc/kubernetes/encryption` directory, mount it into the apiserver pod, and then set the flag like so: `--encryption-provider-config=/etc/kubernetes/encryption/encryption-config.yaml`.
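As an added example (not part of the original note or the Kubernetes project), this POSIX shell script generates a random 32-byte key, checks that a key decodes to a length aescbc accepts, and renders the configuration above with it; the helper names and the output-path argument are assumptions.

```shell
#!/usr/bin/env sh
# Added example: generate an aescbc key and write encryption-config.yaml.
# Assumes POSIX sh with head, base64, wc and tr available (GNU coreutils).
set -eu

# Print a base64-encoded random key of N bytes (aescbc accepts 16, 24 or 32).
gen_key() {
  head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Print the number of raw bytes a base64 string decodes to (partial or 0 if invalid).
key_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Succeed only if the key decodes to a length the aescbc provider accepts.
check_key() {
  n=$(key_bytes "$1")
  case "$n" in 16|24|32) return 0 ;; *) return 1 ;; esac
}

# Write the EncryptionConfiguration to $2 using key $1. aescbc is listed first
# so new writes are encrypted; identity is last so existing plaintext stays readable.
write_config() {
  check_key "$1"
  cat > "$2" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $1
      - identity: {}
EOF
}

# Usage: sh this_script.sh /etc/kubernetes/encryption/encryption-config.yaml
if [ -n "${1:-}" ]; then
  write_config "$(gen_key 32)" "$1"
fi
```

Run it with the target path as the only argument; without an argument it defines the helpers and does nothing.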
Status: #💡
References:
- https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/