Enabling Kubernetes Encryption Providers
Encryption Providers support is a Kubernetes solution to implement data
encryption at rest. When enabled, the cluster administrator can ensure that
secrets and other sensitive Kubernetes resources are encrypted before they are
stored in the etcd backend.
Kubernetes supports several providers.
Additionally, it supports external Key Management Systems (KMS) through the
KMS provider.
Encryption Providers are supported by Kubernetes since
v1.13.
KubeOne Support
KubeOne provides managed support for Encryption Providers as of v1.3.
The following operations are supported:
- Enabling/disabling Encryption Providers
- Rotating Encryption keys
- Using custom Encryption Providers configuration
Enabling Encryption Providers
To enable Encryption Providers support, the following section is added to the
KubeOne Cluster configuration manifest:
apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
name: k1-cluster
versions:
kubernetes: '1.25.6'
features:
# enable encryption providers
encryptionProviders:
enable: true
For managed configuration, KubeOne will enable the Encryption Providers flag
for the Kubernetes API server and will pass a generated configuration file such
as the following one:
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- providers:
- aescbc:
keys:
- name: kubeone-xkau31
secret: 6utsip/8CJ1GFQpM6iWq4oL2z2g8tJ5UkGbIgkSWAAc=
- identity: {}
resources:
- secrets
By default, KubeOne will use the AESCBC provider and will generate a randomized
key for it. Also, only secret
resources are encrypted.
Once KubeOne has pushed the configuration file and updated the kube-apiserver
flags as required, it will restart the kube-apiserver pods and ensure all
secret resources are rewritten with encryption enabled.
To enable Encryption Providers support for existing cluster, you must
run kubeone apply --force-upgrade
to apply the feature.
Disabling Encryption Providers
To disable this feature, simply set the enable
option to false
and upgrade
your cluster with the --force-upgrade
flag:
apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
name: k1-cluster
versions:
kubernetes: '1.25.6'
features:
# enable encryption providers
encryptionProviders:
enable: false
kubeone apply --manifest kubeone.yaml --tfjson output.json --force-upgrade
KubeOne will remove the configuration file from the control plane nodes and
update the kube-apiserver flags. Additionally, it will rewrite all secret
resources again to ensure that they are written back in plain text.
Rotating Encryption keys
KubeOne also supports rotating encryption keys to allow having a rotation
policy for secret keys. The new --rotate-encryption-key
flag is added to
the apply
command for this.
kubeone apply --manifest kubeone.yaml --tfjson output.json --force-upgrade --rotate-encryption-key
Similar to how enable/disable work, to rotate they key, you need to use the
--force-upgrade
flag as well.
During rotation, KubeOne will apply several steps that
involve restarting the kube-apiserver pods and rewriting the cluster secrets.
Custom Encryption Providers configuration
KubeOne allows advanced users to manage their own configuration as well,
for advanced use cases such as specifying multiple resources to encrypt,
using multiple key providers or using an external KMS.
However, unlink the managed configuration, for custom configuration files,
KubeOne only push the configuration file the control plane nodes and manage the
kube-apiserver flags. It will not handle the content of the configuration file.
This means that managed key rotation is not supported with custom
configuration.
When custom configuration is used, the user will be responsible for managing
the configuration to apply the steps required for
enable, disable
and rotate processes.
To use custom configuration, you simply add them inline to your KubeOne cluster
configuration manifest:
apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
name: k1-cluster
versions:
kubernetes: '1.25.6'
features:
encryptionProviders:
enable: true
customEncryptionConfiguration: |
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- providers:
- aescbc:
keys:
- name: custom-key
secret: lsn9B5vaIePTsbH2cxxzB0EfbBIZkYplC1fwfiNksJo=
- identity: {}
resources:
- secrets
Using an external KMS Provider
It is possible to use KubeOne to configure your Kubernetes cluster to use an external Key Management System. This provides an additional layer of security since it doesn’t require storing the a plain text key on control plane nodes.
Kubernetes requires using a KMS plugin to be able to communicate with the external KMS providers. Most cloud providers have KMS plugin implementations to allow Kubernetes to use their KMS services. For example:
Kubernetes communicates with the KMS Encryption Provider through a unix socket. For this to work, the cluster administrator needs to deploy KMS plugin on all control plane nodes. The plugin can be deployed as binary, a standalone docker container, a static pod or as a Daemonset configured to run only the control plan nodes. KubeOne will detect the unix socket path from the custom configuration and add a bind-mount to the KubeAPI static pod to allow it to communicate to the KMS plugins.
An example of custom encryption providers configuration to enable AWS Encryption Provider would look like this:
apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
name: kms-test
versions:
kubernetes: '1.25.6'
cloudProvider:
aws: {}
features:
encryptionProviders:
enable: true
customEncryptionConfiguration: |
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- identity: {}
- kms:
name: aws-encryption-provider
endpoint: unix:///var/run/kmsplugin/socket.sock
cachesize: 1000
timeout: 3s
A Note About Backups
It’s important to understand that the data will be encrypted during the etcd
backup operation as well. This means that when restoring a backup, the cluster
should be configured using the same encryption key that was used during the
backup. If that’s not the case, the Kubernetes API server will not be able to
access the encrypted data.