@janeczku
Created April 2, 2019 14:32
Rancher RKE etcd secret data encryption

See also the upstream documentation: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#encrypting-your-data

  1. Generate a random 32-byte key and base64 encode it (the kube-apiserver expects the base64 form in the config file):

    $ head -c 32 /dev/urandom | base64
  2. Create a Kubernetes encryption configuration file, readable only by root, on each RKE node that will subsequently be provisioned with the controlplane role. The file holds the raw encryption key, so its permissions matter as much as the key itself.

    touch /etc/kubernetes/encryption.yaml
    chown root:root /etc/kubernetes/encryption.yaml
    chmod 0600 /etc/kubernetes/encryption.yaml
  3. Populate the file with the following YAML structure:

    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    resources:
      - resources:
        - secrets
        providers:
        - aescbc:
            keys:
            - name: key1
              secret: <32-byte base64 encoded encryption key>
        - identity: {}

Note that aescbc is the recommended encryption provider. The order of the providers matters: the first provider in the list is the one used to encrypt new writes, while the remaining providers are only tried when reading. Listing identity first would leave every newly written secret stored in plaintext in etcd. Keeping identity as the second entry allows secrets that were written before encryption was enabled to remain readable until they are rewritten.

  4. When creating the new cluster in Rancher, add the following directives to the kube-api section under services in the cluster YAML (cluster.yml for RKE, or the "Edit as YAML" view in Rancher):

    services:
      kube-api:
        extra_args:
          encryption-provider-config: /etc/kubernetes/encryption.yaml

Where the path in encryption-provider-config corresponds to the path of the encryption config file on the control-plane nodes (RKE bind-mounts /etc/kubernetes from the host into the kube-apiserver container, which is why that directory is used here). On Kubernetes releases before 1.13 the flag was named experimental-encryption-provider-config instead. Enabling the provider only affects secrets written from that point on; to encrypt secrets that already exist in etcd, rewrite them once the API servers are running with the new config:

    $ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
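The following script is an added example and not part of the gist: it carries the four steps through end to end, generating the key, writing the config with aescbc ahead of identity and root-only permissions, and checking the result. The last function shows how to recognise whether a value read back from etcd (for instance with `etcdctl get /registry/secrets/<namespace>/<name>`) was actually written through the aescbc provider, since encrypted values carry a `k8s:enc:aescbc:v1:<keyname>:` prefix while unencrypted ones start with the plain protobuf marker. Function names and the key name `key1` are the example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not the gist's or Rancher's own code): build and verify an
# EncryptionConfiguration for the kube-apiserver, then check etcd values.
set -euo pipefail

# Step 1: 32 random bytes, base64 encoded on a single line.
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Steps 2 and 3: write the config at $1 (optional key in $2), created with a
# restrictive umask so the key is never briefly world-readable on disk.
# aescbc is first so new writes are encrypted; identity second keeps old
# plaintext secrets readable until they are rewritten.
write_encryption_config() {
  local path="$1" key="${2:-$(gen_key)}"
  (
    umask 077
    cat > "$path" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
  )
  chmod 0600 "$path"
}

# Sanity checks before pointing the kube-apiserver at the file:
#  - the key decodes to exactly 32 bytes (AES-256)
#  - aescbc is listed before identity
#  - the file is mode 0600
verify_encryption_config() {
  local path="$1" key aes_line id_line mode
  key=$(sed -n 's/^ *secret: *//p' "$path")
  [ "$(printf '%s' "$key" | base64 -d | wc -c | tr -d ' ')" -eq 32 ] || return 1
  aes_line=$(grep -n 'aescbc:' "$path" | head -1 | cut -d: -f1)
  id_line=$(grep -n 'identity:' "$path" | head -1 | cut -d: -f1)
  [ -n "$aes_line" ] && [ -n "$id_line" ] && [ "$aes_line" -lt "$id_line" ] || return 1
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "600" ] || return 1
}

# Given a raw value read from etcd, report whether it went through the
# aescbc provider. Encrypted values start with "k8s:enc:aescbc:v1:<keyname>:";
# plaintext secrets start with the protobuf marker "k8s" followed by a NUL.
is_encrypted_value() {
  case "$1" in
    k8s:enc:aescbc:v1:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone usage: write and verify a config in a temporary location.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  cfg=$(mktemp)
  write_encryption_config "$cfg"
  verify_encryption_config "$cfg" && echo "config at $cfg looks sane"
  # Constructed sample values standing in for etcdctl output.
  is_encrypted_value 'k8s:enc:aescbc:v1:key1:...' && echo "sample 1: encrypted"
  is_encrypted_value 'k8s' || echo "sample 2: plaintext"
  rm -f "$cfg"
fi
```

In a real cluster the check in `is_encrypted_value` is run against `etcdctl get` output for a secret created after the API servers restarted; a plaintext result there means the provider order or the flag is wrong, not that the key is bad.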

tlvenn commented May 13, 2019

The api version with latest K8s should be apiVersion: apiserver.config.k8s.io/v1 instead.
See: kubernetes/kubernetes#61599
