See also the upstream documentation: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#encrypting-your-data
-
Generate a base64-encoded encryption key (32 random bytes, i.e. an AES-256 key):
```sh
$ head -c 32 /dev/urandom | base64
```
-
Create a Kubernetes encryption configuration file, readable by root only, on each of the RKE nodes that will subsequently be provisioned with the controlplane role:
```sh
touch /etc/kubernetes/encryption.yaml
chown root:root /etc/kubernetes/encryption.yaml
chmod 0600 /etc/kubernetes/encryption.yaml
```
-
Populate the file with the following YAML structure:
```yaml
apiVersion: v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # Provider order matters: the first provider is used to encrypt new writes.
      # identity (no encryption) goes last so it is only used to read secrets that
      # were stored before encryption was enabled; listing it first would leave
      # secrets in plaintext.
      - aescbc:
          keys:
            - name: key1
              secret: <32-byte base64 encoded encryption key>
      - identity: {}
```
Note that aescbc is the recommended encryption provider.
-
When creating the new cluster in Rancher, add the following directives to the kube-api section under services in the Cluster.yaml:
```yaml
services:
  kube-api:
    extra_args:
      encryption-provider-config: /etc/kubernetes/encryption.yaml
```
where the path in encryption-provider-config corresponds to the path of the encryption config file on the control-plane nodes.
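The key generation and config-file steps above as one script, added here as an example; it is not from the issue thread and not part of RKE or Rancher. The function names and the check logic are this example's own. It takes the target path as an argument instead of hard-coding /etc/kubernetes/encryption.yaml, uses the apiserver.config.k8s.io/v1 API version that current Kubernetes expects, and only chowns to root when run as root, so it can be dry-run in a temporary directory as an unprivileged user.

```shell
#!/usr/bin/env bash
# Added example: generate the key, write the EncryptionConfiguration with the
# encrypting provider first, and verify the file before RKE starts kube-apiserver.
# Function names and the check logic are this example's own, not RKE's.
set -euo pipefail

# 32 random bytes, base64 encoded on a single line (AES-256 key for aescbc).
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Number of bytes a base64 string decodes to; aescbc expects exactly 32 here.
key_bytes() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Write the config to $1 using key $2. The file is created with mode 0600 before
# the key is written, so it is never readable by other users, even briefly.
# Provider order matters: the first provider encrypts new writes; identity (no
# encryption) is last so secrets stored before enabling encryption stay readable.
write_encryption_config() {
  local path=$1 key=$2
  install -m 0600 /dev/null "$path"
  cat > "$path" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
  # kube-apiserver runs as root on RKE nodes; chown only when we are root too.
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$path"; fi
}

# Return 0 if the file is mode 0600 and an encrypting provider precedes identity.
check_encryption_config() {
  local path=$1 mode first
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  if [ "$mode" != "600" ]; then
    echo "refusing: $path has mode $mode, expected 600" >&2
    return 1
  fi
  first=$(grep -E '^[[:space:]]*- (aescbc|aesgcm|secretbox|kms|identity)' "$path" | head -n 1 || true)
  case "$first" in
    *identity*)
      echo "refusing: identity is the first provider, secrets would be written in plaintext" >&2
      return 1 ;;
    "")
      echo "refusing: no providers found in $path" >&2
      return 1 ;;
  esac
  return 0
}
```

On a controlplane node, as root, the call is `write_encryption_config /etc/kubernetes/encryption.yaml "$(gen_key)" && check_encryption_config /etc/kubernetes/encryption.yaml`, after which the kube-api extra_args from the step above point kube-apiserver at that file. Two caveats from the upstream documentation: enabling the config only encrypts secrets written afterwards, so existing secrets stay in plaintext in etcd until they are rewritten (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`), and the way to confirm it worked is to read a secret's raw key from etcd with etcdctl and check that the value starts with the `k8s:enc:aescbc:v1:key1:` prefix rather than readable JSON.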
The API version with latest K8s should be `apiVersion: apiserver.config.k8s.io/v1` instead. See: kubernetes/kubernetes#61599