This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. If you are running Kubernetes version 1.28 or higher, your Kubernetes secrets are protected with envelope encryption by default. For more information, see Default envelope encryption for all Kubernetes API Data.
If you enable secrets encryption, the Kubernetes secrets are encrypted using the AWS KMS key that you select. The KMS key must meet the following conditions:
Symmetric
Can encrypt and decrypt data
Created in the same AWS Region as the cluster
If the KMS key was created in a different account, the IAM principal must have access to the KMS key.
For more information, see Allowing IAM principals in other accounts to use a KMS key in the AWS Key Management Service Developer Guide .
WarningYou canât disable secrets encryption after enabling it. This action is irreversible.
You can enable encryption in two ways:
Add encryption to your cluster with a single command.
To automatically re-encrypt your secrets, run the following command.
eksctl utils enable-secrets-encryption \
--cluster my-cluster \
--key-arn arn:aws:kms:region-code:account:key/keyTo opt-out of automatically re-encrypting your secrets, run the following command.
eksctl utils enable-secrets-encryption
--cluster my-cluster \
--key-arn arn:aws:kms:region-code:account:key/key \
--encrypt-existing-secrets=falseAdd encryption to your cluster with a kms-cluster.yaml file.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: my-cluster
region: region-code
secretsEncryption:
keyARN: arn:aws:kms:region-code:account:key/keyTo have your secrets re-encrypt automatically, run the following command.
eksctl utils enable-secrets-encryption -f kms-cluster.yamlTo opt out of automatically re-encrypting your secrets, run the following command.
eksctl utils enable-secrets-encryption -f kms-cluster.yaml --encrypt-existing-secrets=falseThis procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see Default envelope encryption for all Kubernetes API Data.
Open the Amazon EKS console.
Choose the cluster that you want to add KMS encryption to.
Choose the Overview tab (this is selected by default).
Scroll down to the Secrets encryption section and choose Enable.
Select a key from the dropdown list and choose the Enable button. If no keys are listed, you must create one first. For more information, see Creating keys
Choose the Confirm button to use the chosen key.
This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see Default envelope encryption for all Kubernetes API Data.
Associate the secrets encryption configuration with your cluster using the following AWS CLI command. Replace the example values with your own.
aws eks associate-encryption-config \
--cluster-name my-cluster \
--encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"arn:aws:kms:region-code:account:key/key"}}]'An example output is as follows.
{
  "update": {
    "id": "3141b835-8103-423a-8e68-12c2521ffa4d",
    "status": "InProgress",
    "type": "AssociateEncryptionConfig",
    "params": [
      {
        "type": "EncryptionConfig",
        "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:region-code:account:key/key\"}}]"
      }
    ],
    "createdAt": 1613754188.734,
    "errors": []
  }
}You can monitor the status of your encryption update with the following command. Use the specific cluster name and update ID that was returned in the previous output. When a Successful status is displayed, the update is complete.
aws eks describe-update \
--region region-code \
--name my-cluster \
--update-id 3141b835-8103-423a-8e68-12c2521ffa4dAn example output is as follows.
{
  "update": {
    "id": "3141b835-8103-423a-8e68-12c2521ffa4d",
    "status": "Successful",
    "type": "AssociateEncryptionConfig",
    "params": [
      {
        "type": "EncryptionConfig",
        "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:region-code:account:key/key\"}}]"
      }
    ],
    "createdAt": 1613754188.734>,
    "errors": []
  }
}To verify that encryption is enabled in your cluster, run the describe-cluster command. The response contains an EncryptionConfig string.
aws eks describe-cluster --region region-code --name my-clusterAfter you enabled encryption on your cluster, you must encrypt all existing secrets with the new key:
NoteIf you use eksctl, running the following command is necessary only if you opt out of re-encrypting your secrets automatically.
kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - kms-encryption-timestamp="time value"If you enable secrets encryption for an existing cluster and the KMS key that you use is ever deleted, then thereâs no way to recover the cluster. If you delete the KMS key, you permanently put the cluster in a degraded state. For more information, see Deleting AWS KMS keys.
NoteBy default, the create-key command creates a symmetric encryption KMS key with a key policy that gives the account root admin access on AWS KMS actions and resources. If you want to scope down the permissions, make sure that the kms:DescribeKey and kms:CreateGrant actions are permitted on the policy for the principal that calls the create-cluster API.
For clusters using KMS Envelope Encryption, kms:CreateGrant permissions are required. The condition kms:GrantIsForAWSResource is not supported for the CreateCluster action, and should not be used in KMS policies to control kms:CreateGrant permissions for users performing CreateCluster.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4