Configuring the Kubernetes cluster
Once SDS for Kubernetes KMS Plugin has been deployed and started, you must configure the API server on each control plane node of your Kubernetes cluster to enable encryption at rest through the KMS provider.
WARNING
The Kubernetes configuration provided in this section is an example for version 1.32; refer to the Kubernetes documentation to customize your configuration:
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

- Create the following /opt/kms/kube-encryption.yaml file to enable the use of SDS for Kubernetes KMS Plugin.

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - kms:
          apiVersion: v2 # SDS for Kubernetes KMS plugin supports only v2
          name: SDSKMSPlugin
          endpoint: unix:///opt/kms/kube-kms-plugin.sock # Same path as BIND_STRING on server
          timeout: 3s # Timeout between the KMS plugin and the API server
      - identity: {} # Keeps existing unencrypted data readable until it is rewritten

- Update the /etc/kubernetes/manifests/kube-apiserver.yaml file to configure the Kubernetes API server to use the KMS provider.
Add the lines commented with "Add this line" in the example below:

...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --encryption-provider-config=/opt/kms/kube-encryption.yaml # Add this line with path to kube-encryption.yaml file
    - --encryption-provider-config-automatic-reload=true # Add this line
    ...
    volumeMounts:
    - mountPath: /opt/kms # Add this line
      name: opt-kms # Add this line
  ...
  volumes:
  - hostPath: # Add this line
      path: /opt/kms # Add this line
      type: DirectoryOrCreate # Add this line
    name: opt-kms # Add this line
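A post-rollout check, added here as an example and not part of the SDS for Kubernetes KMS Plugin documentation: it writes a probe Secret through the API server, then reads the stored entry directly from etcd to confirm it carries the KMS v2 envelope prefix for the SDSKMSPlugin provider declared above. The etcd endpoint and certificate paths are assumptions for a kubeadm-style control plane.

```shell
#!/usr/bin/env bash
# Added example, not part of the plugin documentation. A Secret written after
# the provider is enabled must be stored in etcd as
# "k8s:enc:kms:v2:<provider name>:<ciphertext>".
set -eu

PROVIDER_NAME="SDSKMSPlugin"                       # providers[].kms.name
EXPECTED_PREFIX="k8s:enc:kms:v2:${PROVIDER_NAME}:"

# Assumed etcd client settings for a kubeadm-style control plane; adjust them.
ETCD_ENDPOINT="https://127.0.0.1:2379"
ETCD_PKI="/etc/kubernetes/pki/etcd"

# Returns 0 when a raw etcd value carries the expected KMS v2 prefix.
is_kms_encrypted() {
  case "$1" in
    "${EXPECTED_PREFIX}"*) return 0 ;;
    *)                     return 1 ;;
  esac
}

# Reads one key straight from etcd, bypassing the API server, so we see the
# stored bytes. NULs are stripped (bash cannot hold them); the ASCII prefix is unaffected.
etcd_get_raw() {
  ETCDCTL_API=3 etcdctl --endpoints="$ETCD_ENDPOINT" \
    --cacert="$ETCD_PKI/ca.crt" --cert="$ETCD_PKI/server.crt" \
    --key="$ETCD_PKI/server.key" get "$1" --print-value-only | tr -d '\0'
}

# Writes a probe Secret through the API server, then inspects its etcd entry.
check_kms_encryption() {
  local ns="${1:-default}" name="kms-probe-$$" raw
  kubectl -n "$ns" create secret generic "$name" --from-literal=probe=1 >/dev/null
  raw="$(etcd_get_raw "/registry/secrets/${ns}/${name}")"
  kubectl -n "$ns" delete secret "$name" >/dev/null
  if is_kms_encrypted "$raw"; then
    echo "OK: secrets are written through provider ${PROVIDER_NAME}"
  else
    echo "FAIL: etcd value starts with '${raw:0:24}', expected '${EXPECTED_PREFIX}'" >&2
    return 1
  fi
}

# Only talks to the cluster when explicitly asked, so the helpers can be sourced.
if [ -n "${KMS_CHECK_RUN:-}" ]; then
  check_kms_encryption "${1:-default}"
fi
```

Run it on a control plane node with `KMS_CHECK_RUN=1 bash kms-check.sh [namespace]`. Objects written before the provider was enabled stay unencrypted until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`, as described in the Kubernetes encrypt-data documentation.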