Tencent Cloud TKE-KMS Plugin integrates the key management features of Key Management Service (KMS) to provide encryption and decryption for Secrets in a Kubernetes cluster. It runs as a KMS provider for kube-apiserver: each Secret is encrypted with a data encryption key, and the plugin wraps that data key with the KMS key before anything is written to etcd, so the plaintext never reaches the etcd storage layer. This document describes how to encrypt Secrets in a Kubernetes cluster via KMS.
Key Management Service (KMS) is a security management solution that uses a third-party certified hardware security module (HSM) to generate and protect keys, so that you can easily create and manage keys and meet your key management and compliance needs in multi-application and multi-business scenarios.
You have created a TKE self-deployed cluster that meets the following condition:
- Kubernetes v1.10.0 or later.
Note: To check the version, go to the Cluster Management page, select the cluster ID to open the Basic Information page, and view the Kubernetes version there.
Create a KMS key. The key name can contain `_` and `-` and cannot begin with `KMS-`. In this document, `tke-kms` is used as an example. After the key is created, obtain and record its key ID; it is needed when deploying the plugin.
Create an access key and record the SecretId and SecretKey displayed on the Manage API Key page when the creation completes. See the figure below:
Note: If you have already created an access key, skip this step.
Deploy the TKE-KMS plugin on the master nodes. Create the file `tke-kms-plugin.yaml` with the following content:
Note: Fill in the following parameters according to your actual environment:
- `{{REGION}}`: the region where the KMS key resides. See Region List for the valid values.
- `{{KEY_ID}}`: the KMS key ID obtained in the step of creating the KMS key.
- `{{SECRET_ID}}` and `{{SECRET_KEY}}`: the SecretId and SecretKey obtained in the step of creating the access key. They are stored in plaintext in the DaemonSet spec (as container env values) and are therefore readable by anyone who can get the DaemonSet or its Pods in kube-system. Use a dedicated access key that is granted only the KMS permissions this plugin needs on this key, and restrict who can read objects in kube-system.
- `image: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0`: the tke-kms-plugin image address. Replace it if you use a self-built tke-kms-plugin image.
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tke-kms-plugin
  namespace: kube-system
spec:
  selector:
    matchLabels:
      name: tke-kms-plugin
  template:
    metadata:
      labels:
        name: tke-kms-plugin
    spec:
      # Run one plugin instance on every master node, next to kube-apiserver.
      nodeSelector:
        node-role.kubernetes.io/master: "true"
      hostNetwork: true
      restartPolicy: Always
      volumes:
        # Host directory shared with kube-apiserver; the plugin's unix socket lives here.
        - name: tke-kms-plugin-dir
          hostPath:
            path: /var/run/tke-kms-plugin
            type: DirectoryOrCreate
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      containers:
        - name: tke-kms-plugin
          image: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0
          command:
            - /tke-kms-plugin
            - --region={{REGION}}
            - --key-id={{KEY_ID}}
            - --unix-socket=/var/run/tke-kms-plugin/server.sock
            - --v=2
          livenessProbe:
            exec:
              command:
                - /tke-kms-plugin
                - health-check
                - --unix-socket=/var/run/tke-kms-plugin/server.sock
            initialDelaySeconds: 5
            failureThreshold: 3
            timeoutSeconds: 5
            periodSeconds: 30
          env:
            - name: SECRET_ID
              value: "{{SECRET_ID}}"
            - name: SECRET_KEY
              value: "{{SECRET_KEY}}"
          volumeMounts:
            - name: tke-kms-plugin-dir
              mountPath: /var/run/tke-kms-plugin
              readOnly: false
```
Apply the file to the cluster (for example with `kubectl apply -f tke-kms-plugin.yaml`) and confirm that a tke-kms-plugin Pod is running on every master node. Then log in to each master node to configure kube-apiserver.
Note: The master node security group closes port 22 by default. Open port 22 in the security group before logging in to the node. For more information, see Adding a Security Group Rule.
Create the encryption provider configuration file on the master node:

```shell
vim /etc/kubernetes/encryption-provider-config.yaml
```

For Kubernetes v1.13 and later, use the following content:

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: tke-kms-plugin
          timeout: 3s
          cachesize: 1000
          endpoint: unix:///var/run/tke-kms-plugin/server.sock
      - identity: {}
```

For Kubernetes v1.10 to v1.12, the configuration uses the older API version and kind instead:

```yaml
apiVersion: v1
kind: EncryptionConfig
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: tke-kms-plugin
          timeout: 3s
          cachesize: 1000
          endpoint: unix:///var/run/tke-kms-plugin/server.sock
      - identity: {}
```

The order of the providers matters. The first provider (`kms`) is used to encrypt every Secret written from now on, while all listed providers are tried when reading, so the trailing `identity: {}` entry only allows kube-apiserver to keep reading Secrets that were stored in plaintext before encryption was enabled. Those existing Secrets remain unencrypted in etcd until they are rewritten.
Edit the kube-apiserver static Pod manifest:

```shell
vi /etc/kubernetes/manifests/kube-apiserver.yaml
```

Add the encryption provider flag to the kube-apiserver `args` according to the Kubernetes version you actually use.
Note: On a self-deployed cluster running Kubernetes v1.10.5, move `kube-apiserver.yaml` out of the `/etc/kubernetes/manifests` directory before editing it and move it back after you have finished, so that kubelet does not restart kube-apiserver with a half-edited manifest.
For Kubernetes v1.13 and later:

```
--encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml
```

For Kubernetes v1.10 to v1.12:

```
--experimental-encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml
```

kube-apiserver also needs access to the plugin socket `/var/run/tke-kms-plugin/server.sock`, so the host directory must be mounted into the kube-apiserver container. The location and content to add are as follows:
Note: `/var/run/tke-kms-plugin/server.sock` is the unix socket that the tke kms server listens on when it is launched. kube-apiserver accesses the tke kms server through this socket.
Add the following under `volumeMounts` of the kube-apiserver container:

```yaml
volumeMounts:
  - mountPath: /var/run/tke-kms-plugin
    name: tke-kms-plugin-dir
```

Add the following under `volumes`:

```yaml
volumes:
  - hostPath:
      path: /var/run/tke-kms-plugin
    name: tke-kms-plugin-dir
```
Save the `/etc/kubernetes/manifests/kube-apiserver.yaml` file and wait for kube-apiserver to restart.
Verify the configuration by creating a Secret and reading it back:

```shell
kubectl create secret generic kms-secret -n default --from-literal=mykey=mydata
kubectl get secret kms-secret -o=jsonpath='{.data.mykey}' | base64 -d
```

If the output is `mydata`, i.e. equal to the value stored in the Secret, the Secret has been decrypted correctly. See the figure below:
Note that this check only confirms that kube-apiserver can read the Secret back; it also passes when the `identity` provider is serving plaintext. To confirm that the Secret is actually encrypted at rest, inspect the raw value stored in etcd.
For more information about Kubernetes KMS, see Using a KMS provider for data encryption.
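The following script is added here as a worked example of that at-rest check; it is not part of the Tencent Cloud document or the tke-kms-plugin project. It reads the raw stored value of a Secret straight from etcd and checks for the `k8s:enc:kms:v1:tke-kms-plugin:` prefix that kube-apiserver writes in front of data encrypted by a KMS provider (a value that still starts with the plain protobuf marker was stored by the `identity` provider), and it includes the `kubectl replace` pass that re-encrypts Secrets created before the provider was enabled. The etcd endpoint, the certificate paths under `/etc/kubernetes/pki/etcd/`, the `RUN_LIVE_CHECK` switch and the sample bytes used in the classifier's documentation are assumptions of this example; adjust them to your cluster.

```shell
#!/bin/sh
# Added example: verify that Secrets are really encrypted at rest after enabling the
# tke-kms-plugin KMS provider, and re-encrypt Secrets written before it was enabled.
# Not part of the Tencent Cloud document or the tke-kms-plugin project.
# Assumptions (adjust for your cluster): etcd listens on https://127.0.0.1:2379 on the
# master node and its client certificates live under /etc/kubernetes/pki/etcd/.
set -eu

ETCD_ENDPOINT=${ETCD_ENDPOINT:-https://127.0.0.1:2379}
ETCD_CA=${ETCD_CA:-/etc/kubernetes/pki/etcd/ca.crt}
ETCD_CERT=${ETCD_CERT:-/etc/kubernetes/pki/etcd/server.crt}
ETCD_KEY=${ETCD_KEY:-/etc/kubernetes/pki/etcd/server.key}
PROVIDER_NAME=${PROVIDER_NAME:-tke-kms-plugin}   # the "name:" field of the kms provider

# Fetch the raw stored value of a Secret from etcd into a file.
# kube-apiserver stores Secrets under /registry/secrets/<namespace>/<name>.
fetch_secret_from_etcd() {
  namespace=$1 name=$2 out=$3
  ETCDCTL_API=3 etcdctl --endpoints="$ETCD_ENDPOINT" \
    --cacert="$ETCD_CA" --cert="$ETCD_CERT" --key="$ETCD_KEY" \
    get "/registry/secrets/$namespace/$name" --print-value-only > "$out"
}

# Classify a raw etcd value held in a file. kube-apiserver prefixes values written
# by a KMS provider with "k8s:enc:kms:v1:<provider-name>:"; other encryption
# providers use "k8s:enc:<provider>:v1:<key-name>:"; anything else (protobuf
# starting with "k8s\0") was stored by the identity provider, i.e. in plaintext.
# Prints "kms:<provider-name>", "other:<provider>" or "plaintext".
classify_etcd_value() {
  file=$1
  # Only the leading bytes matter; drop NUL bytes so the shell can hold the string.
  lead=$(LC_ALL=C head -c 64 "$file" | LC_ALL=C tr -d '\000')
  case $lead in
    k8s:enc:kms:v1:*)
      rest=${lead#k8s:enc:kms:v1:}
      printf 'kms:%s\n' "${rest%%:*}" ;;
    k8s:enc:*)
      rest=${lead#k8s:enc:}
      printf 'other:%s\n' "${rest%%:*}" ;;
    *)
      printf 'plaintext\n' ;;
  esac
}

# Return 0 if the Secret is encrypted by the expected KMS provider, 1 otherwise.
secret_encrypted_by_kms() {
  namespace=$1 name=$2
  tmp=$(mktemp)
  fetch_secret_from_etcd "$namespace" "$name" "$tmp"
  result=$(classify_etcd_value "$tmp")
  rm -f "$tmp"
  echo "$namespace/$name: $result"
  [ "$result" = "kms:$PROVIDER_NAME" ]
}

# Secrets created before the provider was enabled stay in plaintext until rewritten.
# Reading and replacing every Secret makes kube-apiserver re-encrypt it with kms.
reencrypt_existing_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# Live check against the cluster, only when explicitly requested
# (needs etcdctl and kubectl on a master node).
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
  kubectl create secret generic kms-secret -n default --from-literal=mykey=mydata >/dev/null 2>&1 || true
  secret_encrypted_by_kms default kms-secret
fi
```

Run it on a master node with `RUN_LIVE_CHECK=1 sh verify-kms.sh`. A result of `plaintext` for a Secret created after the provider was enabled means kube-apiserver is not using the encryption configuration (check the flag and the socket mount); `plaintext` for Secrets that predate the change is expected until `reencrypt_existing_secrets` has been run.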