- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Quick Start
- User Guide
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Kubernetes API Operation Guide
- Open Source Components
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- TKE-Optimized Series Images
- Creating a Cluster
- Deleting a Cluster
- Cluster Scaling
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Enabling GPU Scheduling for a Cluster
- CVM Container Cluster Network
- Custom Kubernetes Component Launch Parameters
- Node Management
- Node Pool Management
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- Job Management
- CronJob Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- Virtual Node Management
- Service Management
- Ingress Management
- Storage Management
- Add-On Management
- Helm Application
- Network Management
- Application Market
- OPS Center
- Remote Terminals
- Elastic Cluster Guide
- Edge Cluster Guide
- Best Practices
- Cluster
- Cluster Migration
- EKS Cluster
- Security
- Service Deployment
- Network
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Using NodeLocal DNS Cache in a TKE Cluster
- Nginx Ingress High-Concurrency Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Implementing Custom Domain Name Resolution in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Using cert-manager to Issue Free Certificates
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Customizing RBAC Authorization in TKE
- DevOps
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Storage
- Containerization
- Cost Management
- Permission Management
- Overview
- Description of Role Permissions Related to Service Authorization
- TKE Image Registry Resource-level Permission Settings
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Fault Handling
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Cluster APIs
- DescribeClusterKubeconfig
- DescribeClusters
- CreateCluster
- DescribeClusterSecurity
- DeleteCluster
- ModifyClusterEndpointSP
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpointStatus
- DeleteClusterEndpointVip
- DeleteClusterEndpoint
- CreateClusterEndpointVip
- CreateClusterEndpoint
- ModifyClusterAttribute
- AcquireClusterAdminRole
- UpgradeClusterInstances
- UpdateClusterVersion
- GetUpgradeInstanceProgress
- DescribeAvailableClusterVersion
- DescribeClusterCommonNames
- Node APIs
- Network APIs
- Scaling group APIs
- Cloud Native Monitoring APIs
- Node Pool APIs
- DescribeClusterAsGroupOption
- RemoveNodeFromNodePool
- ModifyClusterNodePool
- DescribeClusterNodePools
- DescribeClusterNodePoolDetail
- DeleteClusterNodePool
- CreateClusterNodePoolFromExistingAsg
- CreateClusterNodePool
- AddNodeToNodePool
- ModifyClusterAsGroupOptionAttribute
- SetNodePoolNodeProtection
- ModifyNodePoolInstanceTypes
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- User Guide(Old)
- Service Level Agreement
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Quick Start
- User Guide
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Kubernetes API Operation Guide
- Open Source Components
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- TKE-Optimized Series Images
- Creating a Cluster
- Deleting a Cluster
- Cluster Scaling
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Enabling GPU Scheduling for a Cluster
- CVM Container Cluster Network
- Custom Kubernetes Component Launch Parameters
- Node Management
- Node Pool Management
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- Job Management
- CronJob Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- Virtual Node Management
- Service Management
- Ingress Management
- Storage Management
- Add-On Management
- Helm Application
- Network Management
- Application Market
- OPS Center
- Remote Terminals
- Elastic Cluster Guide
- Edge Cluster Guide
- Best Practices
- Cluster
- Cluster Migration
- EKS Cluster
- Security
- Service Deployment
- Network
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Using NodeLocal DNS Cache in a TKE Cluster
- Nginx Ingress High-Concurrency Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Implementing Custom Domain Name Resolution in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Using cert-manager to Issue Free Certificates
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Customizing RBAC Authorization in TKE
- DevOps
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Storage
- Containerization
- Cost Management
- Permission Management
- Overview
- Description of Role Permissions Related to Service Authorization
- TKE Image Registry Resource-level Permission Settings
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Fault Handling
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Cluster APIs
- DescribeClusterKubeconfig
- DescribeClusters
- CreateCluster
- DescribeClusterSecurity
- DeleteCluster
- ModifyClusterEndpointSP
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpointStatus
- DeleteClusterEndpointVip
- DeleteClusterEndpoint
- CreateClusterEndpointVip
- CreateClusterEndpoint
- ModifyClusterAttribute
- AcquireClusterAdminRole
- UpgradeClusterInstances
- UpdateClusterVersion
- GetUpgradeInstanceProgress
- DescribeAvailableClusterVersion
- DescribeClusterCommonNames
- Node APIs
- Network APIs
- Scaling group APIs
- Cloud Native Monitoring APIs
- Node Pool APIs
- DescribeClusterAsGroupOption
- RemoveNodeFromNodePool
- ModifyClusterNodePool
- DescribeClusterNodePools
- DescribeClusterNodePoolDetail
- DeleteClusterNodePool
- CreateClusterNodePoolFromExistingAsg
- CreateClusterNodePool
- AddNodeToNodePool
- ModifyClusterAsGroupOptionAttribute
- SetNodePoolNodeProtection
- ModifyNodePoolInstanceTypes
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- User Guide(Old)
- Service Level Agreement
- Glossary
Using KMS for Kubernetes Data Source Encryption
Last updated: 2020-11-13 16:04:48
Introduction
The TKE-KMS plugin integrates a wide range of key management features of the Key Management Service (KMS) to provide strong secret encryption or decryption for a Kubernetes cluster. This document describes how to use KMS to encrypt Kubernetes cluster data.
Basic Concepts
KMS
Tencent Cloud KMS is a security management solution that leverages a third-party certified hardware security module (HSM) to generate and protect keys so that you can easily create and manage keys to meet your key management and compliance needs in multi-application and multi-business scenarios.
Prerequisites
You have created independently deployed clusters in TKE that meet the following conditions:
- The Kubernetes version is 1.10.0 or later.
- The Etcd version is 3.0 or later.
To check the version, go to the "Cluster Management" page and select a cluster ID to go to the cluster’s basic information page.
Directions
Creating a KMS key and obtaining the ID
- Log in to the KMS console and go to the "Customer Managed CMK" page.
- At the top of the page, select a region in which to create a key and click Create.
- In the pop-up "Create Key" window, configure parameters, as shown below:
The following describes the main parameters. Retain the default settings for other parameters.- Key Name: this field is required and uniquely identifies a key in a region. A key name can only contain letters, digits, underscores (
_), and hyphens (-) and cannot start withKMS-.tke-kmsis used as an example in this document. - Description: this field is optional and used to specify the type of data to be protected, or the application to be used in conjunction with the CMK.
- Key Usage: select "Symmetric Encryption/Decryption".
- Key Material Source: you can select "KMS" or "External" based on actual requirements. In this document, "KMS" is used as an example.
- Key Name: this field is required and uniquely identifies a key in a region. A key name can only contain letters, digits, underscores (
- Click OK to return to the "Customer Managed CMK" page. The created key will appear.
- Click the key ID to enter the key information page and record the complete key ID, as shown below:
Creating and obtaining the access key
If an access key has been created, skip this step.
- Log in to the CAM Console. Click Access Key and then click API Keys on the left sidebar to go to the Manage API Key page.
- On the "API Key Management" page, click Create Key and wait until the key is created.
- Then, you can view the key information, including
SecretIdandSecretKey, as shown below:
Creating a DaemonSet workload and deploying the TKE-KMS plugin
- Log in to the TKE console and click Clusters in the left sidebar.
- On the "Cluster Management" page, click the ID of a cluster that meets the requirements to go to the cluster details page.
- Click Create using YAML in the upper right corner to go to the "Create using YAML" page. Enter
tke-kms-plugin.yaml, as shown below:Modify the following parameters based on actual requirements:
{{REGION}}: the region where the KMS key resides. Values includeap-beijing,ap-guangzhou, andap-shanghai.{{KEY_ID}}: enter the KMS key ID obtained in Creating a KMS key and obtaining the key ID.{{SECRET_ID}}and{{SECRET_KEY}}: enter the SecretID and SecretKey created in Creating and obtaining the access key.images: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0: the tke-kms-plugin image address. If you want to use your own tke-kms-plugin image, change the image address to that of your own image.
apiVersion: apps/v1 kind: DaemonSet metadata: name: tke-kms-plugin namespace: kube-system spec: selector: matchLabels: name: tke-kms-plugin template: metadata: labels: name: tke-kms-plugin spec: nodeSelector: node-role.kubernetes.io/master: "true" hostNetwork: true restartPolicy: Always volumes: - name: tke-kms-plugin-dir hostPath: path: /var/run/tke-kms-plugin type: DirectoryOrCreate tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule containers: - name: tke-kms-plugin image: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0 command: - /tke-kms-plugin - --region={{REGION}} - --key-id={{KEY_ID}} - --unix-socket=/var/run/tke-kms-plugin/server.sock - --v=2 livenessProbe: exec: command: - /tke-kms-plugin - health-check - --unix-socket=/var/run/tke-kms-plugin/server.sock initialDelaySeconds: 5 failureThreshold: 3 timeoutSeconds: 5 periodSeconds: 30 env: - name: SECRET_ID value: {{SECRET_ID}} - name: SECRET_KEY value: {{SECRET_KEY}} volumeMounts: - name: tke-kms-plugin-dir mountPath: /var/run/tke-kms-plugin readOnly: false - Click Complete and wait until the DaemonSet workload is successfully created.
Configuring kube-apiserver
- Log in to each Master node of the cluster by referring to Log into Linux Instance Using Standard Login Method.
The security group of the Master node disables port 22 by default. Before logging in to the node, go to the security group page and enable port 22. For more information, see Adding Security Group Rules.
- Run the following command to create and open a YAML file:
vim /etc/kubernetes/encryption-provider-config.yaml - Press i to switch to the editing mode and edit the preceding YAML file. Based on the Kubernetes version used, enter the following content:
- K8s v1.13+:
apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - resources: - secrets providers: - kms: name: tke-kms-plugin timeout: 3s cachesize: 1000 endpoint: unix:///var/run/tke-kms-plugin/server.sock - identity: {} - K8s v1.10 - v1.12:
apiVersion: v1 kind: EncryptionConfig resources: - resources: - secrets providers: - kms: name: tke-kms-plugin timeout: 3s cachesize: 1000 endpoint: unix:///var/run/tke-kms-plugin/server.sock - identity: {}
- K8s v1.13+:
- After editing, press Esc and enter :wq to save the file and go back.
- Run the following command to edit the YAML file:
vi /etc/kubernetes/manifests/kube-apiserver.yaml - Press i to switch to the editing mode. Based on the Kubernetes version used, add the following content to
args:For independently deployed clusters of Kubernetes v1.10.5, you need to first remove
kube-apiserver.yamlfrom the/etc/kubernetes/manifestsdirectory and add it after editing is complete.- K8s v1.13+:
--encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml- K8s v1.10 - v1.12:
--experimental-encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml- Add the Volume command for
/var/run/tke-kms-plugin/server.sock. The position and content of the added command are as follows:
Add the following content for/var/run/tke-kms-plugin/server.sockis a Unix socket monitored when the TKE KMS server is started. kube apiserver will access the TKE KMS server through the socket.volumeMounts::
- mountPath: /var/run/tke-kms-plugin
name: tke-kms-plugin-dir
Add the following content for volume::
- hostPath:
path: /var/run/tke-kms-plugin
name: tke-kms-plugin-dir
- After you finish editing, press Esc, enter :wq, save the
/etc/kubernetes/manifests/kube-apiserver.yamlfile, and wait for kube-apiserver to restart.
Verification
- Log in to a cluster node and run the following command to create a secret:
kubectl create secret generic kms-secret -n default --from-literal=mykey=mydata - Run the following command to check whether the secret was correctly decrypted:
kubectl get secret kms-secret -o=jsonpath='{.data.mykey}' | base64 -d - If
mydataappears, the secret was correctly decrypted, as shown below:
Reference
For more information about Kubernetes KMS, see Using a KMS provider for data encryption.
Yes
No
Was this page helpful?