This topic describes how to use keys created in Key Management Service (KMS) to encrypt Secrets in clusters of Alibaba Cloud Container Service for Kubernetes (ACK) Pro.

Prerequisites

  • A customer master key (CMK) is created in the KMS console. For more information, see Manage CMKs.
    Note ACK Pro clusters support only CMKs of the Aliyun_AES_256 type and do not support automatic rotation of CMKs.
  • The current account must be granted the permissions to assume the AliyunCSManagedSecurityRole role. When you enable Kubernetes Secret encryption for a new or existing ACK Pro cluster with an unauthorized account, you are prompted to authorize the account first.
  • If the current account is a RAM user, it must be granted the AliyunKMSCryptoAdminAccess permission. For more information, see Grant permissions to a RAM user.

Background information

Kubernetes Secrets are used to store and manage sensitive data, such as application passwords, Transport Layer Security (TLS) certificates, and credentials for pulling Docker images. Kubernetes stores Secrets in the etcd of the cluster.

You can use CMKs to encrypt the data encryption keys (DEKs) of Kubernetes Secrets in ACK Pro clusters. The encryption is based on the KMS Encryption Provider mechanism provided by Kubernetes. This mechanism uses envelope encryption to encrypt and decrypt Kubernetes Secrets that are stored in etcd. For more information, see What is envelope encryption? The following content describes how a Kubernetes Secret is encrypted and decrypted.
  • When you store a password in a Kubernetes Secret, the API server generates a random DEK and uses it to encrypt the Secret. The API server then sends the DEK to KMS. KMS encrypts the DEK with the specified CMK and returns the encrypted DEK to the API server. The API server stores the encrypted Secret together with the encrypted DEK in etcd.
  • When the Kubernetes Secret is read, the system calls the Decrypt API operation of KMS to decrypt the DEK. The system then uses the decrypted DEK to decrypt the Kubernetes Secret and returns the password.
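The write and read paths above, as an added Go example that is not ACK or KMS code: FakeKMS is a constructed in-process stand-in for the KMS Encrypt and Decrypt operations (a real cluster calls the KMS service over the network), the 32-byte CMK mirrors the Aliyun_AES_256 key type, and Envelope is the record the API server would store in etcd.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// aead returns AES-256-GCM; every key in this program is a 32-byte key.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // only fails on a wrong key length
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return g
}
// seal encrypts pt under key, prepending the random nonce to the output.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
// open reverses seal; the GCM tag makes any edit to nonce or ciphertext fail.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// FakeKMS (constructed) stands in for KMS: it holds the CMK and only wraps or unwraps DEKs.
type FakeKMS struct{ cmk []byte }
func NewFakeKMS(cmk []byte) *FakeKMS                       { return &FakeKMS{cmk: cmk} }
func (k *FakeKMS) Encrypt(dek []byte) []byte               { return seal(k.cmk, dek) }
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.cmk, wrapped) }
// Envelope is what lands in etcd: the CMK-wrapped DEK beside the DEK-encrypted Secret.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
// EncryptSecret is the write path: fresh DEK, encrypt the Secret, have KMS wrap the DEK.
func EncryptSecret(kms *FakeKMS, secret []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{WrappedDEK: kms.Encrypt(dek), Ciphertext: seal(dek, secret)}
}
// DecryptSecret is the read path: KMS Decrypt unwraps the DEK, then the DEK opens the Secret.
func DecryptSecret(kms *FakeKMS, env Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
```

Decryption fails if the wrapped DEK is presented to a different CMK or if the stored record is altered, which is why a copy of the etcd record alone does not recover the Secret.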

Enable Kubernetes Secret encryption when you create an ACK Pro cluster

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. In the upper-right corner of the page, click Create Kubernetes Cluster. On the Select Cluster Template page, select Professional Managed Cluster (Preview) and click Create.
  4. On the ACK managed edition tab, find the Secret Encryption section, select the Select Key check box, and then select the CMK from the drop-down list. For more information about how to set parameters to create an ACK Pro cluster, see Create a professional managed cluster.
    To verify that the feature is enabled, log on to the ActionTrail console. In the left-side navigation pane, click History Search. On the History Search page, check whether encryption or decryption events with the aliyuncsmanagedsecurityrole role exist. If these events exist, the Secret encryption feature is enabled.

Enable Kubernetes Secret encryption for an existing ACK Pro cluster

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. On the Clusters page, click the name of the target ACK Pro cluster.
  4. Click the Basic Information tab. In the Basic Information section, turn on the Secret Encryption switch.
    Note Make sure that the current account has the Role-Based Access Control (RBAC) administrator and O&M engineer permissions. For more information, see Configure RBAC permissions for RAM users.
    If the status of the cluster changes from Updating to Running, this indicates that the Secret encryption feature is enabled for the cluster.

Disable Kubernetes Secret encryption for an existing ACK Pro cluster

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. On the Clusters page, click the name of the target ACK Pro cluster.
  4. Click the Basic Information tab. In the Basic Information section, turn off the Secret Encryption switch.
    Note Make sure that the current account has the RBAC administrator and O&M engineer permissions. For more information, see Configure RBAC permissions for RAM users.
    If the status of the cluster changes from Updating to Running, this indicates that the Secret encryption feature is disabled for the cluster.