Use KMS to encrypt Kubernetes Secrets - Container Service for Kubernetes

In ACK Serverless Pro clusters, you can use keys that are created in Key Management Service (KMS) to encrypt Kubernetes Secrets. This reduces the risk of information leakage. This topic describes how to use a key that is managed by KMS to encrypt Secrets for an existing ACK Serverless Pro cluster.

Prerequisites
Limits
Secret encryption
Enable Secret encryption for an existing ACK Serverless Pro cluster
Use automatic key rotation to encrypt Secrets
FAQ

Prerequisites

Item

Description

KMS key

A KMS key is created in the KMS console. The key belongs to the region where your ACK Serverless Pro cluster resides.

ACK Serverless Pro clusters support default keys, software-protected keys, and hardware-protected keys. For more information about the key management feature of KMS, see Getting started with Key Management. For more information about KMS billing, see Billing.

Important

After you enable Secret encryption, do not use the KMS API or the KMS console to disable or delete the key that is used to encrypt and decrypt Secrets, or create a schedule to delete the key. Otherwise, the API server becomes unavailable and cannot retrieve Secrets or service account objects. As a result, service interruptions occur.

Authorization

The following requirements must be met:

If you use an Alibaba Cloud account, the account must be authorized to assume the AliyunCSManagedSecurityRole role. Otherwise, the Container Service for Kubernetes (ACK) console prompts you to perform the authorization when you enable Secret encryption. You can follow the instructions in the console to complete the authorization or go to the Cloud Resource Access Authorization page and complete the authorization.
If you use a Resource Access Management (RAM) user or RAM role:
- The RAM user or RAM role must be granted administrator or O&M engineer permissions on the ACK Serverless Pro cluster. For more information, see Grant RBAC permissions to RAM users or RAM roles.
- The RAM user or RAM role must be attached with the AliyunKMSCryptoAdminAccess policy. For more information, see Grant permissions to a RAM user or RAM role.

Limits

Secret encryption can be enabled only for existing ACK Serverless Pro clusters. This feature cannot be enabled when you create ACK Serverless Pro clusters.

Overview of Secret encryption

Kubernetes Secrets are used to store and manage sensitive data, such as the passwords of applications, Transport Layer Security (TLS) certificates, and credentials to download Docker images. Kubernetes stores Secrets in etcd of a cluster. For more information, see Secrets.

ACK Serverless Pro cluster allow you to use a key created in KMS to encrypt Secrets. The KMS provider mechanism of Kubernetes is used during encryption. A KMS provider uses envelope encryption to encrypt and decrypt Secrets that are stored in etcd. Procedures for Secret encryption and decryption:

When you use a Kubernetes Secret to store a password, the API server generates a random data encryption key (DEK) to encrypt the Secret. Then, the API server sends the DEK to KMS. KMS uses the specified key to encrypt the DEK and returns the encrypted DEK to the API server. The API server then stores the encrypted Secret and DEK in etcd.
When you decrypt the Kubernetes Secret, the system calls the Decrypt operation of KMS to decrypt the DEK first. Then, the system uses the plaintext DEK to decrypt the Kubernetes Secret and returns the decrypted Secret.

For more information, see The KMS provider and Use envelope encryption.

Enable Secret encryption for an existing ACK Serverless Pro cluster

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the ACK Serverless Pro cluster for which you want to enable Secret encryption. On the details page of the cluster, click the Basic Information tab. In the Basic Information section, turn on Secret Encryption.
In the dialog box that appears, select the key that you created and click OK.
On the Clusters page, if the status of the cluster changes from Updating to Running, the Secret encryption feature is enabled for the cluster.
If the Secret encryption feature is no longer required, you can turn off Secret Encryption in the Basic Information section.

Use automatic key rotation to encrypt Secrets

You can use the automatic key rotation feature provided by KMS to encrypt Secrets. During a key rotation, the system uses the original key to encrypt existing Secrets and uses the new key to encrypt new Secrets. For more information about automatic key rotation, see Configure key rotation.

To force the system to use the new key to encrypt existing Secrets, run the following command after the key is rotated:

kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - encryption-key-rotation-time="$(date -u +'%Y-%m-%dT%H:%M:%S%z')"

FAQ

After Secret encryption is enabled, is ciphertext returned if I use kubectl to query a Secret?

No. After Secret encryption is enabled, plaintext is returned if you use kubectl to query a Secret. The Secret encryption feature encrypts the Secrets that are stored in etcd. After you enable Secret encryption, Secrets are stored in etcd as ciphertext. However, if you use a kubectl client to query a Secret by calling the Secret API provided by the API server of the cluster, plaintext is returned for the Secret.

How do I prohibit RAM users or RAM roles from enabling or disabling the Secret encryption feature for existing ACK Serverless Pro clusters?

To prohibit RAM users or RAM roles from enabling or disabling the Secret encryption feature for existing ACK Serverless Pro clusters, attach the following policy to the RAM users or RAM roles. For more information, see Create a custom RAM policy.

  {
      "Action": [
          "cs:UpdateKMSEncryption"
      ],
      "Effect": "Deny",
      "Resource": [
          "*"
      ]
  }

Container Service for Kubernetes:Use KMS to encrypt Kubernetes Secrets

Table of contents