Container Service for Kubernetes:Encrypting secrets at rest in an ACK Edge cluster with Alibaba Cloud KMS

Last Updated:Jun 20, 2026

In an ACK Edge Pro cluster, you can use keys from Alibaba Cloud Key Management Service (KMS) to encrypt Kubernetes Secrets, which enhances the protection of your sensitive data. This topic describes how to use keys managed in KMS to encrypt data in Kubernetes Secrets at rest in an ACK Edge Pro cluster.

Prerequisites

KMS key

You have created a KMS key in the Key Management Service console, and the key is in the same region as the target ACK Pro cluster.

ACK Pro clusters support default keys, software keys, and hardware keys. You can select a key type. For more information about key management and related operations, see Key management quick start. For details about KMS billing, see billing.

Important

After you enable encryption at rest, do not use the KMS console or API to disable or delete the key that is used for secret encryption and decryption. Otherwise, the cluster API server becomes unavailable. As a result, you cannot retrieve objects such as secrets and ServiceAccounts, which disrupts your applications.

Cluster network ACL rules

When encryption at rest is enabled, the KMS plug-in on the control plane must access Alibaba Cloud KMS APIs to encrypt and decrypt secrets. To allow this, you must add rules that permit traffic to the 100.64.0.0/10 CIDR block, which is reserved for Alibaba Cloud services. Make sure that the outbound rules of your security group and the inbound and outbound rules of your VPC network ACL allow this traffic. Otherwise, the cluster control plane may become unavailable. For more information, see basic security group.

Authorization

Make sure that the required permissions are granted based on your account type.

Secret encryption

In a Kubernetes cluster, sensitive information for applications, such as passwords, TLS certificates, and Docker image credentials, is typically stored and managed by using secret objects. Kubernetes stores all secret object data in the cluster's etcd database. For more information about secrets, see Secrets.

In an ACK Edge Pro cluster, you can use a key created in KMS to encrypt Kubernetes Secret keys. The KMS encryption process is based on the KMS Encryption Provider mechanism provided by Kubernetes and uses envelope encryption to automatically encrypt and decrypt Kubernetes Secret keys stored in etcd. The process of encrypting and decrypting Kubernetes Secret keys is as follows.

  1. When you store a secret by using the Kubernetes Secret API, the API server encrypts the secret with a new data encryption key (DEK). The API server then uses the specified KMS key to encrypt the DEK. Finally, the encrypted secret and the encrypted DEK are stored together in etcd.

  2. When you retrieve a Kubernetes secret, the API server calls the KMS Decrypt API to decrypt the DEK. The API server then uses the plaintext DEK to decrypt the secret data and returns the plaintext secret.

For more information, see KMS Encryption Provider mechanism and Use a KMS key for envelope encryption.

Enable Secret encryption at rest in an ACK Edge Pro cluster

New clusters

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click Create Kubernetes Cluster in the upper-right corner.

  3. Click the ACK Edge tab. At the bottom of the page, expand Advanced Options (Optional), find Secret Encryption, select Select Key, and then select a KMS key ID from the drop-down list.

    If you do not have a KMS key, click Create Key to go to the KMS console and create one. For more information, see Create a key.

    For information about other parameters for creating an ACK Edge Pro cluster, see Create a cluster.

    To verify that secret encryption is enabled, log on to the ActionTrail console. In the left-side navigation pane, click Cluster Events Query. On the Cluster Events Query page, check for encryption and decryption events that use the aliyuncsmanagedsecurityrole system role. The presence of these events confirms that the feature is active.

Existing clusters

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of the target cluster. On the cluster details page, click the Basic Information tab. In the Security and Auditing section, turn on the Secret Encryption switch.

    The first time you enable this feature, you are prompted to grant permissions. Click Go to RAM console. On the Cloud Resource Access Authorization page for Resource Access Management (RAM), click Confirm.

    Note
    • To enable encryption at rest, make sure the logged-in RAM user or RAM role has RBAC administrator or O&M permissions on the cluster. For more information, see Authorize resources in a cluster by using RBAC.

    • To grant permissions to the AliyunCSManagedSecurityRole role, make sure you are logged in with an Alibaba Cloud account or a RAM user or RAM role that has RAM management permissions.

  3. In the Secret Encryption dialog box, select an existing KMS key and click OK.

    If you do not have a KMS key, click Create Key to go to the Key Management Service console and create a key. For more information, see Create a key.

    When the cluster status changes from Updating to Running, secret encryption at rest is enabled for the cluster.

    If you no longer need this feature, turn off the Secret Encryption switch in the Security and Auditing section.

Automatic key rotation

You can use the automatic key rotation feature of KMS to encrypt secrets at rest. When a key is automatically rotated, existing secrets remain encrypted with the previous key version. New secrets are encrypted with the new key version. For more information about automatic key rotation, see Key rotation.

To ensure that existing secrets are also encrypted with the new key version, run the following command to re-encrypt all existing secrets after the key is automatically rotated.

kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - encryption-key-rotation-time="$(date -u +'%Y-%m-%dT%H:%M:%S%z')"
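The envelope-encryption flow described in Secret encryption above, and the effect of the rotation command on existing Secrets, as an added example that is not Alibaba Cloud's or Kubernetes' own code. It assumes a hypothetical FakeKMS (a versioned key whose encrypt/decrypt stand in for the KMS Encrypt and Decrypt APIs), an EtcdStore model whose rewrite_all plays the role of the kubectl annotate command, and an HMAC-based toy AEAD (aead_encrypt/aead_decrypt) in place of AES-GCM so the block runs with the standard library only.

```python
import hashlib, hmac, os
NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a standard-library stand-in
    # for AES-GCM so the block runs offline; not a production cipher.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def aead_encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def aead_decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKMS:
    """Hypothetical versioned KMS key: Encrypt wraps with the current version, Decrypt unwraps with any."""
    def __init__(self):
        self.versions = [os.urandom(32)]
    def rotate(self):
        self.versions.append(os.urandom(32))  # old versions remain usable for Decrypt
    def encrypt(self, dek):
        v = len(self.versions) - 1
        return v, aead_encrypt(self.versions[v], dek)
    def decrypt(self, version, wrapped_dek):
        return aead_decrypt(self.versions[version], wrapped_dek)

class EtcdStore:
    """Model of envelope encryption as the API server's KMS provider performs it."""
    def __init__(self, kms):
        self.kms, self.rows = kms, {}
    def put(self, name, plaintext):
        dek = os.urandom(32)                      # fresh DEK for every write
        version, wrapped = self.kms.encrypt(dek)  # DEK wrapped by the KMS key
        self.rows[name] = (version, wrapped, aead_encrypt(dek, plaintext))  # etcd row
    def get(self, name):
        version, wrapped, ct = self.rows[name]
        return aead_decrypt(self.kms.decrypt(version, wrapped), ct)
    def key_version(self, name):
        return self.rows[name][0]
    def rewrite_all(self):
        # What `kubectl annotate --overwrite` achieves: every Secret is written again,
        # so each one is re-enveloped under the current key version.
        for name in list(self.rows):
            self.put(name, self.get(name))
```

After a rotate, existing rows still carry the old key version until they are rewritten, which is why the page recommends the annotate command; the stored row never contains the plaintext, matching the FAQ answer below.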

FAQ

Are secrets retrieved with kubectl encrypted?

No. Encryption at rest encrypts the raw secret data in etcd, which is then stored as ciphertext. However, when you use the Secret API through the API server, you receive the plaintext secret data.

How do I prevent a RAM user or RAM role from enabling or disabling Secret encryption at rest in an existing ACK Edge cluster?

You can attach the following RAM policy with a Deny effect to a RAM user or RAM role. This prevents the user or role from enabling or disabling encryption at rest for an existing ACK Edge Pro cluster. For more information, see Use RAM to grant permissions to access clusters and cloud resources.

  {
      "Action": [
          "cs:UpdateKMSEncryption"
      ],
      "Effect": "Deny",
      "Resource": [
          "*"
      ]
  }