
Container Service for Kubernetes:Use KMS to encrypt Kubernetes Secrets

Last Updated:Oct 19, 2023

In a Container Service for Kubernetes (ACK) Edge Pro cluster, you can use a key that is created in Key Management Service (KMS) to encrypt Kubernetes Secrets. This topic describes how to use a KMS-managed key to encrypt Secrets in an ACK Edge Pro cluster.

Prerequisites

  • A customer master key (CMK) is created in the KMS console. For more information, see Create a CMK.

    Note

    ACK Edge Pro clusters support only CMKs of the Aliyun_AES_256 type.

  • After you enable Secret encryption, do not use the KMS API or the KMS console to disable or delete the CMK that is used to encrypt and decrypt Secrets, or create a schedule to delete the CMK. Otherwise, the API server becomes unavailable and cannot retrieve Secrets and service accounts. As a result, service interruptions occur.

  • Your Alibaba Cloud account is authorized to assume the AliyunCSManagedSecurityRole role. If your Alibaba Cloud account is not authorized to assume the AliyunCSManagedSecurityRole role, the system prompts you to complete the authorization first when you enable Secret encryption for a new ACK Edge Pro cluster or an existing ACK Edge Pro cluster.

  • If you log on to the ACK console with a Resource Access Management (RAM) user or RAM role, make sure that the RAM user or RAM role is attached with the AliyunKMSCryptoAdminAccess policy. For more information, see Attach a RAM policy to a RAM user or RAM role.

  • You are charged by KMS for key management and for API calls (billed per 10,000 calls). After Secret encryption is enabled for an ACK Pro cluster, kube-apiserver must call the KMS encryption and decryption API operations for every read and write of a Secret. A large number of Secret reads and writes is usually required during the lifecycle of service accounts, which can incur a large amount of API call fees. This effect increases with the number of service accounts or Secrets in your cluster. We recommend that you keep a sufficient account balance. If you are not familiar with the pricing rules or your account balance is insufficient, you can disable Secret encryption for the cluster. For more information, see Disable Secret encryption for an existing ACK Edge Pro cluster. If your account has an overdue payment for more than seven days, you cannot manage the cluster. For more information about KMS billing, see Billing of KMS.

Background information

Kubernetes Secrets are used to store and manage sensitive data, such as application passwords, Transport Layer Security (TLS) certificates, and credentials for pulling Docker images. Kubernetes stores Secrets in the etcd of a cluster. For more information about Kubernetes Secrets, see Secrets.

You can use keys that are created in KMS to encrypt Secrets in ACK Edge clusters. KMS uses envelope encryption to encrypt and decrypt the Secrets that are stored in etcd, based on the KMS encryption provider. For more information about envelope encryption, see Use envelope encryption to encrypt and decrypt local data. The following content explains how Kubernetes Secrets are encrypted and decrypted:

  • When you store a password in a Kubernetes Secret, the Kubernetes API server of your cluster generates a random data encryption key (DEK) and uses it to encrypt the Secret. Then, the API server sends the DEK to KMS. KMS encrypts the DEK with the key that you specified and returns the encrypted DEK to the API server. The API server then stores the encrypted Secret together with the encrypted DEK in etcd.

  • When the Kubernetes Secret is read, the system calls the Decrypt API operation of KMS to decrypt the DEK. Then, the system uses the decrypted DEK to decrypt the Kubernetes Secret and returns the password.

Enable Secret encryption when you create an ACK Edge Pro cluster

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. In the upper-right corner of the Clusters page, click Create Kubernetes Cluster.

  4. Click the Managed Edge Kubernetes tab.

  5. On the Managed Edge Kubernetes tab, find Secret Encryption, select Select Key, and then select a key from the drop-down list. For more information about how to configure an ACK Edge Pro cluster, see Create an ACK Edge Pro cluster.

    Check the result

    Log on to the ActionTrail console. In the left-side navigation pane, click Event Detail Query. On the Event Detail Query page, check for encryption and decryption operations that are performed by assuming the aliyuncsmanagedsecurityrole role. If these operations exist, the Secret encryption feature is enabled.

Enable Secret encryption for an existing ACK Edge Pro cluster

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, click the name of the ACK Edge Pro cluster for which you want to enable Secret encryption.

  4. On the details page of the cluster, click the Basic Information tab. In the Basic Information section, turn on Secret Encryption.

    Note

    If you log on to the ACK console with a RAM user, make sure that the RAM user is assigned one of the following role-based access control (RBAC) roles: the administrator role or O&M engineer role. For more information, see Grant RBAC permissions to RAM users or RAM roles.

  5. In the Secret Encryption dialog box, select an existing key. Click OK.

    If no key is available, click Create Key to create a key in the KMS console. For more information, see Create a CMK.

    If the status of the cluster changes from Updating to Running, the Secret encryption feature is enabled for the cluster.

Disable Secret encryption for an existing ACK Edge Pro cluster

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, click the name of the ACK Edge Pro cluster for which you want to disable Secret encryption.

  4. On the details page of the cluster, click the Basic Information tab. In the Basic Information section, turn off Secret Encryption.

    Note

    If you log on to the ACK console with a RAM user, make sure that the RAM user is assigned one of the following RBAC roles: the administrator role or O&M engineer role. For more information, see Grant RBAC permissions to RAM users or RAM roles.

    If the status of the cluster changes from Updating to Running, the Secret encryption feature is disabled for the cluster.

Use automatic key rotation to encrypt Secrets

You can use the automatic key rotation feature provided by KMS to encrypt Secrets. During a key rotation, the system uses the original key to encrypt existing Secrets and uses the new key to encrypt new Secrets. For more information about automatic key rotation, see Configure key rotation.

To force the system to use the new key to encrypt existing Secrets, run the following command after the key is rotated:

kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - encryption-key-rotation-time="$(date -u +'%Y-%m-%dT%H:%M:%S%z')"
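The following Go program is an added example, not code from this page or from ACK, that walks through the envelope-encryption flow described under Background information and the rotation behaviour described above. KMS is replaced by a local stand-in type (an assumption of the example, not the real KMS API): it keeps every version of one CMK, so DEKs wrapped before a rotation stay readable, and it rejects every call once the CMK is marked deleted, which reproduces the failure the prerequisites warn about. EncryptSecret is the API server's write path (random DEK, local AES-256-GCM encryption of the Secret, DEK wrapped by KMS), DecryptSecret is the read path, and Reencrypt is the read-then-write that the kubectl annotate command above triggers for every Secret, moving it under the newest key version with a fresh DEK. The sample Secret value is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on err; used only where an error would mean a programming bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomBytes draws n bytes from the CSPRNG (DEKs, CMK versions, GCM nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// gcmSeal encrypts pt under a 32-byte key with AES-256-GCM, nonce prefixed to the output.
func gcmSeal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

// gcmOpen reverses gcmSeal; a wrong key or a tampered ciphertext yields an error.
func gcmOpen(key, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KMS is a local stand-in for Key Management Service (an assumption of this example, not the real API).
type KMS struct {
	versions [][]byte // one entry per CMK version, all kept so older wrapped DEKs stay readable
	Deleted  bool     // set to mirror disabling or deleting the CMK
}

// Rotate adds a CMK version that later Encrypt calls use (automatic key rotation).
func (k *KMS) Rotate() {
	k.versions = append(k.versions, randomBytes(32))
}

// Encrypt wraps a DEK under the newest CMK version (stand-in for the KMS Encrypt API).
func (k *KMS) Encrypt(dek []byte) (int, []byte, error) {
	if k.Deleted || len(k.versions) == 0 {
		return 0, nil, fmt.Errorf("kms: CMK is disabled, deleted or has no version")
	}
	return len(k.versions), gcmSeal(k.versions[len(k.versions)-1], dek), nil
}

// Decrypt unwraps a DEK with the CMK version it was wrapped under (KMS Decrypt stand-in).
func (k *KMS) Decrypt(version int, wrapped []byte) ([]byte, error) {
	if k.Deleted || version < 1 || version > len(k.versions) {
		return nil, fmt.Errorf("kms: CMK deleted or unknown key version %d", version)
	}
	return gcmOpen(k.versions[version-1], wrapped)
}

// StoredSecret is the etcd record: Secret ciphertext, wrapped DEK and the CMK version used.
type StoredSecret struct {
	KeyVersion             int
	WrappedDEK, Ciphertext []byte
}

// EncryptSecret is the write path: fresh DEK, encrypt locally, wrap the DEK in KMS.
func EncryptSecret(kms *KMS, plaintext []byte) (*StoredSecret, error) {
	dek := randomBytes(32)
	ver, wrapped, err := kms.Encrypt(dek)
	if err != nil {
		return nil, err
	}
	return &StoredSecret{KeyVersion: ver, WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, plaintext)}, nil
}

// DecryptSecret is the read path: unwrap the DEK in KMS, then decrypt locally.
func DecryptSecret(kms *KMS, s *StoredSecret) ([]byte, error) {
	dek, err := kms.Decrypt(s.KeyVersion, s.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, s.Ciphertext)
}

// Reencrypt is what the kubectl annotate pass on the page triggers: a read then a write,
// which leaves the Secret under the newest CMK version with a fresh DEK.
func Reencrypt(kms *KMS, s *StoredSecret) (*StoredSecret, error) {
	pt, err := DecryptSecret(kms, s)
	if err != nil {
		return nil, err
	}
	return EncryptSecret(kms, pt)
}
```

Two properties of the flow are worth noticing in the code. After Rotate, a Secret written earlier still decrypts, because the etcd record carries the key version its DEK was wrapped under and KMS keeps that version; only Reencrypt moves it to the new version, which is why the annotate command is needed to force existing Secrets onto the new key. Setting Deleted makes both Encrypt and Decrypt fail, so every Secret and every service-account token becomes unreadable at once, which is the outage the prerequisites describe when the CMK is disabled, deleted, or scheduled for deletion.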