In Container Compute Service (ACS) clusters, you can use keys that are created in Key Management Service (KMS) to encrypt Kubernetes Secrets. This topic describes how to use a key that is managed by KMS to encrypt Secrets for an ACS cluster.
Prerequisites
A KMS key is created in the KMS console. The key belongs to the region where your ACS cluster resides.
Important: To use Secret encryption, make sure that the version of your ACS cluster is 1.28 or later.
The following requirements must be met:
If you use an Alibaba Cloud account, the account must be authorized to assume the AliyunCCManagedSecurityRole role. Otherwise, the ACS console prompts you to perform the authorization when you enable Secret encryption. You can also go to the Cloud Resource Access Authorization page to complete the authorization.
If you use a Resource Access Management (RAM) user or RAM role:
The RAM user or RAM role must be granted administrator or O&M engineer permissions on the ACS cluster. For more information, see Grant RBAC permissions to RAM users or RAM roles.
The RAM user or RAM role must be granted the AliyunKMSCryptoAdminAccess permission. For more information, see Attach a RAM policy to a RAM user or RAM role.
Overview of Secret encryption
Kubernetes Secrets are used to store and manage sensitive data, such as the passwords of applications, Transport Layer Security (TLS) certificates, and credentials to download Docker images. Kubernetes stores Secrets in the etcd of a cluster. For more information, see Secrets.
ACS clusters use the open source Kubernetes KMS v2 API to implement Secret encryption, which lets you manage large numbers of Secrets in your cluster and encrypt or decrypt them with a KMS-managed key. ACS clusters support default keys, software-protected keys, and hardware-protected keys. For more information about the key management feature of KMS, see Getting started with Key Management. For more information about KMS billing, see Billing.
After you enable Secret encryption, do not use the KMS API or the KMS console to disable or delete the key that is used to encrypt and decrypt Secrets. Otherwise, the API server becomes unavailable and cannot retrieve Secrets or service account objects. Consequently, service interruptions occur.
For more information, see The KMS provider and Use envelope encryption.
Enable Secret encryption for an ACS cluster
Enable Secret encryption when you create an ACS cluster
Log on to the ACS console. In the left-side navigation pane, click Clusters.
In the upper-left corner of the Clusters page, click Create Cluster.
Click Show Advanced Options at the bottom of the page. Find Secret Encryption, select Select Key, and then select a key from the drop-down list. Configure other parameters on demand and click Confirm Order. For more information about other parameters, see Create an ACS cluster.
Log on to the ActionTrail console. In the left-side navigation pane, click Event Detail Query. On the Event Detail Query page, check for encryption and decryption operations that are performed by assuming the aliyuncsmanagedsecurityrole role. If these operations exist, the Secret encryption feature is enabled.
If the Secret encryption feature is no longer required, click the name of the cluster that you want to manage in the cluster list. On the Cluster Information page, click the Basic Information tab. In the Security and Audit section, turn off Secret Encryption.
Enable Secret encryption for an existing ACS cluster
Log on to the ACS console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane of the cluster details page, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Security and Audit section, turn on Secret Encryption.
In the Secret Encryption dialog box, select an existing key and click OK.
If you have not created a key in KMS, click create keys to go to the KMS console to create one. For more information, see Create a CMK.
If the status of the cluster changes from Updating to Running, the Secret encryption feature is enabled for the cluster.
If you no longer need the Secret encryption feature, you can turn off Secret Encryption in the Security and Audit section.
Use automatic key rotation to encrypt Secrets
You can use the automatic key rotation feature provided by KMS to encrypt Secrets. After a key rotation, existing Secrets remain encrypted with the original key version, and only Secrets that are written afterwards are encrypted with the new key version. For more information about automatic key rotation, see Configure key rotation.
To force the system to re-encrypt existing Secrets with the new key, run the following command after the key is rotated. It rewrites every Secret in every namespace by adding or updating an annotation, which makes the API server encrypt each Secret again with the current key:
kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - encryption-key-rotation-time="$(date -u +'%Y-%m-%dT%H:%M:%S%z')"
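The following Python script is an added illustration and is not part of this topic or of the ACS or KMS products. It models the envelope-encryption flow that the KMS provider described above performs (a per-Secret data encryption key wrapped by the KMS key; only ciphertext and the wrapped key are stored in etcd), what a key rotation changes, why the kubectl rewrite above is needed to move existing Secrets to the new key version, and what breaks when the old key version is disabled. ToyKMS, EtcdRecord and the HMAC-SHA256 counter keystream are constructed stand-ins so the script runs on the standard library alone; a real KMS provider uses an authenticated cipher such as AES-GCM and a real KMS service behind the wrap and unwrap calls.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


# Assumption: a real KMS provider uses AES-GCM. This HMAC-SHA256 counter keystream is a
# constructed stand-in with no integrity protection, used only so the example runs offline.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyKMS:
    """Constructed stand-in for the KMS key: one key with several versions that wrap DEKs."""

    def __init__(self) -> None:
        self._versions: dict[str, bytes] = {}
        self._disabled: set[str] = set()
        self.primary: str | None = None

    def rotate(self) -> str:
        """Add a new key version and make it primary, as automatic key rotation does."""
        version = f"v{len(self._versions) + 1}"
        self._versions[version] = secrets.token_bytes(32)
        self.primary = version
        return version

    def disable(self, version: str) -> None:
        """Disable a key version; anything still wrapped under it becomes unreadable."""
        self._disabled.add(version)

    def wrap(self, dek: bytes) -> tuple[str, bytes, bytes]:
        nonce = secrets.token_bytes(16)
        return self.primary, nonce, _xor_stream(self._versions[self.primary], nonce, dek)

    def unwrap(self, version: str, nonce: bytes, wrapped: bytes) -> bytes:
        if version in self._disabled or version not in self._versions:
            raise RuntimeError(f"key version {version} is disabled or deleted")
        return _xor_stream(self._versions[version], nonce, wrapped)


@dataclass(frozen=True)
class EtcdRecord:
    """What the API server stores in etcd for one Secret: ciphertext plus a wrapped DEK."""

    key_version: str
    dek_nonce: bytes
    wrapped_dek: bytes
    data_nonce: bytes
    ciphertext: bytes


def encrypt_secret(kms: ToyKMS, plaintext: bytes) -> EtcdRecord:
    dek = secrets.token_bytes(32)  # fresh data encryption key per Secret
    data_nonce = secrets.token_bytes(16)
    ciphertext = _xor_stream(dek, data_nonce, plaintext)
    version, dek_nonce, wrapped = kms.wrap(dek)  # KMS only ever sees the DEK, never the Secret
    return EtcdRecord(version, dek_nonce, wrapped, data_nonce, ciphertext)


def decrypt_secret(kms: ToyKMS, rec: EtcdRecord) -> bytes:
    dek = kms.unwrap(rec.key_version, rec.dek_nonce, rec.wrapped_dek)
    return _xor_stream(dek, rec.data_nonce, rec.ciphertext)


def rewrite_secret(kms: ToyKMS, rec: EtcdRecord) -> EtcdRecord:
    """Read-then-write, which is what the kubectl annotate loop triggers for every Secret."""
    return encrypt_secret(kms, decrypt_secret(kms, rec))


def demo() -> dict:
    kms = ToyKMS()
    v1 = kms.rotate()
    old_secret = encrypt_secret(kms, b"db-password")  # constructed sample Secret
    kms.rotate()  # automatic rotation: new primary version, old version still valid
    new_secret = encrypt_secret(kms, b"tls-private-key")
    rewritten = rewrite_secret(kms, old_secret)  # forces re-encryption under the new version
    kms.disable(v1)  # what the topic warns against: the un-rewritten copy is now unreadable
    try:
        decrypt_secret(kms, old_secret)
        stale_readable = True
    except RuntimeError:
        stale_readable = False
    return {
        "old_version": old_secret.key_version,
        "new_version": new_secret.key_version,
        "rewritten_version": rewritten.key_version,
        "rewritten_plaintext": decrypt_secret(kms, rewritten),
        "stale_readable_after_disable": stale_readable,
        "etcd_holds_ciphertext": old_secret.ciphertext != b"db-password",
    }
```

Running demo() shows the two facts the topic relies on: a rotation alone leaves old Secrets on the old key version, and once the old version is disabled those un-rewritten Secrets can no longer be decrypted, which at cluster scale is the API server failing to return Secrets and service account tokens.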
FAQ
After Secret encryption is enabled, is ciphertext returned if I use kubectl to query a Secret?
No. After Secret encryption is enabled, plaintext is still returned if you use kubectl to query a Secret. The Secret encryption feature encrypts Secrets at rest in etcd: after you enable it, Secrets are stored in etcd as ciphertext. The API server decrypts a Secret before returning it, so a kubectl client that queries a Secret through the Secret API of the cluster receives the plaintext.
How do I prohibit RAM users or RAM roles from enabling or disabling the Secret encryption feature for existing ACS clusters?
To prohibit RAM users or RAM roles from enabling or disabling the Secret encryption feature for existing ACS clusters, attach the following policy to the RAM user or RAM role. For more information, see Attach a RAM policy to a RAM user or RAM role.
{
"Action": [
"cs:UpdateKMSEncryption"
],
"Effect": "Deny",
"Resource": [
"*"
]
}