In professional serverless Kubernetes (ASK) clusters, you can use keys that are created in Key Management Service (KMS) to encrypt Kubernetes Secrets. This topic describes how to use a key that is managed by KMS to encrypt Secrets for a professional ASK cluster.

Prerequisites

  • A customer master key (CMK) is created in the KMS console. For more information, see Create a CMK.
    Note ACK Pro clusters support only CMKs of the Aliyun_AES_256 type and do not support automatic rotation of CMKs.
  • The current account is authorized to assume the AliyunCSManagedSecurityRole role. Otherwise, the system prompts you to perform the authorization when you enable Secret encryption.
  • If you log on to the console as a Resource Access Management (RAM) user, you must make sure that the RAM user is authorized to assume the AliyunCSManagedSecurityRole role. For more information, see Grant permissions to a RAM user.
  • You are charged by KMS for key management and for API calls (billed per 10,000 calls). After Secret encryption is enabled for the ACK Pro cluster, kube-apiserver must call the encryption and decryption API operations of KMS for every read and write of a Secret. Make sure that your account balance is sufficient. If your account has an overdue payment for seven days, you cannot manage the cluster. For more information about how KMS is billed, see Billing.

Background information

Kubernetes Secrets are used to store and manage sensitive data, such as passwords to applications, Transport Layer Security (TLS) certificates, and credentials to download Docker images. Kubernetes stores Secrets in etcd of the cluster. For more information, see Secrets.

ACK Pro clusters allow you to use a key created in KMS to encrypt Secrets. Encryption relies on the KMS provider mechanism of Kubernetes: a KMS provider uses envelope encryption to encrypt or decrypt the data keys that protect the Secrets stored in etcd. The Secret encryption and decryption procedures are as follows:
  • When you store a password in a Kubernetes Secret, the Kubernetes API server of the cluster generates a random data encryption key (DEK) and encrypts the Secret with it. The API server then sends the DEK to KMS. KMS encrypts the DEK with the specified key and returns the encrypted DEK to the API server. Finally, the API server stores the encrypted Secret and the encrypted DEK in etcd.
  • When you read the Kubernetes Secret, the system first calls the Decrypt operation of KMS to decrypt the data key. The system then uses the plaintext data key to decrypt the Kubernetes Secret and returns the decrypted Secret.

For more information, see KMS Encryption Provider mechanism and What is envelope encryption?.
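The following Go program is an added example, not code from this topic or from ACK or KMS, that walks through the envelope encryption flow described above: a random DEK encrypts the Secret, a KMS-like service wraps the DEK under the customer master key, and only the two ciphertexts are persisted. The FakeKMS type, the StoredSecret record, and the sample Secret value are constructed for illustration; a real cluster uses the KMS Encrypt/Decrypt API over the network and stores the record in etcd, but the structure of what is stored and the number of KMS calls per read and write are the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FakeKMS stands in for the KMS service in this example (constructed, not a
// real client). It holds the customer master key (CMK) and only exposes
// Encrypt/Decrypt of small blobs such as a DEK; the CMK never leaves it.
type FakeKMS struct {
	cmk   []byte // 32-byte AES-256 key, matching the Aliyun_AES_256 CMK type
	Calls int    // number of API calls made, since KMS bills per call
}

// NewFakeKMS generates a random CMK inside the simulated service.
func NewFakeKMS() (*FakeKMS, error) {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		return nil, err
	}
	return &FakeKMS{cmk: cmk}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext with AES-256-GCM and prepends the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any tampering or a wrong key fails the GCM tag check.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Encrypt wraps a DEK under the CMK (one billed KMS call).
func (k *FakeKMS) Encrypt(dek []byte) ([]byte, error) { k.Calls++; return sealGCM(k.cmk, dek) }

// Decrypt unwraps a DEK under the CMK (one billed KMS call).
func (k *FakeKMS) Decrypt(encDEK []byte) ([]byte, error) { k.Calls++; return openGCM(k.cmk, encDEK) }

// StoredSecret is what lands in etcd: the Secret ciphertext and the
// KMS-encrypted DEK. Neither the DEK nor the CMK is present in plaintext.
type StoredSecret struct {
	EncryptedDEK  []byte
	EncryptedData []byte
}

// EncryptSecret is the write path: generate a random DEK, encrypt the Secret
// with it, have KMS wrap the DEK under the CMK, and store both ciphertexts.
func EncryptSecret(kms *FakeKMS, secret []byte) (StoredSecret, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredSecret{}, err
	}
	encData, err := sealGCM(dek, secret)
	if err != nil {
		return StoredSecret{}, err
	}
	encDEK, err := kms.Encrypt(dek)
	if err != nil {
		return StoredSecret{}, err
	}
	return StoredSecret{EncryptedDEK: encDEK, EncryptedData: encData}, nil
}

// DecryptSecret is the read path: KMS unwraps the DEK, then the DEK decrypts
// the Secret locally. Every read costs one KMS Decrypt call.
func DecryptSecret(kms *FakeKMS, s StoredSecret) ([]byte, error) {
	dek, err := kms.Decrypt(s.EncryptedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, s.EncryptedData)
}

func main() {
	kms, _ := NewFakeKMS()
	stored, _ := EncryptSecret(kms, []byte("password=example-only")) // constructed sample
	back, _ := DecryptSecret(kms, stored)
	fmt.Printf("decrypted=%q kmsCalls=%d\n", back, kms.Calls)
}
```

Two properties worth noticing: a copy of the etcd record alone is useless without access to the CMK, because the DEK can only be recovered through a KMS Decrypt call, and each write costs one KMS call while each read costs another, which is the usage that the billing prerequisite above refers to.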

Note Secret encryption is supported only by existing professional ASK clusters. This feature cannot be enabled in newly created professional ASK clusters.

Enable Secret encryption for an existing professional ASK cluster

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, click the name of the professional ASK cluster for which you want to enable Secret encryption.
  4. On the details page of the cluster, click the Basic Information tab. In the Basic Information section, turn on Secret Encryption.
    Note If you log on to the console as a Resource Access Management (RAM) user, make sure that the RAM user is assigned the administrator role or O&M engineer role to manage the cluster. For more information, see Assign RBAC roles to RAM users.
    When the status of the cluster changes from Updating to Running, Secret encryption is enabled for the cluster.

Disable Secret encryption for an existing professional ASK cluster

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, click the name of the professional ASK cluster for which you want to disable Secret encryption.
  4. On the details page of the cluster, click the Basic Information tab. In the Basic Information section, turn off Secret Encryption.
    Note If you log on to the console as a RAM user, make sure that the RAM user is assigned the administrator role or O&M engineer role to manage the cluster. For more information, see Assign RBAC roles to RAM users.
    When the status of the cluster changes from Updating to Running, Secret encryption is disabled for the cluster.