Container Service for Kubernetes (ACK) allows you to use a customer master key (CMK) in Key Management Service (KMS) to encrypt the Secrets of Kubernetes clusters at rest.


ACK provides powerful capabilities in operation orchestration management. It obtains Secrets such as passwords, certificates, credentials, and access keys across products, services, and modules. ACK uses Secret modules to store and manage the sensitive information of Kubernetes clusters and that of business applications in the clusters. It also stores sensitive information in etcd. The replication feature of etcd supports distributed storage.

A Kubernetes cluster in the initialized state (without business load) has about 50 Secrets. The leak of a Secret may cause immeasurable loss to the cluster, the business system, or even the entire enterprise. Therefore, you must protect the Secrets stored in Kubernetes clusters.

Encryption mechanism

Professional managed Kubernetes clusters allow you to use a CMK in KMS to encrypt Secrets. The KMS provider mechanism of Kubernetes is used during encryption. A KMS provider uses envelope encryption to encrypt or decrypt the keys of Secrets that are stored in etcd. For more information about envelope encryption, see Use envelope encryption to encrypt and decrypt local data Procedures of key encryption and decryption:
  • When you store a Kubernetes Secret by using Kubernetes Secret API, the API server generates a random data key to encrypt your business key. Then, the system uses a CMK in KMS to encrypt the data key and store the cyphertext of the data key in etcd.
  • When you decrypt the Kubernetes Secret, the system calls the Decrypt operation of KMS to decrypt the data key first. Then, the system uses the plaintext of the data key to decrypt the Kubernetes Secret and returns the decrypted Secret.


  • The Alibaba Cloud account within which you use ACK is assigned the AliyunCSManagedSecurityRole role. If you use an Alibaba Cloud account that is not assigned the role to enable Secret encryption at rest for a new or existing professional managed Kubernetes cluster, you are prompted to assign the role to the Alibaba Cloud account first.
  • The RAM user that you use to log on to the ACK console is granted the AliyunKMSCryptoAdminAccess permission. For more information, see Grant permissions to a RAM user.
  • A CMK is created in the KMS console. For more information, see Create a CMK.
    Note Only CMKs of the Aliyun_AES_256 type are supported.

Create a professional managed Kubernetes cluster and enable Secret encryption at rest

  1. Log on to the ACK console.
  2. In the left-side navigation pane, click Clusters.
  3. In the upper-right corner of the Clusters page, click Cluster Template.
  4. In the Select Cluster Template dialog box, select Professional Managed Kubernetes Cluster and click Create.
  5. On the Managed Kubernetes tab, find Secret Encryption, select Select Key, and then select a CMK ID from the drop-down list.
  6. Set other parameters by following the on-screen instructions.
    For more information, see Create an ACK Pro cluster.

Enable Secret encryption at rest for an existing professional managed Kubernetes cluster

  1. On the Clusters page, click the name of the professional managed Kubernetes cluster for which you want to enable Secret encryption at rest.
  2. Click the Basic Information tab. In the Basic Information section, turn on Secret Encryption.
  3. In the Secret Encryption dialog box, select a CMK ID from the Existing Key drop-down list and click OK.
    If the status of the cluster changes from Updating to Running, Secret encryption at rest is enabled for the cluster.


If you can find encryption or decryption events performed by the AliyunCSManagedSecurityRole role on the Event Detail Query page of the ActionTrail console, Secret encryption at rest is enabled for the cluster. You can view all the KMS CMK calling records in the ActionTrail console.