kubernetes/README.md: 38 additions & 0 deletions
@@ -655,6 +655,44 @@ volumeBindingMode: WaitForFirstConsumer # How volumes of this class are provisio
655
655
kubectl create -f secrets-db-secret.yml
656
656
```
657
657
658
+
- Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. Additionally, anyone who is authorized to create a Pod in a namespace can use that access to read any Secret in that namespace; this includes indirect access such as the ability to create a Deployment.
659
+
- [Enable Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) for Secrest.
660
+
- Generate encryption keys: Create strong encryption keys using a secure method. Algorithms like AES-GCM are recommended for both confidentiality and integrity.
661
+
662
+
```shell
663
+
# Linux
664
+
# Generate a 32-byte random key and base64 encode it.
665
+
# Keep the encryption key confidential, including while you generate it and ideally even after you are no longer actively using it.
666
+
head -c 32 /dev/urandom | base64
667
+
```
668
+
669
+
- Create encryption configuration file: Configure the Kubernetes API server by creating encryption configuration file. This file specifies the resources to encrypt (like `secrets`), the encryption providres (e.g., `aescbc`), and they keys used for encryption.
670
+
671
+
```yaml
672
+
---
673
+
apiVersion: apiserver.config.k8s.io/v1
674
+
kind: EncryptionConfiguration
675
+
resources:
676
+
- resources:
677
+
- secrets
678
+
- configmaps
679
+
- pandas.awesome.bears.example
680
+
providers:
681
+
- aescbc:
682
+
keys:
683
+
- name: key1
684
+
# See the following text for more details about the secret value
685
+
secret: <BASE 64 ENCODED SECRET>
686
+
- identity: {} # this fallback allows reading unencrypted secrets;
687
+
# for example, during initial migration
688
+
```
689
+
690
+
- Use the new encryption configuration file: You will need to mount the new encryption config file to the kube-apiserver static pod.
691
+
692
+
- [Enable or configure RBAC rules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) with least-privilege access to Secrets.
693
+
- Restrict Secret access to specific containers.
694
+
- [Consider using external Secret store providers](https://secrets-store-csi-driver.sigs.k8s.io/concepts.html#provider-for-the-secrets-store-csi-driver).
695
+
658
696
### 3.9. Namespaces
659
697
660
698
- The name of a resource is a unique identifier with a namespace in the Kubernetes cluster. Using a Kubernetes namepsace could isolate namespaces for different environments in the same cluster.
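Review bot: the prose and the example disagree on the provider: the "Generate encryption keys" bullet recommends AES-GCM "for both confidentiality and integrity", but the EncryptionConfiguration that follows uses `aescbc`, which gives no integrity protection and is the provider the upstream Kubernetes docs flag as not recommended because of CBC padding-oracle concerns. Either switch the example to `- aesgcm:` (and note the upstream rotation guidance for that provider) or change the bullet so it matches what the YAML actually configures. Two further documentation gaps in the same block: the "Use the new encryption configuration file" bullet says to mount the file into the kube-apiserver static pod but never mentions that the API server only honours it when started with `--encryption-provider-config=<path>`; and the `identity: {}` fallback is explained as a migration aid without saying how migration ends, so add that existing Secrets must be rewritten (e.g. `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) so they are actually stored encrypted, after which the `identity` provider should be removed so plaintext values are no longer readable. The `pandas.awesome.bears.example` resource is a placeholder copied from the upstream docs and will confuse readers of this README; drop it or label it as an example of a custom resource. Style: "Secrest" should be "Secrets", "providres" should be "providers", and "they keys" should be "the keys".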