If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
By default, Kubernetes secret resources are not encrypted at rest. The values within the secrets are encoded with base64, which is not encryption. AKS supports KMS etcd encryption, which is disabled by default. More information about this can be found in the official Azure documentation here.
The Azure classic provider seems to support KMS etcd encryption using the keyManagementService attribute, as documented here.
I'm not very familiar with this particular integration. The Azure Native documentation link you sent looks like the right setting: SecurityProfile.AzureKeyVaultKms looks equivalent to the classic KeyManagementService properties. Both contain an identifier for the key vault and the key.
Have you tried using this setting and run into issues?
On adding further examples, these are currently auto-generated from the Azure specification, but it might be possible to add additional hand-written examples in the future too if that's the remaining ask here.
Using the SecurityProfile with the azureKeyVaultKms was exactly what I was searching for. I could activate the etcd encryption by adding this block to the ManagedCluster resource:
I find the following description in the documentation misleading, because I thought this was about a general KMS configuration for the security profile, whatever that means:
But the link in the description actually leads to a k8s documentation page with the title "Using a KMS provider for data encryption".
Anyway, the feature is there. The docs (description and examples) can be improved. I'll update the description to avoid confusion.
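For readers who land here looking for the configuration block the comment above refers to, the following is an added example, not code from this issue, its author, or the Pulumi project: a Pulumi YAML program that sets securityProfile.azureKeyVaultKms on an azure-native ManagedCluster. The resource group, key vault, key and cluster names are placeholders, and the nested property names (enabled, keyId, keyVaultNetworkAccess, keyVaultResourceId) are assumed to follow the azure-native ManagedCluster schema that mirrors the Azure REST API's AzureKeyVaultKms object mentioned in the thread.

```yaml
# Added example: Pulumi YAML program enabling Key Vault backed KMS encryption
# of etcd secrets on an AKS cluster. All names and IDs are placeholders, and the
# cluster identity is assumed to already be permitted to use the key in the vault
# (see the Azure documentation linked in the issue).
name: aks-kms-example
runtime: yaml
description: AKS cluster with KMS etcd encryption (example configuration)

config:
  resourceGroupName:
    type: string        # placeholder, e.g. rg-aks-example
  keyVaultResourceId:
    type: string        # placeholder: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>
  keyId:
    type: string        # placeholder: https://<vault>.vault.azure.net/keys/<key-name>/<key-version>

resources:
  cluster:
    type: azure-native:containerservice:ManagedCluster
    properties:
      resourceGroupName: ${resourceGroupName}
      resourceName: aks-kms-example      # placeholder cluster name
      dnsPrefix: aks-kms-example
      identity:
        type: SystemAssigned             # this identity needs access to the key
      agentPoolProfiles:
        - name: system
          mode: System
          count: 1
          vmSize: Standard_D2s_v3
          osType: Linux
      # The setting this issue is about: secrets in etcd are encrypted with a
      # key held in Azure Key Vault instead of being stored base64-encoded only.
      securityProfile:
        azureKeyVaultKms:
          enabled: true
          keyId: ${keyId}
          keyVaultNetworkAccess: Public  # "Private" requires private connectivity to the vault
          keyVaultResourceId: ${keyVaultResourceId}

outputs:
  clusterName: ${cluster.name}
```

Set the three config values with `pulumi config set` before running `pulumi up`. Because the API server can only read secrets while it can reach and use the key, treat the key's lifecycle (disabling, deleting, rotating) as a cluster availability concern and keep the cluster identity's key vault permissions limited to what KMS needs.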
ArtunSubasiStihl changed the title from "Support the configuration of KMS etcd encryption for an AKS cluster" to "Improve the documentation for the configuration of KMS etcd encryption for an AKS cluster" on Apr 10, 2024
The Azure classic provider seems to support KMS etcd encryption using the keyManagementService attribute, as documented here. If I am not mistaken, the ManagedCluster resource in the azure-native provider does not support configuring KMS etcd encryption, and I would really love to have this feature. Update: It is indeed supported, as suggested in @danielrbradley's comment below.
If it is supported, it would be great to have documentation and examples about this feature.
Affected area/feature