EKS: Envelope Encryption of Kubernetes Secrets #530
Comments
@tabern What about supporting an AWS-managed KMS key? We would like envelope encryption, without managing the key ourselves. Is that included in this?
@kekoav yes - we're planning to allow two modes. In the first mode, you request encryption but don't provide a key. EKS will create a managed KMS key in your account and associate it to the cluster. In the second mode, you can create a KMS key yourself and then pass the ARN to the cluster.
@tabern Any plans to make k8s secrets be backed by or synced with AWS Secrets Manager?
@tabern I'd like to check if we have an ETA for rolling out this feature, as this is affecting our roadmap of managing applications in EKS. Thanks.
Hi everyone, Amazon EKS now supports envelope encryption of K8s secrets using AWS KMS keys!

How it works

Envelope encryption for secrets is available for new Amazon EKS clusters running Kubernetes version 1.13 and above. You can set up your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster. When secrets are stored using the Kubernetes secrets API, they are encrypted with a Kubernetes-generated data encryption key, which is then further encrypted using the linked AWS KMS key. More details:
Hi @tabern,
How about the running clusters?
Hi, if there is an option to enable encryption like in S3 without generating any KMS keys by myself, that would be nice.
Support for this functionality has been merged into the Terraform AWS Provider and will release with version 2.52.0, later today.
Does anyone know why the apiserver locally generates the DEK, as opposed to calling
Does anyone know what policy and which role to assign the KMS key usage to? When I added the encryption configuration to the same setup process (Terraform), EKS didn't create nodes. Regarding the role, I mean, is it the cluster role or the node role?
Update on this feature: on 3/1 we added support for encrypting existing, running clusters. @khacminh
Kubernetes supports the ability to enable envelope encryption of Kubernetes secrets using a customer managed key (CMK).
To support a defense-in-depth strategy, we plan to enable the AWS Encryption Provider on EKS and allow you to provide an AWS KMS CMK that will be used for envelope encryption of Kubernetes secrets on the cluster.
Note: This feature will provide an additional security layer for customers using Kubernetes secrets. All secrets and other data stored in etcd for all EKS clusters are encrypted at rest today. https://docs.aws.amazon.com/en_us/eks/latest/userguide/clusters.html and #263
Update 3/5/20 » this feature is now live!
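Putting the thread's pieces together (bring-your-own CMK, the Terraform provider support from 2.52.0, and the question about which role needs KMS permissions), here is an added example of a minimal Terraform configuration; it is not code from the issue or from the AWS provider's own docs. The key policy's action set, the `aws_iam_role.eks_cluster` reference and the `private_subnet_ids` variable are assumptions.

```hcl
# Added example (not from the issue or the Terraform AWS provider docs):
# a customer-managed KMS key plus an EKS cluster whose Kubernetes secrets
# are envelope-encrypted with it. aws_iam_role.eks_cluster and
# var.private_subnet_ids are assumed to be defined elsewhere.

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "eks_secrets" {
  description         = "CMK for envelope encryption of EKS Kubernetes secrets"
  enable_key_rotation = true

  # Key policy: the account root keeps administrative control; the *cluster*
  # IAM role (the control plane wraps and unwraps the DEK, not the nodes) gets
  # usage permissions only. The exact minimal action set is an assumption;
  # check the EKS documentation for your provider version.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableRootAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowEksControlPlaneUse"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.eks_cluster.arn }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_eks_cluster" "main" {
  name     = "example-cluster"              # constructed name
  role_arn = aws_iam_role.eks_cluster.arn   # assumed cluster role

  vpc_config {
    subnet_ids = var.private_subnet_ids     # assumed variable
  }

  # Requires Terraform AWS provider >= 2.52.0 (per the thread). "secrets" is
  # the resource type that gets envelope-encrypted with the linked CMK.
  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
  }
}
```

After apply, `aws eks describe-cluster --name example-cluster --query cluster.encryptionConfig` should show the key ARN under `provider.keyArn` with `resources` set to `["secrets"]`; an empty result means secrets are only covered by the default etcd encryption at rest mentioned in the issue.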