feat(cluster): add encryptionConfigKeyArn opt to encrypt k8s Secrets #389

Merged
merged 1 commit into from
May 12, 2020

@metral metral commented May 9, 2020

Proposed changes

EKS supports envelope encryption for Kubernetes Secrets that use an AWS
KMS key to sign the Secrets in etcd.

A new cluster option encryptionConfigKeyArn is being added that allows
the configuration of a KMS key ARN to be provided for establishing the
cluster's encryption configuration.

Note: the encryption configuration becomes a core part of the cluster's
configuration. Any changes to its settings will require rebuilding a new cluster
and nodes.

See for more details from AWS.

Related issues (optional)

Closes #384

@metral metral force-pushed the metral/encrypt-config branch 3 times, most recently from f8c4691 to 344f6e8 Compare May 9, 2020 01:28
EKS supports envelope encryption for Kubernetes Secrets that use an AWS
KMS key to sign the Secrets in etcd.

A new cluster option `encryptionConfigKeyArn` is being added that allows
the configuration of a KMS key ARN to be provided for establishing the
cluster's encryption configuration.

Note: the encryption configuration becomes a core part of the cluster's
configuration. Any changes to its settings will require rebuilding a new cluster
and nodes.

See for more details.
https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/
@metral metral merged commit 537820c into master May 12, 2020
@pulumi-bot pulumi-bot deleted the metral/encrypt-config branch May 12, 2020 16:24
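
One way to confirm after deployment that the key passed as `encryptionConfigKeyArn` is the one the cluster actually uses for Secrets, checked against the `encryptionConfig` section of `aws eks describe-cluster` output. This is an added example, not code from this PR or from pulumi/eks; the function name `checkSecretsEncryption` and the sample ARNs and cluster names are constructed.

```typescript
// Relevant part of `aws eks describe-cluster` output.
interface EncryptionConfig { resources?: string[]; provider?: { keyArn?: string } }
interface DescribeCluster { cluster: { name: string; encryptionConfig?: EncryptionConfig[] } }

// KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
const KMS_KEY_ARN = /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/[A-Za-z0-9-]+$/;

// Hypothetical helper: returns findings; an empty list means Secrets are
// envelope-encrypted with the expected key.
function checkSecretsEncryption(desc: DescribeCluster, expectedKeyArn: string): string[] {
    const findings: string[] = [];
    const name = desc.cluster.name;
    if (!KMS_KEY_ARN.test(expectedKeyArn)) {
        findings.push(`expected value is not a KMS key ARN: ${expectedKeyArn}`);
    }
    const configs = desc.cluster.encryptionConfig || [];
    const forSecrets = configs.filter(c => (c.resources || []).indexOf("secrets") !== -1);
    if (forSecrets.length === 0) {
        findings.push(`${name}: no encryptionConfig covers "secrets"`);
        return findings;
    }
    for (const c of forSecrets) {
        const actual = c.provider?.keyArn;
        if (!actual) {
            findings.push(`${name}: encryptionConfig has no provider.keyArn`);
        } else if (actual !== expectedKeyArn) {
            // Per the PR note, changing this setting means rebuilding the cluster and nodes.
            findings.push(`${name}: key drift, cluster uses ${actual}`);
        }
    }
    return findings;
}

// Constructed sample data (account id, key ids and cluster names are made up).
const KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
const OTHER = "arn:aws:kms:us-west-2:111122223333:key/0000aaaa-00aa-00aa-00aa-000000000000";
const encrypted: DescribeCluster = {
    cluster: { name: "prod", encryptionConfig: [{ resources: ["secrets"], provider: { keyArn: KEY } }] },
};
const plain: DescribeCluster = { cluster: { name: "dev" } };

console.log(checkSecretsEncryption(encrypted, KEY));
console.log(checkSecretsEncryption(plain, KEY));
console.log(checkSecretsEncryption(encrypted, OTHER));
```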
Successfully merging this pull request may close these issues.

Add 'clusterencryptionconfig' to pulumi/eks