Tencent Cloud TKE-KMS Plugin integrates the rich key management features of Key Management Service (KMS) to provide powerful encryption/decryption capabilities for Secret in Kubernetes cluster. This document describes how to encrypt data for Kubernetes cluster via KMS.
Key Management Service (KMS) is a security management solution that leverages a third-party certified hardware security module (HSM) to generate and protect keys so you can easily create and manage keys, helping you to meet your key management and compliance needs in multi-application and multi-business scenarios.
You have created a TKE self-deployed cluster that meets the following conditions:
Note:If you want to check the version, you can go to Cluster Management page and select the cluster ID to go to the Basic Information page to view.
_
, -
, and cannot begin with KMS-
. In this document, we take tke-kms
as an example. Before using TKE for the first time, go to the TencentCloud API Key page to apply for SecretId
and SecretKey
. If you already have them, skip this procedure.
SecretId
/SecretKey
.SecretId
and SecretKey
on Manage API Key page when the creation is completed. See the figure below:Log in to the TKE console and click Cluster in the left sidebar.
On the Cluster Management page, click the ID of the cluster that meet the conditions to go to the cluster details page.
Select Create Via YAML at the top right corner on any interface of the cluster to go to Create Via YAML page. Enter the parameters for tke-kms-plugin.yaml
, as shown below:
Note:Enter values for the following parameters based on the actual needs:
{{REGION}}
: the region where KMS key resides. You can check Region List for the valid values.{{KEY_ID}}
: enter the KMS key ID obtained in the step of creating a KMS key and obtaining the ID.{{SECRET_ID}}
and{{SECRET_KEY}}
: enter the SecretID and SecretKey created in the step of creating and obtaining access key.images: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0
: tke-kms-plugin image address. If you want to use the self-created tke-kms-plugin image, you can replace it.
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: tke-kms-plugin
namespace: kube-system
spec:
selector:
matchLabels:
name: tke-kms-plugin
template:
metadata:
labels:
name: tke-kms-plugin
spec:
nodeSelector:
node-role.kubernetes.io/master: "true"
hostNetwork: true
restartPolicy: Always
volumes:
- name: tke-kms-plugin-dir
hostPath:
path: /var/run/tke-kms-plugin
type: DirectoryOrCreate
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
containers:
- name: tke-kms-plugin
image: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0
command:
- /tke-kms-plugin
- --region={{REGION}}
- --key-id={{KEY_ID}}
- --unix-socket=/var/run/tke-kms-plugin/server.sock
- --v=2
livenessProbe:
exec:
command:
- /tke-kms-plugin
- health-check
- --unix-socket=/var/run/tke-kms-plugin/server.sock
initialDelaySeconds: 5
failureThreshold: 3
timeoutSeconds: 5
periodSeconds: 30
env:
- name: SECRET_ID
value: {{SECRET_ID}}
- name: SECRET_KEY
value: {{SECRET_KEY}}
volumeMounts:
- name: tke-kms-plugin-dir
mountPath: /var/run/tke-kms-plugin
readOnly: false
Click Done and wait for the DaemonSet to be created.
Log in to each Master node of the cluster by referring to Logging in to Linux Instance Using Standard Login Method.
Note:Master node security group defaults to close port 22. You need to open port 22 on the security group interface before logging in to the node. For more information, see Adding a Security Group Rule.
Run the following command to create and open the YAML file.
vim /etc/kubernetes/encryption-provider-config.yaml
Press i to switch to the edit mode and edit the YAML file. Enter the followings according to the K8s version that you actually use:
K8S v1.13+:
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- kms:
name: tke-kms-plugin
timeout: 3s
cachesize: 1000
endpoint: unix:///var/run/tke-kms-plugin/server.sock
- identity: {}
K8S v1.10 - v1.12:
apiVersion: v1
kind: EncryptionConfig
resources:
- resources:
- secrets
providers:
- kms:
name: tke-kms-plugin
timeout: 3s
cachesize: 1000
endpoint: unix:///var/run/tke-kms-plugin/server.sock
- identity: {}
After editing is completed, press Esc and enter :wq to save the file and go back.
Run the following command to edit the YAML file.
vi /etc/kubernetes/manifests/kube-apiserver.yaml
Press i to switch to the edit mode and add the followings to args
according to the K8s version you actually use.
Note:Self-deployed cluster of K8s v1.10.5. You need to remove
kube-apiserver.yaml
from the/etc/kubernetes/manifests
directory and move it back to the directory after you have completed the editing.
K8S v1.13+:
--encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml
K8S v1.10 - v1.12:
--experimental-encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml
Add Volume command to /var/run/tke-kms-plugin/server.sock
. The location and content for adding is as follows:
Note:
/var/run/tke-kms-plugin/server.sock
is a unix socket that is listened when tke kms server is launched. kube apiserver will access tke kms server by accessing the socket.
Add the followings for volumeMounts:
:
- mountPath: /var/run/tke-kms-plugin
name: tke-kms-plugin-dir
Add the followings for volume:
:
- hostPath:
path: /var/run/tke-kms-plugin
name: tke-kms-plugin-dir
When the editing is finished, press Esc, enter :wq and save the /etc/kubernetes/manifests/kube-apiserver.yaml
file. Wait for kube-apiserver to restart.
Log in to the node of the cluster and run the following command to create a Secret.
kubectl create secret generic kms-secret -n default --from-literal=mykey=mydata
Run the following command to verify if the Secret has been decrypted correctly.
kubectl get secret kms-secret -o=jsonpath='{.data.mykey}' | base64 -d
If the output value is mydata
, i.e. it is equal to the value of Secret, it means Secret has been decrypted correctly. See the figure below:
For more information about Kubernetes KMS, see Using a KMS provider for data encryption.
Was this page helpful?