tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Kubernetes Engine
    Documentation
    Download PDF

    Using KMS for Kubernetes Data Source Encryption

    Last updated: 2024-12-13 17:23:09
    Download PDF

      Overview

      Tencent Cloud TKE-KMS Plugin integrates the rich key management features of Key Management Service (KMS) to provide powerful encryption/decryption capabilities for Secret in Kubernetes cluster. This document describes how to encrypt data for Kubernetes cluster via KMS.

      Concepts

      Key Management Service (KMS)

      Key Management Service (KMS) is a security management solution that leverages a third-party certified hardware security module (HSM) to generate and protect keys so you can easily create and manage keys, helping you to meet your key management and compliance needs in multi-application and multi-business scenarios.

      Prerequisites

      You have created a TKE self-deployed cluster that meets the following conditions:
      Kubernetes v1.10.0 or later.
      Etcd v3.0 or later.
      Note:
      If you want to check the version, you can go to Cluster Management page and select the cluster ID to go to the Basic Information page to view.

      Directions

      Creating a KMS key and obtaining the ID

      1. Log in to the KMS Console, and go to Customer Managed CMK page.
      2. At the top of the Customer Managed CMK page, select the region for which you want to create a key, and click Create.
      3. On the pop-up window, configure the parameters according to the following information, as shown below:
      
      The key parameters are as follows. Retain the default settings for other parameters.
      Key Name: this is required and must be unique within the region. It can contain letters, numbers, _, -, and cannot begin with KMS-. In this document, we take tke-kms as an example.
      Description: this is optional and used to specify the type of data to be protected, or the application to be used in conjunction with the CMK.
      Key Usage: select Symmetric encryption and decryption.
      Key Material Source: select KMS or External based on the actual needs. In this document, we take KMS as an example.
      4. Click OK to go back to Customer Managed CMK page to view the created keys.
      5. Click the key ID to go to Key Information page, you can view the complete ID of the key on this page. See the figure below:
      

      Creating and obtaining access key

      Before using TKE for the first time, go to the TencentCloud API Key page to apply for SecretId and SecretKey. If you already have them, skip this procedure.
      1. Log in to the CAM console and select Access Key > Manage API Key in the left sidebar to go to the Manage API Key page.
      2. On the Manage API Key page, click Create Key to create a pair of SecretId/SecretKey.
      3. You can check the key’s information including SecretId and SecretKey on Manage API Key page when the creation is completed. See the figure below:
      

      Creating a DaemonSet and deploying tke-kms-plugin

      1. Log in to the TKE console and click Cluster in the left sidebar.
      2. On the Cluster Management page, click the ID of the cluster that meet the conditions to go to the cluster details page.
      3. Select Create Via YAML at the top right corner on any interface of the cluster to go to Create Via YAML page. Enter the parameters for tke-kms-plugin.yaml, as shown below:
      Note:
      Enter values for the following parameters based on the actual needs:
      {{REGION}}: the region where KMS key resides. You can check Region List for the valid values.
      {{KEY_ID}}: enter the KMS key ID obtained in the step of creating a KMS key and obtaining the ID.
      {{SECRET_ID}} and {{SECRET_KEY}}: enter the SecretID and SecretKey created in the step of creating and obtaining access key.
      images: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0: tke-kms-plugin image address. If you want to use the self-created tke-kms-plugin image, you can replace it.
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: tke-kms-plugin
        namespace: kube-system
      spec:
        selector:
       matchLabels:
         name: tke-kms-plugin
        template:
       metadata:
         labels:
           name: tke-kms-plugin
       spec:
         nodeSelector:
           node-role.kubernetes.io/master: "true"
         hostNetwork: true
         restartPolicy: Always
         volumes:
           - name: tke-kms-plugin-dir
             hostPath:
               path: /var/run/tke-kms-plugin
               type: DirectoryOrCreate
         tolerations:
           - key: node-role.kubernetes.io/master
             effect: NoSchedule
         containers:
           - name: tke-kms-plugin
             image: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0
             command:
               - /tke-kms-plugin
               - --region={{REGION}}
               - --key-id={{KEY_ID}}
               - --unix-socket=/var/run/tke-kms-plugin/server.sock
               - --v=2
             livenessProbe:
               exec:
                 command:
                   - /tke-kms-plugin
                   - health-check
                   - --unix-socket=/var/run/tke-kms-plugin/server.sock
               initialDelaySeconds: 5
               failureThreshold: 3
               timeoutSeconds: 5
               periodSeconds: 30
             env:
               - name: SECRET_ID
                 value: {{SECRET_ID}}
               - name: SECRET_KEY
                 value: {{SECRET_KEY}}
             volumeMounts:
               - name: tke-kms-plugin-dir
                 mountPath: /var/run/tke-kms-plugin
                 readOnly: false
      4. Click Done and wait for the DaemonSet to be created.

      Configuring kube-apiserver

      1. Log in to each Master node of the cluster by referring to Logging in to Linux Instance Using Standard Login Method.
      Note:
      Master node security group defaults to close port 22. You need to open port 22 on the security group interface before logging in to the node. For more information, see Adding a Security Group Rule.
      2. Run the following command to create and open the YAML file. 
      vim /etc/kubernetes/encryption-provider-config.yaml
      3. Press i to switch to the edit mode and edit the YAML file. Enter the followings according to the K8s version that you actually use:
      K8S v1.13+:
         apiVersion: apiserver.config.k8s.io/v1
         kind: EncryptionConfiguration
         resources:
       - resources:
           - secrets
         providers:
           - kms:
               name: tke-kms-plugin
               timeout: 3s
               cachesize: 1000
               endpoint: unix:///var/run/tke-kms-plugin/server.sock
           - identity: {}
      K8S v1.10 - v1.12:
      apiVersion: v1
      kind: EncryptionConfig
      resources:
        - resources:
            - secrets
          providers:
            - kms:
                name: tke-kms-plugin
                timeout: 3s
                cachesize: 1000
                endpoint: unix:///var/run/tke-kms-plugin/server.sock
            - identity: {}
      4. After editing is completed, press Esc and enter :wq to save the file and go back.
      5. Run the following command to edit the YAML file. 
      vi /etc/kubernetes/manifests/kube-apiserver.yaml
      6. Press i to switch to the edit mode and add the followings to args according to the K8s version you actually use.
      Note:
      Self-deployed cluster of K8s v1.10.5. You need to remove kube-apiserver.yaml from the /etc/kubernetes/manifests directory and move it back to the directory after you have completed the editing.
      K8S v1.13+:
       --encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml
      K8S v1.10 - v1.12:
      --experimental-encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml
      7. Add Volume command to /var/run/tke-kms-plugin/server.sock. The location and content for adding is as follows:
      Note:
      /var/run/tke-kms-plugin/server.sock is a unix socket that is listened when tke kms server is launched. kube apiserver will access tke kms server by accessing the socket.
      Add the followings for volumeMounts::
      - mountPath: /var/run/tke-kms-plugin
        name: tke-kms-plugin-dir
      Add the followings for volume::
      - hostPath:
          path: /var/run/tke-kms-plugin
        name: tke-kms-plugin-dir
      8. When the editing is finished, press Esc, enter :wq and save the /etc/kubernetes/manifests/kube-apiserver.yaml file. Wait for kube-apiserver to restart.

      Verification

      1. Log in to the node of the cluster and run the following command to create a Secret. 
      kubectl create secret generic kms-secret -n default --from-literal=mykey=mydata
      2. Run the following command to verify if the Secret has been decrypted correctly. 
      kubectl get secret kms-secret -o=jsonpath='{.data.mykey}' | base64 -d
      3. If the output value is mydata, i.e. it is equal to the value of Secret, it means Secret has been decrypted correctly. See the figure below:
      

      References

      For more information about Kubernetes KMS, see Using a KMS provider for data encryption.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy