Tencent Cloud TKE now supports KMS integration as a built-in option, so there is no need to install this plugin separately. For details, refer to "Using KMS for Kubernetes data encryption" (使用 KMS 进行 Kubernetes 数据加密).

Kubernetes KMS provider plugin for Tencent Cloud: enables encryption and decryption of Kubernetes Secrets with Tencent Cloud Key Management Service (KMS).
Prerequisites:

- Kubernetes cluster of version 1.10.0 or later (e.g. TKE standalone clusters of version v1.10.5+)
- Etcd v3 or later

Deploy the plugin:

- Clone this repo and cd to `tke-kms-plugin`
- Build and push the image:

```sh
# such as ccr.ccs.tencentyun.com/<your-project>
REGISTRY=<your-docker-registry-prefix>
VERSION=1.0.0
REGISTRY=$REGISTRY VERSION=$VERSION make image
docker push $REGISTRY/tke-kms-plugin:$VERSION
```
- Create a new key of type `ENCRYPT_DECRYPT` (symmetric encryption/decryption) at the KMS Console.
- Create a new CAM Secret at the CAM console or use an existing one. The secret should at least be allowed to perform the following actions: `kms:Decrypt`, `kms:DescribeKey`, `kms:Encrypt`, `kms:ReEncrypt`.
- Replace the following placeholders in tke-kms-plugin.yaml:
  - `{{REGION}}`: the region of the KMS service; valid values: `ap-beijing`, `ap-guangzhou`, `ap-shanghai`
  - `{{KEY_ID}}`: the id (in UUID format) of the KMS key you just created
  - `{{SECRET_ID}}` and `{{SECRET_KEY}}`: the CAM Secret ID and Key you just created

```sh
REGION=<region>
KEY_ID=<your-key-id>
SECRET_ID=<your-secret-id>
SECRET_KEY=<your-secret-key>
sed "s/{{REGION}}/$REGION/g; s/{{KEY_ID}}/$KEY_ID/g; s/{{SECRET_ID}}/$SECRET_ID/g; s/{{SECRET_KEY}}/$SECRET_KEY/g" deployment/tke-kms-plugin.yaml > ds-tke-kms-plugin.yaml
```

  The generated ds-tke-kms-plugin.yaml now contains the CAM Secret Key in plaintext; keep it out of version control.

- (Optional) If you prefer to use your own docker image, replace `image: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0` with your own image.
- Create the tke-kms-plugin daemonset:

```sh
kubectl apply -f ds-tke-kms-plugin.yaml
```

- Ensure all tke-kms-plugin pods are running:

```sh
kubectl get po -n kube-system -l name=tke-kms-plugin
```
On all masters:

- Create `/etc/kubernetes/encryption-provider-config.yaml` with the following content. Note: for K8s v1.10~v1.13, you can specify the `timeout` parameter, although it is not supported.

  - for K8s v1.13+:

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: tke-kms-plugin
          timeout: 3s
          cachesize: 1000
          endpoint: unix:///var/run/tke-kms-plugin/server.sock
      - identity: {}
```

  - for K8s v1.10~v1.12:

```yaml
apiVersion: v1
kind: EncryptionConfig
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: tke-kms-plugin
          timeout: 3s
          cachesize: 1000
          endpoint: unix:///var/run/tke-kms-plugin/server.sock
      - identity: {}
```
- Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` (for TKE standalone clusters; for TKE v1.10.5 you need to move kube-apiserver.yaml out of the `/etc/kubernetes/manifests` directory, edit it, and move it back):
  - Add the following flag to the `args` array:
    - for K8s v1.13+: `--encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml`
    - for K8s v1.10~v1.12: `--experimental-encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml`
  - Add volume directives for `/var/run/tke-kms-plugin/server.sock`:

```yaml
...
    volumeMounts:
      - mountPath: /var/run/tke-kms-plugin
        name: tke-kms-plugin-dir
...
  volumes:
    - hostPath:
        path: /var/run/tke-kms-plugin
      name: tke-kms-plugin-dir
...
```

kube-apiserver will restart after you finish editing and save the file `/etc/kubernetes/manifests/kube-apiserver.yaml`.
Verify the setup:

1. Create a new secret:

```sh
kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
```

2. Verify the secret is correctly decrypted:

```sh
kubectl get secret secret1 -o=jsonpath='{.data.mykey}' | base64 -d
```

The output should be `mydata`, the same as the value we used to create the secret.
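Reading the secret back through the API server only proves decryption works; it does not prove the data is encrypted in etcd (if `identity` were listed before `kms`, Secrets would be stored in plaintext and still read back fine). The script below is an added example, not part of the tke-kms-plugin project: it reads the raw etcd value of a Secret and checks for the `k8s:enc:kms:v1:tke-kms-plugin:` envelope prefix that the KMS v1 provider named `tke-kms-plugin` writes. The etcd endpoint and certificate paths are assumptions; adjust them for your cluster.

```shell
#!/bin/sh
# Added example, not part of the tke-kms-plugin project: check that a Secret is
# stored in etcd under the KMS envelope written by the provider "tke-kms-plugin".

# Envelope prefix the Kubernetes KMS v1 provider writes: k8s:enc:kms:v1:<name>:
# where <name> is the provider name from encryption-provider-config.yaml.
KMS_PREFIX="k8s:enc:kms:v1:tke-kms-plugin:"

# check_encrypted RAW_VALUE
# Prints how the value is stored and returns 0 only when it carries the
# expected prefix, 1 otherwise (plaintext or a different provider).
check_encrypted() {
  case "$1" in
    "$KMS_PREFIX"*) echo "kms:tke-kms-plugin"; return 0 ;;
    k8s:enc:*)      echo "other-provider";     return 1 ;;
    *)              echo "plaintext";          return 1 ;;
  esac
}

# read_secret_raw NAMESPACE NAME
# Prints the raw etcd value of the Secret. Endpoint and certificate paths are
# assumptions (typical kubeadm layout); override them via the environment.
read_secret_raw() {
  ETCDCTL_API=3 etcdctl \
    --endpoints="${ETCD_ENDPOINTS:-https://127.0.0.1:2379}" \
    --cacert="${ETCD_CACERT:-/etc/kubernetes/pki/etcd/ca.crt}" \
    --cert="${ETCD_CERT:-/etc/kubernetes/pki/etcd/server.crt}" \
    --key="${ETCD_KEY:-/etc/kubernetes/pki/etcd/server.key}" \
    get "/registry/secrets/$1/$2" --print-value-only
}

# Usage: sh verify-kms.sh default secret1
if [ "$#" -eq 2 ]; then
  raw=$(read_secret_raw "$1" "$2") || exit 2
  storage=$(check_encrypted "$raw")
  rc=$?
  echo "$1/$2 stored as: $storage"
  exit "$rc"
fi
```

Run it on a master after creating secret1; a non-zero exit with `plaintext` means the provider order or the apiserver flag is wrong, and Secrets created before the change are only re-encrypted once they are rewritten.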
For more information about the Kubernetes KMS provider, please refer to Using a KMS provider for data encryption.