Updated on 2025-04-27 GMT+08:00

Using KMS to Encrypt Secrets

Huawei Cloud Data Encryption Workshop (DEW) provides secure, easy-to-use Key Management Service (KMS). With KMS keys, you can encrypt Kubernetes secrets stored in CCE to safeguard sensitive data for your applications.

  • Secret encryption can only be enabled when creating a CCE Standard or Turbo cluster. It cannot be enabled for an existing cluster, and once enabled it cannot be disabled.
  • This function is being rolled out gradually. For the regions where it is available, see the console.

KMS Data Encryption

Kubernetes clusters often use secrets to manage and store sensitive data for service applications, including passwords, TLS certificates, and Docker image download credentials. All secret data in Kubernetes is stored in the etcd of the target cluster.

In CCE clusters, Kubernetes secrets can be encrypted using KMS keys. KMS encryption uses the KMS Encryption Provider mechanism offered by Kubernetes and envelope encryption to automatically secure Kubernetes secrets stored in etcd. For details, see Using a KMS provider for data encryption.

Prerequisites

  • Make sure that you have created a KMS key on Huawei Cloud DEW and that both the key and your CCE cluster are in the same region.

    If you have enabled secret encryption, do not disable or delete the key selected during cluster creation using the DEW console or open APIs. Otherwise, the cluster API server may become unavailable, which can affect the proper running of service applications.

  • Make sure that your account has granted the cce_trust_kms agency permission to CCE. This agency is used by CCE clusters to obtain, encrypt, and decrypt keys. You can grant this permission during the dependency check when using secret encryption for the first time.

    Do not delete the agency. Otherwise, the cluster with secret encryption enabled will be unavailable.

Enabling Secret Encryption

  1. Log in to the CCE console.
  2. On the Clusters page, click Buy Cluster in the upper right corner.
  3. In the lower part of the page, expand Advanced Settings, locate Secret Encryption, and enable it.

    Choose a custom key or the default key.

  4. Configure other parameters by referring to Buying a CCE Standard/Turbo Cluster and create the cluster.
  5. After the cluster is created, click the cluster name to go to the cluster page. In the navigation pane, choose Settings. In the Cluster Settings area on the Dashboard page, verify that secret encryption has been enabled.

Using an Automatic Rotation Key to Enable Secret Encryption

You can use KMS automatic rotation to encrypt secrets. If automatic key rotation is used, your existing secrets will still be encrypted with the previous key, but any new secrets will be encrypted with the updated key.

To encrypt existing secrets with the updated key after the key is automatically rotated, run the following command. Annotating every secret rewrites it, and each rewrite passes through the encryption provider again, so the API server re-encrypts the secret with the current key version:

kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - encryption-key-rotation-time="$(date -u +'%Y-%m-%dT%H:%M:%S%z')"
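The following model is an added illustration and is not CCE, DEW or Kubernetes code. It shows the envelope-encryption layering that the KMS provider mechanism described above relies on (a per-secret data encryption key wrapped by the KMS key, with the key version recorded next to the ciphertext) and the rotation behaviour just described: after rotation, existing secrets still depend on the old key version until they are rewritten, which is what the annotate command triggers, and a key version that any stored secret still references must not be deleted. All class and function names (KmsKey, SecretStore, rewrite_all, versions_in_use) are assumptions made for the model; the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for AES-GCM so that the file runs with the standard library only, and it is not a real cipher.

```python
"""Added model of envelope encryption with a rotating KMS key (not CCE code).
Toy cipher: HMAC-SHA256 keystream plus HMAC tag, a stand-in for AES-GCM."""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Encrypt and authenticate; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def open_(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on tampering or a wrong key."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


class KmsKey:
    """A KMS key (KEK) with numbered versions, as produced by automatic rotation."""

    def __init__(self) -> None:
        self.versions = {1: secrets.token_bytes(32)}
        self.current = 1

    def rotate(self) -> int:
        """Add a new key version; older versions stay available for decryption."""
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(32)
        return self.current

    def wrap(self, dek: bytes) -> dict:
        """Encrypt a DEK under the current version and record which version was used."""
        nonce, ct, tag = seal(self.versions[self.current], dek)
        return {"version": self.current, "nonce": nonce, "ct": ct, "tag": tag}

    def unwrap(self, wrapped: dict) -> bytes:
        """Decrypt a DEK with the version it was wrapped under (fails if deleted)."""
        if wrapped["version"] not in self.versions:
            raise KeyError(f"KMS key version {wrapped['version']} no longer exists")
        kek = self.versions[wrapped["version"]]
        return open_(kek, wrapped["nonce"], wrapped["ct"], wrapped["tag"])


class SecretStore:
    """etcd-like store in which every write passes through the encryption provider."""

    def __init__(self, kms: KmsKey) -> None:
        self.kms = kms
        self._rows: dict[str, dict] = {}

    def write(self, name: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)  # fresh DEK for every write of every secret
        nonce, ct, tag = seal(dek, plaintext)
        self._rows[name] = {"wrapped_dek": self.kms.wrap(dek),
                            "nonce": nonce, "ct": ct, "tag": tag}

    def read(self, name: str) -> bytes:
        row = self._rows[name]
        dek = self.kms.unwrap(row["wrapped_dek"])
        return open_(dek, row["nonce"], row["ct"], row["tag"])

    def key_version(self, name: str) -> int:
        """KEK version currently protecting this secret's DEK."""
        return self._rows[name]["wrapped_dek"]["version"]

    def versions_in_use(self) -> set[int]:
        """KEK versions that must not be deleted while any secret depends on them."""
        return {r["wrapped_dek"]["version"] for r in self._rows.values()}

    def rewrite_all(self) -> int:
        """Re-save every secret, as 'kubectl annotate --overwrite' does; returns count."""
        for name in list(self._rows):
            self.write(name, self.read(name))
        return len(self._rows)


def demo() -> dict:
    """Walk through one rotation; returns the key version per secret before/after rewrite."""
    kms = KmsKey()
    store = SecretStore(kms)
    store.write("db-password", b"s3cr3t")              # constructed sample secret
    kms.rotate()                                        # automatic rotation occurs
    store.write("tls-cert", b"-----BEGIN CERT-----")   # constructed sample secret
    before = {n: store.key_version(n) for n in ("db-password", "tls-cert")}
    store.rewrite_all()
    after = {n: store.key_version(n) for n in ("db-password", "tls-cert")}
    return {"before": before, "after": after, "in_use": store.versions_in_use()}


if __name__ == "__main__":
    print(demo())
```

Running the file prints that db-password sits on version 1 and tls-cert on version 2 before the rewrite, and that both sit on version 2 afterwards, at which point version 1 is no longer in use. Deleting a version that versions_in_use() still reports makes read() fail with KeyError, which is the model's equivalent of the API server becoming unable to decrypt secrets when the selected key is deleted.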