Container Service for Kubernetes (ACK) allows you to use a customer master key (CMK) in Key Management Service (KMS) to encrypt the Secrets of Kubernetes clusters at rest.
Scenarios
ACK provides extensive capabilities for orchestrating operations, and in doing so it handles Secrets such as passwords, certificates, credentials, and access keys across products, services, and modules. ACK uses Kubernetes Secret objects to store and manage the sensitive information of the cluster itself and of the business applications that run in it. This sensitive information is persisted in etcd, whose replication feature spreads copies of it across the cluster's distributed storage.
A freshly initialized Kubernetes cluster (with no business workloads) already holds about 50 Secrets. The leak of a single Secret may cause immeasurable loss to the cluster, the business system, or even the entire enterprise. Therefore, you must protect the Secrets stored in Kubernetes clusters.
Encryption mechanism
- When you store a Kubernetes Secret through the Kubernetes Secret API, the API server generates a random data key and uses it to encrypt your Secret (the business key material). The system then uses a CMK in KMS to encrypt the data key and stores the ciphertext of the data key in etcd.
- When the Kubernetes Secret is read, the system first calls the Decrypt operation of KMS to decrypt the data key. It then uses the plaintext data key to decrypt the Kubernetes Secret and returns the decrypted Secret.
Prerequisites
- The Alibaba Cloud account within which you use ACK is assigned the AliyunCSManagedSecurityRole role. If you try to enable Secret encryption at rest for a new or existing professional managed Kubernetes cluster from an Alibaba Cloud account that is not assigned this role, you are prompted to assign the role to the account first.
- The RAM user that you use to log on to the ACK console is granted the AliyunKMSCryptoAdminAccess permission. For more information, see Grant permissions to a RAM user.
- A CMK is created in the KMS console. For more information, see Create a CMK.
Note: Only CMKs of the Aliyun_AES_256 type are supported.
Create a professional managed Kubernetes cluster and enable Secret encryption at rest
Enable Secret encryption at rest for an existing professional managed Kubernetes cluster
Results
If the Event Detail Query page of the ActionTrail console shows encryption or decryption events performed by the AliyunCSManagedSecurityRole role, Secret encryption at rest is enabled for the cluster. All records of calls made with the KMS CMK can be viewed in the ActionTrail console.