Kubernetes KMS provider plugin for Tencent Cloud - Enable encryption/decryption for Kubernetes secrets by Tencent Cloud Key Management Service
- Kubernetes cluster of version 1.10.0 or later (e.g. TKE standalone clusters of version v1.10.5+)
- Etcd v3 or later
- Clone this repo and `cd` to `tke-kms-plugin`
- Build and push the image:

```sh
# such as ccr.ccs.tencentyun.com/<your-project>
REGISTRY=<your-docker-registry-prefix>
VERSION=1.0.0
REGISTRY=$REGISTRY VERSION=$VERSION make image
docker push $REGISTRY/tke-kms-plugin:$VERSION
```
- Create a new key of type `ENCRYPT_DECRYPT` (symmetric encryption/decryption) in the KMS console.
- Create a new CAM secret in the CAM console, or use an existing one. The CAM policy attached to the secret must allow at least the following actions: `"kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt"`. Prefer a dedicated CAM secret for this plugin whose policy is limited to these actions on this key, since the secret will live on every node that runs the plugin.
- Replace the following placeholders in `deployment/tke-kms-plugin.yaml`:
  - `{{REGION}}`: the region of the KMS service; valid values: `ap-beijing`, `ap-guangzhou`, `ap-shanghai`
  - `{{KEY_ID}}`: the id (in UUID format) of the KMS key you just created
  - `{{SECRET_ID}}` and `{{SECRET_KEY}}`: the CAM Secret ID and Secret Key you just created

```sh
REGION=<region>
KEY_ID=<your-key-id>
SECRET_ID=<your-secret-id>
SECRET_KEY=<your-secret-key>
sed "s/{{REGION}}/$REGION/g; s/{{KEY_ID}}/$KEY_ID/g; s/{{SECRET_ID}}/$SECRET_ID/g; s/{{SECRET_KEY}}/$SECRET_KEY/g" deployment/tke-kms-plugin.yaml > ds-tke-kms-plugin.yaml
```

  The rendered `ds-tke-kms-plugin.yaml` contains the CAM Secret Key in plaintext: keep it out of version control and delete it once applied. The `sed` expression uses `/` as its delimiter, so a value containing `/` or `&` would corrupt the output; check the rendered file for leftover `{{...}}` placeholders or mangled values before applying it.
- (Optional) If you prefer to use your own docker image, replace `image: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0` with the image you pushed above.
- Create the tke-kms-plugin daemonset:

```sh
kubectl apply -f ds-tke-kms-plugin.yaml
```

- Ensure all tke-kms-plugin pods are running:

```sh
kubectl get po -n kube-system -l name=tke-kms-plugin
```
On all masters:

- Create `/etc/kubernetes/encryption-provider-config.yaml` with the following content. Provider order matters: the first provider in the list is the one used to encrypt new writes, and `identity` must stay last so that secrets written before encryption was enabled can still be read. Putting `identity` first would leave new secrets in plaintext.

  Note: for K8s v1.10~v1.13 the `timeout` parameter can be specified, but it is not honoured.

  - for K8s v1.13+

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: tke-kms-plugin
          timeout: 3s
          cachesize: 1000
          endpoint: unix:///var/run/tke-kms-plugin/server.sock
      - identity: {}
```

  - for K8s v1.10~v1.12

```yaml
apiVersion: v1
kind: EncryptionConfig
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: tke-kms-plugin
          timeout: 3s
          cachesize: 1000
          endpoint: unix:///var/run/tke-kms-plugin/server.sock
      - identity: {}
```
- Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` (for TKE standalone clusters; on TKE v1.10.5 you need to move `kube-apiserver.yaml` out of the `/etc/kubernetes/manifests` directory, edit it, and move it back):

  - Add the following flag to the `args` array:
    - for K8s v1.13+: `--encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml`
    - for K8s v1.10~v1.12: `--experimental-encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml`

  - Add volume directives for `/var/run/tke-kms-plugin/server.sock`:

```yaml
...
    volumeMounts:
    - mountPath: /var/run/tke-kms-plugin
      name: tke-kms-plugin-dir
...
  volumes:
  - hostPath:
      path: /var/run/tke-kms-plugin
    name: tke-kms-plugin-dir
...
```

  If `/etc/kubernetes` is not already mounted into the kube-apiserver container, add a hostPath mount for `/etc/kubernetes/encryption-provider-config.yaml` in the same way; otherwise kube-apiserver cannot read the file and will not start.

kube-apiserver will restart after you finish editing and save the file `/etc/kubernetes/manifests/kube-apiserver.yaml`. Wait for the kube-apiserver pod to come back on each master before moving on to the next one.
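Before trusting the configuration, it is worth checking the two files edited above for the mistakes that silently disable encryption: `identity` listed before `kms`, a non-socket endpoint, a missing `--encryption-provider-config` flag, or a missing hostPath mount. The script below is an added example and is not part of tke-kms-plugin; it matches lines with `awk`/`grep` against the layout shown in this README rather than parsing YAML, and the file paths are the ones used above.

```sh
#!/bin/sh
# Added example (not part of tke-kms-plugin): lint the encryption config and
# the kube-apiserver static-pod manifest edited above.
#   - first provider for secrets must be kms (identity first = plaintext writes)
#   - identity should still be present so pre-existing plaintext secrets stay readable
#   - kms endpoint must be a unix:// socket
#   - kube-apiserver.yaml must carry the flag and the hostPath mount
# Usage: sh lint-kms.sh [encryption-provider-config.yaml] [kube-apiserver.yaml]

ENC_CONFIG="${1:-/etc/kubernetes/encryption-provider-config.yaml}"
APISERVER_MANIFEST="${2:-/etc/kubernetes/manifests/kube-apiserver.yaml}"
PLUGIN_SOCKET="/var/run/tke-kms-plugin/server.sock"

# providers_of FILE: print the provider names (kms, identity, aescbc, ...)
# in the order they appear under the first "providers:" key.
providers_of() {
  awk '
    /^[[:space:]]*providers:/ { inlist = 1; next }
    inlist && /^[[:space:]]*-[[:space:]]*resources:/ { exit }
    inlist && /^[[:space:]]*- [A-Za-z]+:/ { name = $2; sub(/:.*/, "", name); print name }
  ' "$1"
}

# lint_encryption_config FILE: return 0 when the provider list is safe.
lint_encryption_config() {
  first=$(providers_of "$1" | head -n 1)
  case "$first" in
    kms) ;;
    "") echo "FAIL: $1: no providers found" >&2; return 1 ;;
    identity) echo "FAIL: $1: identity is the first provider, new secrets would be stored in plaintext" >&2; return 1 ;;
    *) echo "FAIL: $1: first provider is '$first', expected kms" >&2; return 1 ;;
  esac
  if ! providers_of "$1" | grep -qx identity; then
    echo "WARN: $1: no identity provider, secrets written before encryption was enabled will be unreadable" >&2
  fi
  if ! grep -q 'endpoint: unix://' "$1"; then
    echo "FAIL: $1: kms endpoint must be a unix:// socket" >&2; return 1
  fi
  return 0
}

# lint_apiserver_manifest FILE: return 0 when the flag and the socket mount are present.
lint_apiserver_manifest() {
  if ! grep -Eq -- '--(experimental-)?encryption-provider-config=' "$1"; then
    echo "FAIL: $1: encryption-provider-config flag missing" >&2; return 1
  fi
  if ! grep -q 'mountPath: /var/run/tke-kms-plugin' "$1" || ! grep -q 'path: /var/run/tke-kms-plugin' "$1"; then
    echo "FAIL: $1: hostPath mount for /var/run/tke-kms-plugin missing" >&2; return 1
  fi
  return 0
}

# Only touch the real files when they exist, so the functions can also be sourced.
if [ -r "$ENC_CONFIG" ] && [ -r "$APISERVER_MANIFEST" ]; then
  lint_encryption_config "$ENC_CONFIG" && lint_apiserver_manifest "$APISERVER_MANIFEST" && echo "OK"
  [ -S "$PLUGIN_SOCKET" ] || echo "WARN: $PLUGIN_SOCKET not present on this master; is the daemonset running here?" >&2
fi
```

Run it on each master after editing; a `FAIL` means kube-apiserver is either not encrypting new secrets or will not start at all.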
1. Create a new secret:

```sh
kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
```

2. Verify the secret is correctly decrypted:

```sh
kubectl get secret secret1 -o=jsonpath='{.data.mykey}' | base64 -d
```

The output should be `mydata`, the same as the value we used to create the secret. This only proves that kube-apiserver can round-trip the secret through the plugin; to confirm it is actually encrypted at rest, read the key directly from etcd and check that the stored value starts with `k8s:enc:kms:v1:tke-kms-plugin:`. Secrets created before encryption was enabled remain in plaintext until they are rewritten, e.g. with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.
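The following script is an added example, not part of tke-kms-plugin, that does the at-rest check from the etcd side. kube-apiserver prefixes every value it encrypts with `k8s:enc:<provider>:v1:<provider-name>:`, so inspecting the first few bytes of the raw etcd value tells you which provider wrote it; a value stored by `identity` has no such prefix. The `etcdctl` endpoint and certificate paths are assumptions for a kubeadm-style layout and must be adjusted to your masters.

```sh
#!/bin/sh
# Added example (not part of tke-kms-plugin): verify that secrets are encrypted
# at rest by reading them straight from etcd and checking the provider prefix.
# Only the ASCII prefix is inspected, so the binary ciphertext after it is irrelevant.
#
# Assumed etcdctl flags (kubeadm-style paths); override with ETCDCTL=... if yours differ.
: "${ETCDCTL:=etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt --key=/etc/kubernetes/pki/apiserver-etcd-client.key}"
PLUGIN_NAME="tke-kms-plugin"

# storage_class VALUE: print how VALUE is stored: kms (this plugin), kms-other,
# aescbc, aesgcm, secretbox, or plaintext (identity provider / never encrypted).
storage_class() {
  case "$1" in
    "k8s:enc:kms:v1:${PLUGIN_NAME}:"*) echo kms ;;
    "k8s:enc:kms:v1:"*)                echo kms-other ;;
    "k8s:enc:aescbc:v1:"*)             echo aescbc ;;
    "k8s:enc:aesgcm:v1:"*)             echo aesgcm ;;
    "k8s:enc:secretbox:v1:"*)          echo secretbox ;;
    *)                                 echo plaintext ;;
  esac
}

# etcd_storage_class NAMESPACE NAME: storage class of one secret as held in etcd.
# NUL bytes are stripped because the raw value is binary after the prefix.
etcd_storage_class() {
  head=$(ETCDCTL_API=3 $ETCDCTL get "/registry/secrets/$1/$2" --print-value-only | head -c 64 | tr -d '\000')
  storage_class "$head"
}

# report_unencrypted: list every secret in etcd that is not encrypted by this plugin.
# etcdctl --keys-only separates keys with blank lines, hence the empty-line skip.
report_unencrypted() {
  ETCDCTL_API=3 $ETCDCTL get /registry/secrets/ --prefix --keys-only | while read -r key; do
    [ -n "$key" ] || continue
    ns=${key#/registry/secrets/}; ns=${ns%%/*}
    name=${key##*/}
    cls=$(etcd_storage_class "$ns" "$name")
    [ "$cls" = kms ] || echo "$key: $cls"
  done
}

# reencrypt_all_secrets: rewrite every secret through the API server so it is
# stored with the current first provider (the standard Kubernetes procedure).
reencrypt_all_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# sh etcd-check.sh <namespace> <name>  -> prints the storage class of that secret
if [ "$#" -eq 2 ]; then
  etcd_storage_class "$1" "$2"
fi
```

After creating `secret1` as above, `sh etcd-check.sh default secret1` should print `kms`; run `report_unencrypted` to find anything still in plaintext, then `reencrypt_all_secrets` and check again.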
For more information about the Kubernetes KMS provider, please refer to Using a KMS provider for data encryption.