Encrypting Secret Data at Rest (#8574)
* change default value for Encrypting Secret Data at Rest to secretbox, remove experimental flag and add documentation * fix MD012/no-multiple-blanks
This commit is contained in:
parent
e053ee4272
commit
36393d77d3
3 changed files with 24 additions and 2 deletions
22
docs/encrypting-secret-data-at-rest.md
Normal file
22
docs/encrypting-secret-data-at-rest.md
Normal file
|
@ -0,0 +1,22 @@
|
|||
# Encrypting Secret Data at Rest
|
||||
|
||||
Before enabling Encrypting Secret Data at Rest, please read the following documentation carefully.
|
||||
|
||||
<https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/>
|
||||
|
||||
As you can see from the documentation above, 5 encryption providers are supported as of today (22.02.2022).
|
||||
|
||||
As default value for the provider we have chosen `secretbox`.
|
||||
|
||||
Alternatively you can use the values `identity`, `aesgcm`, `aescbc` or `kms`.
|
||||
|
||||
| Provider | Why we have decided against the value as default |
|
||||
|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| identity | no encryption |
|
||||
| aesgcm | Must be rotated every 200k writes |
|
||||
| aescbc | Not recommended due to CBC's vulnerability to padding oracle attacks. |
|
||||
| kms | Is the official recommended way, but assumes that a key management service independent of Kubernetes exists, we cannot assume this in all environments, so not a suitable default value. |
|
||||
|
||||
## Details about Secretbox
|
||||
|
||||
Secretbox uses [Poly1305](https://cr.yp.to/mac.html) as message-authentication code and [XSalsa20](https://www.xsalsa20.com/) as secret-key authenticated encryption and secret-key encryption.
|
|
@ -146,7 +146,7 @@ kube_proxy_nodeport_addresses: >-
|
|||
# {{ inventory_hostname }}
|
||||
# {%- endif -%}
|
||||
|
||||
## Encrypting Secret Data at Rest (experimental)
|
||||
## Encrypting Secret Data at Rest
|
||||
kube_encrypt_secret_data: false
|
||||
|
||||
# Graceful Node Shutdown (Kubernetes >= 1.21.0), see https://kubernetes.io/blog/2021/04/21/graceful-node-shutdown-beta/
|
||||
|
|
|
@ -144,7 +144,7 @@ controller_manager_extra_volumes: {}
|
|||
kube_encrypt_secret_data: false
|
||||
kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
|
||||
# Must be either: aescbc, secretbox or aesgcm
|
||||
kube_encryption_algorithm: "aescbc"
|
||||
kube_encryption_algorithm: "secretbox"
|
||||
# Which kubernetes resources to encrypt
|
||||
kube_encryption_resources: [secrets]
|
||||
|
||||
|
|
Loading…
Reference in a new issue