Manage Kubernetes Secrets

Published: 2020-12-11

Encrypting your data in etcd

Create a new encryption config file. Generate a random key and paste the base64 output into the secret field:

head -c 32 /dev/urandom | base64
vi /etc/kubernetes/etcd/ec.yaml

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64 key>   # Password must be 16, 32 or 64 Bit long
      - identity: {}

Add a kube-apiserver parameter (the kubelet restarts the static pod as soon as the manifest is saved):

vi /etc/kubernetes/manifests/kube-apiserver.yaml
    - --encryption-provider-config=/etc/kubernetes/etcd/ec.yaml

Add under volumeMounts:
    - mountPath: /etc/kubernetes/etcd
      name: etcd
      readOnly: true

Add under volumes:
    - hostPath:
        path: /etc/kubernetes/etcd
        type: DirectoryOrCreate
      name: etcd

Read a secret from etcd

ETCDCTL_API=3 etcdctl --cert /etc/kubernetes/pki/apiserver-etcd-client.crt --key /etc/kubernetes/pki/apiserver-etcd-client.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/secure-ingress

A secret written with the configuration above is stored with the prefix k8s:enc:aescbc:v1:key1: followed by ciphertext; a secret still stored in plaintext starts with k8s and shows the readable JSON of the object.

Rewrite a secret so it is stored encrypted (k is an alias for kubectl):

k get secret secure-ingress -o yaml | k replace -f -

Rewrite all secrets. Only after this has completed, remove the "- identity: {}" provider from the configuration:

kubectl get secrets --all-namespaces -o json | kubectl replace -f -
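As an added example (not part of the original post), the procedure above as a small POSIX shell script: it generates the key, writes the EncryptionConfiguration from the post, and checks an etcdctl value for the k8s:enc:aescbc:v1: prefix that marks an encrypted secret. The certificate paths are those from the post; the sample etcd values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Cert paths are the ones used
# above; the sample etcd values at the bottom are constructed, not real data.

# Print a base64-encoded 32-byte random key (AES-256 for the aescbc provider).
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write the EncryptionConfiguration to $1 using the base64 key in $2.
# aescbc listed first: new writes are encrypted. identity kept last: entries
# still stored in plaintext can be read until they have been rewritten.
write_encryption_config() {
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $2
      - identity: {}
EOF
}

# Return 0 if a raw etcd value carries the aescbc envelope prefix the
# apiserver writes, 1 if the secret is still stored in plaintext.
is_encrypted() {
  case "$1" in
    k8s:enc:aescbc:v1:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fetch the raw value for secret $2 in namespace $1 and report whether it is
# encrypted (needs etcdctl and the client certs on the control-plane node).
check_secret_in_etcd() {
  value=$(ETCDCTL_API=3 etcdctl --cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
    --key /etc/kubernetes/pki/apiserver-etcd-client.key \
    --cacert /etc/kubernetes/pki/etcd/ca.crt \
    get "/registry/secrets/$1/$2" --print-value-only)
  is_encrypted "$value"
}

# Constructed samples standing in for etcdctl output (not real cluster data).
PLAINTEXT_SAMPLE='k8s{"kind":"Secret","apiVersion":"v1","metadata":{"name":"demo"}}'
ENCRYPTED_SAMPLE='k8s:enc:aescbc:v1:key1:Qm9ndXNDaXBoZXJ0ZXh0'
```

Run check_secret_in_etcd default secure-ingress on the control-plane node before and after the kubectl replace step to confirm the rewrite actually changed what etcd stores.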