When creating a KMS key for encrypting Kubernetes secrets, the roles assigned to the administrative and usage permissions determine who is allowed to perform certain actions on the key.
For the administrative permissions, you should choose the role that will be responsible for managing the key, such as creating, modifying, or deleting it. This role should typically be assigned to a user or group within your organisation that has the necessary privileges for managing KMS keys.
For the usage permissions, you should choose the role that will be used to perform the encryption and decryption operations on the key. In the case of Kubernetes secrets, this role should be assigned to the worker nodes that run the containers in your cluster. You can do this by granting the necessary permissions to the worker node IAM role.
Ref: https://archive.eksworkshop.com/beginner/191_secrets
https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth
https://aws.github.io/aws-eks-best-practices/security/docs/data/
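As an added example that is not part of the answer above or of any AWS project, the following Python script builds a KMS key policy that separates the administrative and usage permissions the answer describes, checks that the separation actually holds before the key is created, and prints the two AWS CLI commands that use it. The account ID, role ARNs and cluster name are placeholders; the action lists mirror what the KMS console generates for "key administrators" and "key users". The grant statement is included because AWS services, EKS among them, attach to a key through KMS grants (the EKS blog linked above shows this); which IAM role you put in the usage slot is still your decision.

```python
"""Build and sanity-check a KMS key policy for EKS secrets encryption.

Added example for this thread. Every identifier below is a constructed
placeholder, not a value from the original post or from AWS.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"                                   # placeholder
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdmins"   # placeholder
USAGE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/eks-secrets-key-user"  # placeholder

# Console-style action sets: administrators manage the key but never use it
# for cryptography; users do cryptography but cannot change or delete the key.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(account_id, admin_role_arn, usage_role_arn):
    """Return the key policy document as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this statement the key becomes unmanageable if the
                # admin role is ever deleted; keep it.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowKeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": admin_role_arn},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "AllowKeyUsage", "Effect": "Allow",
             "Principal": {"AWS": usage_role_arn},
             "Action": USAGE_ACTIONS, "Resource": "*"},
            {   # AWS services attach to a key via grants; restrict grant
                # creation to that case only.
                "Sid": "AllowGrantsForAWSResources", "Effect": "Allow",
                "Principal": {"AWS": usage_role_arn},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_can(policy, principal_arn, action):
    """True if some Allow statement names the principal and an action pattern
    matching `action`. Conditions are not evaluated, so True means 'possible'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            return True
    return False


def validate_key_policy(policy, account_id, admin_role_arn, usage_role_arn):
    """Return a list of findings; an empty list means the separation holds."""
    findings = []
    root = f"arn:aws:iam::{account_id}:root"
    if not principal_can(policy, root, "kms:PutKeyPolicy"):
        findings.append("account root cannot change the key policy: key may become unmanageable")
    for action in ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"):
        if not principal_can(policy, usage_role_arn, action):
            findings.append(f"usage role lacks {action}")
        if principal_can(policy, admin_role_arn, action):
            findings.append(f"admin role can {action}: admin and usage are not separated")
    for action in ("kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:DisableKey"):
        if principal_can(policy, usage_role_arn, action):
            findings.append(f"usage role can {action}: it can administer the key")
    return findings


def cli_commands(cluster_name, policy_file="key-policy.json", key_arn="<KEY_ARN>"):
    """The two CLI calls that create the key and turn on secrets encryption."""
    enc = json.dumps([{"resources": ["secrets"], "provider": {"keyArn": key_arn}}])
    return [
        f"aws kms create-key --description 'EKS secrets encryption' --policy file://{policy_file}",
        f"aws eks associate-encryption-config --cluster-name {cluster_name} --encryption-config '{enc}'",
    ]


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, ADMIN_ROLE_ARN, USAGE_ROLE_ARN)
    problems = validate_key_policy(policy, ACCOUNT_ID, ADMIN_ROLE_ARN, USAGE_ROLE_ARN)
    if problems:
        raise SystemExit("\n".join(problems))
    with open("key-policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    print("\n".join(cli_commands("my-cluster")))   # placeholder cluster name
```

Run the script once, then replace `<KEY_ARN>` in the second command with the `KeyArn` returned by `create-key`. The validator is deliberately coarse: it does not evaluate conditions, so it reports what a principal could do, not what it will be allowed to do in every request.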