- Newest
- Most votes
- Most comments
Kubernetes secrets are not encrypted by default in EKS even though the etcd EBS volumes themselves use encryption at rest. Technically they are not in clear text on the disk volumes, but they are in clear text (base64 encoded) in the etcd database.
You can enable envelope encryption using the AWS Encryption Provider. This will encrypt each secret using individual data keys which are in turn encrypted using a master key stored in KMS.
Background: https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/
How to enable on the cluster: https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html
Even with secrets encrypted you still need to control who can read these secrets in the cluster. You can use Secrets Manager integration with EKS to manage fine grained access to the secrets. https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
Relevant content
- asked 4 years ago
AWS OFFICIALUpdated 3 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
I dont think so because console clearly tells something else https://stackoverflow.com/a/74189115/13126651 Even this link also states that they are encrypted verified by AWS Support team https://github.com/aws/containers-roadmap/issues/263#issuecomment-525232223
There is different encryption levels. The whole etcd database is encrypted at rest by default. The individual secrets objects in the etcd database can be optionally encrypted using the AWS Encryption Provider and envelop encryption. Both layers of encryption are described in the GitHub issue you referenced.
Maybe it is semantics, but two different things.