Kubernetes secrets are not encrypted by default in EKS even though the etcd EBS volumes themselves use encryption at rest. Technically they are not in clear text on the disk volumes, but they are in clear text (base64 encoded) in the etcd database.
You can enable envelope encryption using the AWS Encryption Provider. This will encrypt each secret using individual data keys which are in turn encrypted using a master key stored in KMS.
Background: https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/
How to enable on the cluster: https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html
Even with secrets encrypted you still need to control who can read these secrets in the cluster. You can use Secrets Manager integration with EKS to manage fine-grained access to the secrets. https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
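The enablement procedure the answer links to, as an added example that is not part of the answer or of the AWS docs: associate a KMS key with the cluster's secrets encryption config, wait for the asynchronous update, rewrite existing secrets so they are re-encrypted, and verify from `describe-cluster` output. It assumes AWS CLI v2 and kubectl are configured; the cluster name, key ARN and the sample describe output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the re:Post answer): enable envelope encryption of
# Kubernetes Secrets on an EKS cluster with a KMS key, wait for the update,
# re-encrypt existing secrets, and verify. Assumes AWS CLI v2 and kubectl are
# configured; the cluster name and key ARN below are placeholders.
set -eu

# The encryptionConfig EKS expects: "secrets" is the only supported resource;
# the KMS key wraps the per-secret data keys (envelope encryption).
encryption_config_json() {
  printf '[{"resources":["secrets"],"provider":{"keyArn":"%s"}}]' "$1"
}

# Check `aws eks describe-cluster` output (passed as $1) for an encryption
# config covering secrets with key ARN $2. Returns 0 if present, 1 otherwise.
secrets_encryption_enabled() {
  compact=$(printf '%s' "$1" | tr -d ' \n\t')
  printf '%s' "$compact" | grep -qF '"resources":["secrets"]' &&
    printf '%s' "$compact" | grep -qF "\"keyArn\":\"$2\""
}

# Associate the key with the cluster and poll the asynchronous update.
# Caveat: once enabled, secrets encryption cannot be disabled on the cluster.
enable_secrets_encryption() {
  cluster="$1"; key_arn="$2"
  update_id=$(aws eks associate-encryption-config --cluster-name "$cluster" \
    --encryption-config "$(encryption_config_json "$key_arn")" \
    --query 'update.id' --output text)
  while :; do
    status=$(aws eks describe-update --name "$cluster" --update-id "$update_id" \
      --query 'update.status' --output text)
    case "$status" in
      Successful) break ;;
      Failed|Cancelled) echo "encryption update $status" >&2; return 1 ;;
      *) sleep 30 ;;
    esac
  done
  # Secrets written before the change stay unencrypted in etcd until rewritten.
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
  # Confirm the cluster now reports the configuration.
  secrets_encryption_enabled "$(aws eks describe-cluster --name "$cluster")" "$key_arn"
}

# Constructed sample of describe-cluster output, used only for offline checks.
SAMPLE_DESCRIBE='{"cluster": {"name": "example", "encryptionConfig": [
  {"resources": ["secrets"],
   "provider": {"keyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}]}}'

# Real run (uncomment with your values):
# enable_secrets_encryption my-cluster arn:aws:kms:us-east-1:111122223333:key/EXAMPLE
```

The `kubectl replace` step matters because enabling the provider only affects secrets written afterwards; the verification function works on any saved `describe-cluster` JSON, so it can also be used as a periodic compliance check.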
I don't think so, because the console clearly tells something else: https://stackoverflow.com/a/74189115/13126651. Even this link also states that they are encrypted, verified by the AWS Support team: https://github.com/aws/containers-roadmap/issues/263#issuecomment-525232223
There are different encryption levels. The whole etcd database is encrypted at rest by default. The individual secrets objects in the etcd database can be optionally encrypted using the AWS Encryption Provider and envelope encryption. Both layers of encryption are described in the GitHub issue you referenced.
Maybe it is semantics, but two different things.