Article ID: 345556
Updated On:
Cause
To enable etcd encryption, the kube-apiserver must be started with a specific command-line flag. The kube-apiserver process accepts the --encryption-provider-config argument, which points to a configuration file that controls how API data (for example Secrets) is encrypted at rest in etcd.
In Enterprise PKS this flag can be added to the kube-apiserver configuration file at /var/vcap/jobs/kube-apiserver/config/bpm.yml, but the change is not persistent: if the VM is recreated or a cluster upgrade is performed, any manual modifications are overwritten with the stemcell release configuration.
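As an added illustration (not part of the VMware KB article), the file that --encryption-provider-config points to uses the Kubernetes EncryptionConfiguration format; the file path and the key value below are placeholders.

```yaml
# Assumed location (not from the article):
#   /var/vcap/jobs/kube-apiserver/config/encryption-config.yaml
# Referenced from the kube-apiserver arguments as:
#   --encryption-provider-config=/var/vcap/jobs/kube-apiserver/config/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets            # only Secret objects are covered; list other resource types as needed
    providers:
      # Order matters: the first provider encrypts new writes, and every listed
      # provider is tried when reading. If "identity" were listed first, new writes
      # would be stored in plaintext, which is the default behavior the article describes.
      - aescbc:
          keys:
            - name: key1
              # PLACEHOLDER: replace with a base64-encoded 32-byte random key,
              # e.g. generated with: head -c 32 /dev/urandom | base64
              secret: <BASE64-ENCODED-32-BYTE-KEY>
      # Keep "identity" last so entries written before encryption was enabled stay
      # readable until they are rewritten, e.g.:
      #   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
      - identity: {}
```

As the article notes for Enterprise PKS, both the bpm.yml flag and this file are lost when the VM is recreated or the cluster is upgraded, so a cluster should be re-verified after either event.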
Resolution
This is expected behavior in VMware Enterprise PKS. Currently, there is no workaround.
Additional Information
Impact/Risks:
By default, etcd data is not encrypted at rest and can be read by any user who has access to the etcd servers, or to a pod that has the secret mounted into it.