How to enable etcd encryption in VMware Enterprise PKS
Article ID: 345556
Updated On:
Products
VMware
Issue/Introduction
Symptoms:
-
You would like to enable the etcd encryption for the K8S clusters deployed by VMware Enterprise PKS.
-
You do not see an option in the PKS tile or to any of the pks commands to modify the kube-apiserver to enable the etcd encryption.
Environment
VMware PKS 1.x
Cause
To enable etcd encryption, the kube-apiserver must start with a specific switch. The kube-apiserver process accepts the --encryption-provider-config argument that controls how API data is encrypted in etcd.
This option can be added to the kube-apiserver config file for Enterprise PKS at /var/vcap/jobs/kube-apiserver/config/bpm.yml but is not persistent. If the VM is recreated or if a cluster upgrade is performed, any manual modifications made will be overwritten with the stemcell release configuration.
This option can be added to the kube-apiserver config file for Enterprise PKS at /var/vcap/jobs/kube-apiserver/config/bpm.yml but is not persistent. If the VM is recreated or if a cluster upgrade is performed, any manual modifications made will be overwritten with the stemcell release configuration.
Resolution
This is an expected behavior in VMware Enterprise PKS. Currently, we do not have any workaround.
Additional Information
To be alerted when this article is updated, click the subscribe button [cid:[email protected]] . For more information on KB subscription features, see the Knowledge Base Article FAQs: How to Subscribe to VMware Knowledge Base Articles (76417).
Impact/Risks:
By default, etcd data is not encrypted and can be viewed if a user has access to the etcd servers or if the user has access to the pod which has the secret mounted to it.
Impact/Risks:
By default, etcd data is not encrypted and can be viewed if a user has access to the etcd servers or if the user has access to the pod which has the secret mounted to it.
Feedback
Yes
No
Powered by
