Encrypting Kubernetes Secrets at Rest: A Step-by-Step Guide
HARSH VARDHAN SINGHTable of contents
- Why Encrypt Secrets at Rest?
- Step 1: Accessing the Master Node
- Step 2: Viewing the Contents of etcd
- Step 3: Searching for Secrets in etcd
- Step 4: Creating the Encryption Configuration File
- Explanation of the Encryption Configuration File
- Step 5: Configuring the Kubernetes API Server
- Step 6: Restart the API Server
- Step 7: Mounting the Encryption Configuration File into the API Server Pod
- Step 8: Verifying the Changes
- Step 9: Troubleshooting the API Server
- Conclusion
Kubernetes provides a robust and secure platform for orchestrating containerized applications, but managing sensitive information like passwords, API keys, and certificates (stored as Kubernetes secrets) is critical. By default, secrets in Kubernetes are stored in plain text within etcd, the key-value store for the cluster. This makes it essential to encrypt secrets at rest to prevent unauthorized access to sensitive data.
In this comprehensive guide, we’ll explore how to encrypt Kubernetes secrets at rest using an EncryptionConfiguration. We will cover everything from setting up the encryption configuration file, applying changes, and verifying that secrets are now encrypted in etcd.
Why Encrypt Secrets at Rest?
When Kubernetes secrets are stored in etcd, they are not encrypted by default. This can be a security risk, as anyone with access to the etcd datastore could potentially read sensitive data. Encrypting secrets at rest ensures that even if an attacker gains access to the storage layer, they will not be able to read the encrypted data without the appropriate decryption keys.
Step 1: Accessing the Master Node
To apply encryption settings to your Kubernetes cluster, you first need to access the master node. If you are using Minikube (a popular tool for running Kubernetes locally), you can SSH into the Minikube VM:
minikube ssh
If you are using a different Kubernetes setup, use SSH to access the master node where etcd is running.
Step 2: Viewing the Contents of etcd
To understand how secrets are stored by default, you can view the contents of the etcd datastore. The data is stored in binary format, and you need to navigate to the appropriate location where the etcd data is stored:
For a standard Kubernetes setup:
sudo vi /var/lib/etcd/member/snap/dbFor a Minikube setup:
sudo vi /var/lib/minikube/etcd/member/snap/db
Here, we use vi (or another text editor) to open the binary data file, and since the data is stored in binary format, you'll see non-human-readable characters.
Step 3: Searching for Secrets in etcd
To verify that secrets are stored in plain text, search for the key or value of a secret. In vi, type:
/keyorval
This search will reveal that secrets are indeed stored in plain text. To protect these secrets, we need to configure encryption at rest.
Step 4: Creating the Encryption Configuration File
To enable encryption, create an encryption configuration file on the master node. Let's create it at the following location:
sudo vi /etc/kubernetes/etcd-enc/etcd-encryption.yaml
Add the following content to the file:
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: YWJjZGVmZ2hpamtsbW5vcA==
- identity: {}
Explanation of the Encryption Configuration File
apiVersion:apiserver.config.k8s.io/v1: This specifies the API version for the configuration.kind: EncryptionConfiguration: This defines the type of configuration as an encryption configuration.resources:: This section specifies which Kubernetes resources should be encrypted. In our case, we are encrypting onlysecrets.providers:: This section defines the encryption providers and their order of preference.aescbc:: This specifies the use of the AES-CBC encryption method.keys:: The encryption keys used by theaescbcprovider.name: key1: The name of the encryption key.secret:: The base64-encoded secret key. In this case,YWJjZGVmZ2hpamtsbW5vcA==is a base64-encoded string.
identity:: This is a provider that stores data in plaintext. It acts as a fallback option if theaescbcprovider is unavailable.
Key Requirements for the Encryption Key
The encryption key (secret) must be base64-encoded and of a certain length (16, 24, or 32 bytes for AES). If the key is not properly encoded, Kubernetes will throw an error. You can generate a base64-encoded secret using the following command:
echo -n 'mysecretkey123456' | base64
Replace 'mysecretkey123456' with your actual key. This will output a base64-encoded string that you can use in the encryption configuration file.
Step 5: Configuring the Kubernetes API Server
The next step is to instruct the Kubernetes API server to use the newly created encryption configuration file. The API server's configuration is defined in the following file:
sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
This file is responsible for creating the pod for the API server. Add the following line under the - command: section:
- --encryption-provider-config=/etc/kubernetes/etcd-enc/etcd-encryption.yaml
This line tells the API server to use the encryption configuration file we created.
Step 6: Restart the API Server
After saving the changes to kube-apiserver.yaml, the API server will automatically restart with the new configuration. However, if you run the command:
kubectl get nodes
You will see an error. This occurs because the encryption configuration file exists on the host, but the API server container running inside a Kubernetes pod cannot access it.
Step 7: Mounting the Encryption Configuration File into the API Server Pod
To make the encryption configuration file accessible to the API server, mount it into the container. Open the kube-apiserver.yaml file again:
sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
Add the following under the volumeMounts: section:
- mountPath: /etc/kubernetes/etcd-enc
name: etc-kubernetes-etcd-enc
readOnly: true
And add the following under the volumes: section:
- hostPath:
path: /etc/kubernetes/etcd-enc
type: DirectoryOrCreate
name: etc-kubernetes-etcd-enc
Explanation of the Volume Mount Configuration
mountPath:: Specifies the path inside the container where the encryption configuration file will be mounted.name:: The name of the volume mount, which must match betweenvolumeMountsandvolumes.hostPath:: Specifies the path on the host machine where the encryption configuration file is located.type: DirectoryOrCreate: Ensures that the directory is created if it does not exist.
Step 8: Verifying the Changes
After saving and exiting the file, wait for a few moments while the API server restarts. Now, try to create a secret:
kubectl create secret generic test-secret4 --from-literal=key=value
Then, check the etcd datastore again:
For a standard Kubernetes setup:
sudo vi /var/lib/etcd/member/snap/dbFor a Minikube setup:
sudo vi /var/lib/minikube/etcd/member/snap/db
Try searching for the key or value again:
/keyOrval
This time, you should not find the secret stored in plain text, indicating that encryption at rest is working correctly!
Step 9: Troubleshooting the API Server
If the API server pod fails to start or if you encounter any errors, you can check the logs for detailed error messages. The logs can be found at:
cd /var/log/pods
Search for the correct pod directory for the API server. In a Minikube setup, it may look like:
cd kube-system_kube-apiserver-minikube_28a66b6eee103f0471478968cc9fe8c8/
Navigate into the directory:
cd kube-apiserver
Then, you can view the logs:
cat 1.log
If the path is different on your setup, the logs might be located at:
/var/log/kube-apiserver.log
Analyze the logs to find and fix any issues.
Conclusion
Encrypting Kubernetes secrets at rest is an essential security measure to protect sensitive data from unauthorized access. By following this guide, you have successfully configured encryption for your Kubernetes secrets, ensuring they are stored securely within etcd. Remember to monitor and manage encryption keys carefully, and regularly check logs for any issues or errors to maintain a secure and stable Kubernetes environment.
Subscribe to my newsletter
Read articles from HARSH VARDHAN SINGH directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
HARSH VARDHAN SINGH
HARSH VARDHAN SINGH
Hello there! My name is Harsh and I am a computer science undergraduate student. From a young age, I have been fascinated by the world of technology and how it impacts our daily lives. As I grew older, my passion for technology only intensified, which led me to pursue a degree in computer science. During my studies, I have developed a keen interest in the field of mobile app development, particularly in Flutter, a popular framework for building high-quality, native apps for both Android and iOS. I find the process of creating something from scratch, watching it come to life, and then seeing people use it to be an incredibly rewarding experience. In addition to mobile app development, I have also taken an interest in DevOps, a set of practices that emphasizes collaboration and communication between software developers and IT professionals. The ability to streamline and automate the software development process through DevOps is fascinating to me, and I believe it has the potential to revolutionize the industry. In addition to my passion for Flutter, DevOps, I have also developed a strong foundation in data structures and algorithms (DSA) using Java. During my high school years, I spent a significant amount of time learning about DSA and applying it to solve complex programming problems. This experience has helped me to build a solid understanding of fundamental programming concepts, and I continue to leverage this knowledge in my current studies. As a lifelong learner, I am always seeking out new challenges and opportunities to expand my knowledge and skills. One area that has particularly caught my attention is open source software. I find the collaborative nature of open source to be incredibly powerful and inspiring, and I am excited about the potential it has to create positive change in the world. In my free time, I enjoy exploring new technologies, reading books on various topics, and experimenting with different coding projects. I also enjoy sharing my knowledge and experiences with others, whether it's through mentoring, contributing to online communities, or blogging. In conclusion, I am a computer science undergraduate student who has a keen interest in Flutter, DevOps, Java programming, and DSA. My experience with these technologies, combined with my passion for open-source, has enabled me to develop a strong foundation in programming and problem-solving skills. I am excited to continue learning and exploring new technologies to build innovative solutions and make a positive impact on society. Thank you for taking the time to read a little bit about me. I hope to continue growing as a developer, expanding my knowledge, and contributing to the tech community in meaningful ways.