kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #42846 from my-git9/path-28990 

[zh-cn] sync administer-cluster/encrypt-data.md
pull/42211/head
Kubernetes Prow Robot 2023-09-04 00:53:49 -07:00 committed by GitHub
parent 8844553920 bd36071bdc
commit 216e238d36
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
View File

@ -349,7 +349,7 @@ Kubernetes 静态数据加密的 Provider
</td>
</tr>
<tr>
<th rowspan="2" scope="row"><tt>kms</tt> v1</th>
<th rowspan="2" scope="row"><tt>kms</tt> v1 <em><!--(deprecated since Kubernetes v1.28)-->(自 Kubernetes 1.28 起弃用)</em></th>
<td>
<!-- Uses envelope encryption scheme with DEK per resource. -->
针对每个资源使用不同的 DEK 来完成信封加密。
@ -393,15 +393,22 @@ Kubernetes 静态数据加密的 Provider
Data is encrypted by data encryption keys (DEKs) using AES-GCM; DEKs
are encrypted by key encryption keys (KEKs) according to configuration
in Key Management Service (KMS).
A new DEK is generated at API server startup, and is then reused for
encryption. The DEK is rotated whenever the KEK is rotated.
Kubernetes defaults to generating a new DEK at API server startup, which is then
reused for object encryption.
If you enable the <tt>KMSv2KDF</tt>
<a href="/docs/reference/command-line-tools-reference/feature-gates/">feature gate</a>,
Kubernetes instead generates a new DEK per encryption from a secret seed.
Whichever approach you configure, the DEK or seed is also rotated whenever the KEK is rotated.<br/>
A good choice if using a third party tool for key management.
Available in beta from Kubernetes v1.27.
-->
通过数据加密密钥DEK使用 AES-GCM 加密数据;
DEK 根据 Key Management ServiceKMS中的配置通过密钥加密密钥Key Encryption KeysKEK加密。
API 服务器启动时会生成一个新的 DEK并重复使用它进行加密。
每当轮换 KEK 时DEK 也会轮换。
Kubernetes 默认在 API 服务器启动时生成一个新的 DEK
然后重复使用该密钥进行资源加密。然而,如果你使用 KMS v2 并且启用了 `KMSv2KDF`
[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
则 Kubernetes 将转为基于秘密的种子数为每次加密生成一个新的 DEK。
无论你配置哪种方法,每当 KEK 轮换时DEK 或种子也会轮换。
如果使用第三方工具进行密钥管理,会是一个不错的选择。
`v1.27` 开始,该功能处于 Beta 阶段。
<br />
@ -481,7 +488,7 @@ Create a new encryption config file:
<!--
# See the following text for more details about the secret value
# this fallback allows reading unencrypted secrets;
# for example, during initial migratoin
# for example, during initial migration
-->
```yaml
---