From 49d0568a06e51512b8584494fd9c17c047ff5fa8 Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Wed, 17 May 2023 20:18:46 +0100 Subject: [PATCH] Split out advice about config reloads for encryption at rest --- .../docs/tasks/administer-cluster/encrypt-data.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md index dc9c4430508..abe9b8498c2 100644 --- a/content/en/docs/tasks/administer-cluster/encrypt-data.md +++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md @@ -34,7 +34,7 @@ This page shows how to enable and configure encryption of secret data at rest. The `kube-apiserver` process accepts an argument `--encryption-provider-config` that controls how API data is encrypted in etcd. The configuration is provided as an API named -[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). `--encryption-provider-config-automatic-reload` boolean argument determines if the file set by `--encryption-provider-config` should be automatically reloaded if the disk contents change. This enables key rotation without API server restarts. An example configuration is provided below. +[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). An example configuration is provided below. {{< caution >}} **IMPORTANT:** For high-availability configurations (with two or more control plane nodes), the 
@@ -462,6 +462,19 @@ Then run the following command to force decrypt all Secrets: kubectl get secrets --all-namespaces -o json | kubectl replace -f - ``` +## Configure automatic reloading + +You can configure automatic reloading of encryption provider configuration. +That setting determines whether the +{{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} should +load the file you specify for `--encryption-provider-config` only once at +startup, or automatically whenever you change that file. Enabling this option +allows you to change the keys for encryption at rest without restarting the +API server. + +To allow automatic reloading, configure the API server to run with: +`--encryption-provider-config-automatic-reload=true` + ## {{% heading "whatsnext" %}} * Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/).
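Review bot: With the first hunk dropping the `--encryption-provider-config-automatic-reload` sentence from the intro, the opening paragraph no longer tells the reader that the configuration file can be reloaded at all; consider keeping a short pointer there (e.g. "see [Configure automatic reloading](#configure-automatic-reloading) below") so that readers who stop after the intro still learn that key rotation without an API server restart is possible.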
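Review bot: In the new "Configure automatic reloading" section, the flag line `--encryption-provider-config-automatic-reload=true` sits as bare inline code after a colon; the rest of this page puts commands in fenced code blocks, so a ``` fence would be consistent and easier to copy. Two small content points in the same hunk: "automatic reloading of encryption provider configuration" reads better as "of the encryption provider configuration", and since each `kube-apiserver` reads its own copy of the file, the section should remind multi-node operators that the flag and the updated file must be present on every control plane node, ideally by linking back to the high-availability caution near the top of the page.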