kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

kms: updates website to document --encryption-provider-config-automatic-reload api server flag and healthcheck endpoint behavior 

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
pull/38137/head
Nilekh Chaudhari 2022-11-28 20:03:57 +00:00
parent 3d4d447a5c
commit d132365aae
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/en/docs/tasks/administer-cluster/encrypt-data.md
View File

@ -22,8 +22,7 @@ This page shows how to enable and configure encryption of secret data at rest.
The `kube-apiserver` process accepts an argument `--encryption-provider-config`
that controls how API data is encrypted in etcd.
The configuration is provided as an API named
[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/).
An example configuration is provided below.
[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). `--encryption-provider-config-automatic-reload` boolean argument determines if the file set by `--encryption-provider-config` should be automatically reloaded if the disk contents change. This enables key rotation without API server restarts. An example configuration is provided below.
{{< caution >}}
**IMPORTANT:** For high-availability configurations (with two or more control plane nodes), the
@ -305,4 +304,3 @@ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
## {{% heading "whatsnext" %}}
* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/).

19
content/en/docs/tasks/administer-cluster/kms-provider.md
View File

@ -150,6 +150,8 @@ To encrypt the data:
1. Set the `--encryption-provider-config` flag on the kube-apiserver to point to the location of the configuration file.
1. `--encryption-provider-config-automatic-reload` boolean argument determines if the file set by `--encryption-provider-config` should be automatically reloaded if the disk contents change. This enables key rotation without API server restarts.
1. Restart your API server.
### KMS v1 {#encrypting-your-data-with-the-kms-provider-kms-v1}
@ -195,6 +197,23 @@ To encrypt the data:
timeout: 3s
```
Setting `--encryption-provider-config-automatic-reload` to `true` collapses all health checks to a single health check endpoint. Individual health checks are only available when KMS v1 providers are in use and the encryption config is not auto-reloaded.
Following table summarizes the health check endpoints for each KMS version:
| KMS configurations | Without Automatic Reload | With Automatic Reload |
| ------------------------- |------------------------------------| -----------------------|
| KMS v1 only | Individual Healthchecks | Single Healthcheck |
| KMS v2 only | Single Healthcheck | Single Healthcheck |
| Both KMS v1 and v2 | Individual Healthchecks | Single Healthcheck |
| No KMS | None | Single Healthcheck |
`Single Healthcheck` means that the only health check endpoint is `/healthz/kms-providers`.
`Individual Healthchecks` means that each KMS plugin has an associated health check endpoint based on its location in the encryption config: `/healthz/kms-provider-0`, `/healthz/kms-provider-1` etc.
These healthcheck endpoint paths are hard coded and generated/controlled by the server. The indices for individual healthchecks corresponds to the order in which the KMS encryption config is processed.
Until the steps defined in [Ensuring all secrets are encrypted](#ensuring-all-secrets-are-encrypted) are performed, the `providers` list should end with the `identity: {}` provider to allow unencrypted data to be read. Once all resources are encrypted, the `identity` provider should be removed to prevent the API server from honoring unencrypted data.
For details about the `EncryptionConfiguration` format, please check the