diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md index a92da947c6..e6d2ff2340 100644 --- a/content/en/docs/tasks/administer-cluster/encrypt-data.md +++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md @@ -22,8 +22,7 @@ This page shows how to enable and configure encryption of secret data at rest. The `kube-apiserver` process accepts an argument `--encryption-provider-config` that controls how API data is encrypted in etcd. The configuration is provided as an API named -[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). -An example configuration is provided below. +[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). `--encryption-provider-config-automatic-reload` boolean argument determines if the file set by `--encryption-provider-config` should be automatically reloaded if the disk contents change. This enables key rotation without API server restarts. An example configuration is provided below. {{< caution >}} **IMPORTANT:** For high-availability configurations (with two or more control plane nodes), the @@ -305,4 +304,3 @@ kubectl get secrets --all-namespaces -o json | kubectl replace -f - ## {{% heading "whatsnext" %}} * Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/). - diff --git a/content/en/docs/tasks/administer-cluster/kms-provider.md b/content/en/docs/tasks/administer-cluster/kms-provider.md index a2f794d3d8..9d6790743e 100644 --- a/content/en/docs/tasks/administer-cluster/kms-provider.md +++ b/content/en/docs/tasks/administer-cluster/kms-provider.md @@ -150,6 +150,8 @@ To encrypt the data: 1. Set the `--encryption-provider-config` flag on the kube-apiserver to point to the location of the configuration file. +1. `--encryption-provider-config-automatic-reload` boolean argument determines if the file set by `--encryption-provider-config` should be automatically reloaded if the disk contents change. This enables key rotation without API server restarts. + 1. Restart your API server. ### KMS v1 {#encrypting-your-data-with-the-kms-provider-kms-v1} @@ -195,6 +197,23 @@ To encrypt the data: timeout: 3s ``` +Setting `--encryption-provider-config-automatic-reload` to `true` collapses all health checks to a single health check endpoint. Individual health checks are only available when KMS v1 providers are in use and the encryption config is not auto-reloaded. + +Following table summarizes the health check endpoints for each KMS version: + +| KMS configurations | Without Automatic Reload | With Automatic Reload | +| ------------------------- |------------------------------------| -----------------------| +| KMS v1 only | Individual Healthchecks | Single Healthcheck | +| KMS v2 only | Single Healthcheck | Single Healthcheck | +| Both KMS v1 and v2 | Individual Healthchecks | Single Healthcheck | +| No KMS | None | Single Healthcheck | + +`Single Healthcheck` means that the only health check endpoint is `/healthz/kms-providers`. + +`Individual Healthchecks` means that each KMS plugin has an associated health check endpoint based on its location in the encryption config: `/healthz/kms-provider-0`, `/healthz/kms-provider-1` etc. + +These healthcheck endpoint paths are hard coded and generated/controlled by the server. The indices for individual healthchecks corresponds to the order in which the KMS encryption config is processed. + Until the steps defined in [Ensuring all secrets are encrypted](#ensuring-all-secrets-are-encrypted) are performed, the `providers` list should end with the `identity: {}` provider to allow unencrypted data to be read. Once all resources are encrypted, the `identity` provider should be removed to prevent the API server from honoring unencrypted data. For details about the `EncryptionConfiguration` format, please check the