4 Encryption data at rest


This chapter covers

  • Enabling encryption at rest so that Secrets are encrypted when stored in a Kubernetes cluster.
  • Enabling the KMS provider for data encryption so that, if a Kubernetes master node is compromised, the encryption keys are not exposed.

Chapter 3 introduced different ways to store secrets correctly in source repositories so that, if the repository is compromised, the secrets remain safe.

This chapter introduces the concept of encryption at rest in Kubernetes, which protects any Kubernetes resource, typically Secrets, and makes it almost impossible for an attacker who reaches the storage layer to read their content. We'll demonstrate that Secrets are not encrypted by default by querying the etcd database directly. Then we'll walk through how encryption at rest is enabled in Kubernetes so that Secrets are stored encrypted. The process we are going to follow is summarized in figure 4.1.

Figure 4.1. From plain text secrets to encrypted secrets

Finally, we will make the process secure by using a Key Management Service to manage the encryption keys, as shown in figure 4.2.

Figure 4.2. Key Management Service (KMS) for managing keys
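To make the two steps above concrete, here is an added example of the kube-apiserver EncryptionConfiguration that both the encryption-at-rest step and the KMS step end up producing. It is not the book's own listing: the plugin name, the Unix socket path, and the AES key are assumed placeholders, and the ordering of providers is the point being illustrated.

```yaml
# Added example, not from the book. Passed to kube-apiserver with
# --encryption-provider-config=/etc/kubernetes/enc/encryption.yaml (assumed path).
#
# A cluster with no such file behaves as if the only provider were
# "identity: {}", i.e. Secrets land in etcd as plain base64 text.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The FIRST provider encrypts every new write; all listed providers
      # are tried, in order, when reading.
      #
      # KMS v2: the data-encryption key never sits on the control-plane
      # node; the plugin holds it behind a local Unix socket.
      - kms:
          apiVersion: v2
          name: example-kms-plugin                           # assumed plugin name
          endpoint: unix:///var/run/kms-plugin/socket.sock   # assumed socket path
          timeout: 3s
      # Local AES-CBC key, kept only so Secrets written before the KMS
      # plugin was introduced can still be read. Generate a real key with
      #   head -c 32 /dev/urandom | base64
      - aescbc:
          keys:
            - name: key1
              secret: "<PLACEHOLDER: base64-encoded 32-byte key>"
      # identity = no encryption. Keeping it LAST lets the API server read
      # Secrets that were stored in plain text before encryption was enabled;
      # it must never be first, or new Secrets would be written unencrypted.
      - identity: {}
```

After the API server restarts with this file, only newly written Secrets are encrypted; existing ones stay in whatever form they had until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Once every Secret has been rewritten, the `identity` provider can be dropped so that plain-text entries are no longer accepted on read.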

4.1 Encrypting Secrets

4.1.1 Encryption Data at Rest

4.1.2 Plain Secrets

4.1.3 Encrypting Secrets

4.1.4 Creating the Secret

4.2 Key Management Server

4.2.1 Kubernetes and KMS provider

4.2.2 Creating the Secret

4.3 Summary
