Tell us more

Blog

How to Kube: KMS Secrets

Security is a top concern for anyone on the web, but especially for those using Kubernetes. Without any pre-configured security settings on the platform, it's up to you to ensure that your nodes and clusters are secure. That's why encryption is so crucial in protecting your most sensitive data.

Key management services (KMS) are an inexpensive way to encrypt your secrets in Kubernetes. Employing a KMS ensures that your cryptographic keys and metadata are protected by controlling their confidentiality, integrity, availability and source verification.

Read on for a step-by-step guide for how you can set up an Amazon-provided key management service.

Build the AWS Encryption Provider Docker Container

  1. First, head to the Kubernetes sigs AWS encryption provider repository. In the repository, run “make docker build” to build a docker container.
  2. Tag the docker container with the name of a repository that you control, and push it out to that repository. This ensures that the docker container is available onthe Kubernetes cluster — specifically the master nodes — to pull from.
  3. Now that the docker container is pushed to the repository, you need to create a KMS key.

Create a KMS key

  1. To create a KMS key:
    • Open up the AWS console,
    • Click “create key”
    • Choose “symmetric key”
    • Name it something you can remember
    • Assign your key the default options (assigning usage permissions isn't necessary at this stage).
  2. Once your key is created, locate it under “Customer managed keys”, and record the ARN to use in a later step.

Configure a node policy

  1. Next, you'll need to create a node policy that allows masters to encrypt and decrypt using the key you just created.
  2. Add this policy to the to kops cluster spec in the “additional policies” master section, and then save the file.
  3. Then, under the kops cluster spec, add “encryptionConfig” and set it equal to true.
  4. Finally, you’ll need to add a file asset that creates a static pod on each of the master nodes. The manifest for the static pod includes:
    • The image name that you pushed earlier
    • The ARN of the KMS key you created
    • The region you created the key in

Create an encryption configuration

  1. Next you want to create an encryption configuration yaml file. This file specifies that secrets should be encrypted using the AWS encryption provider at the unix socket you created in the static pod.
  2. Use the “kops create secret” command to create this encryption config as a kops secret.
  3. Now that the cluster config is in place and the encryption config is saved as a secret, it’s time to replace the cluster yaml and enter” kops update cluster --yes”.
  4. Kops will then indicate that a rolling restart of masters is necessary. Go ahead and perform that rolling update.

Once the rolling update is complete, your cluster will be configured to encrypt all newly created secrets with a key management service! This ensures that you can encrypt/decrypt data without exposing your master keys, and that your encryption parameters are always strong.

For more tips on how to address Kubernetes cluster security, check out this blog post.