Kubernetes · devops · ~30 mins

Secrets encryption at rest in Kubernetes - Mini Project: Build & Apply

Secrets Encryption at Rest in Kubernetes
📖 Scenario: You are managing a Kubernetes cluster that stores sensitive information such as passwords and API keys in Secrets. To protect this data you want to enable encryption at rest, so that Secrets are stored encrypted in etcd rather than as plain base64 on disk. This project guides you step by step through configuring Kubernetes to encrypt Secrets at rest using a simple encryption key.
🎯 Goal: Enable encryption at rest for Kubernetes Secrets by creating an encryption configuration file, updating the API server to use it, and verifying that secrets are stored encrypted.
📋 What You'll Learn
Create an encryption configuration file with a specific encryption key
Add a config variable to specify the path to the encryption config file
Modify the Kubernetes API server manifest to use the encryption config file
Verify that secrets are encrypted at rest by checking the stored data
💡 Why This Matters
🌍 Real World
Encrypting secrets at rest protects sensitive data stored in Kubernetes clusters from unauthorized access if the storage is compromised.
💼 Career
Understanding how to enable and verify secrets encryption is a key skill for Kubernetes administrators and DevOps engineers to secure cluster data.
Step 1: Create the encryption configuration file
Create a YAML file called encryption-config.yaml with the following content exactly:
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: c2VjcmV0a2V5MTIzNDU2Nzg5MDEyMzQ1Ng==
  - identity: {}
Hint: The encryption key is base64 encoded; make sure the indentation and keys match exactly. Provider order matters: the first provider (aescbc) is used for every new write, while identity listed last only lets the API server still read Secrets that were written before encryption was enabled. For a real cluster, generate the key with head -c 32 /dev/urandom | base64 so it decodes to a valid AES key length (16, 24 or 32 bytes), and never commit the file to version control.
Step 2: Set the encryption config file path variable
Create a variable called ENCRYPTION_CONFIG_PATH and set it to the string "/etc/kubernetes/encryption-config.yaml".
Hint: Use an uppercase variable name and assign the exact string path.
Step 3: Update the API server manifest to use the encryption config
Add the following flag to the Kubernetes API server manifest command line:
--encryption-provider-config=${ENCRYPTION_CONFIG_PATH}
Use the variable ENCRYPTION_CONFIG_PATH you created in Step 2. On a real kubeadm cluster the manifest is /etc/kubernetes/manifests/kube-apiserver.yaml, and the config file must also be mounted into the kube-apiserver pod (hostPath volume) because the API server reads it from inside its container; keep the file readable only by root, since it holds the key material.
Hint: Simulate the API server command as a string variable including the flag with the variable.
Step 4: Verify secrets are encrypted at rest
Print the exact string Secrets are now encrypted at rest using /etc/kubernetes/encryption-config.yaml to confirm the setup. In a real cluster the confirmation comes from reading a Secret's raw value out of etcd and checking that it begins with the prefix k8s:enc:aescbc:v1:key1: instead of readable JSON; Secrets created before the change remain in plaintext until they are rewritten (for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -).
Hint: Use a print statement with the exact message including the file path.
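To turn Steps 1 and 4 into real checks, here is an added example (not part of the original project) that validates an EncryptionConfiguration once it has been loaded by a YAML parser, and classifies a raw etcd value by its k8s:enc prefix. The config dict and the 32-byte key are constructed in-line; a YAML loader such as PyYAML would produce the same structure from encryption-config.yaml.

```python
import base64

# Constructed stand-in for encryption-config.yaml after YAML parsing
# (hypothetical key; a real key comes from head -c 32 /dev/urandom | base64).
GOOD_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1",
                                  "secret": base64.b64encode(b"A" * 32).decode()}]}},
            {"identity": {}},  # read-only fallback for pre-existing plaintext
        ],
    }],
}
AES_KEY_SIZES = {16, 24, 32}  # key lengths the aescbc provider accepts

def check_encryption_config(cfg):
    """Return a list of problems; an empty list means the config is sound."""
    problems = []
    if cfg.get("kind") != "EncryptionConfiguration":
        problems.append("kind must be EncryptionConfiguration")
    for entry in cfg.get("resources", []):
        label = ",".join(entry.get("resources", []))
        providers = entry.get("providers", [])
        # The first provider is used for writes; none, or identity first,
        # means every new Secret is stored in plaintext.
        if not providers or "identity" in providers[0]:
            problems.append(f"{label}: new writes would NOT be encrypted")
        for prov in providers:
            for key in prov.get("aescbc", {}).get("keys", []):
                try:
                    raw = base64.b64decode(key["secret"], validate=True)
                except (KeyError, ValueError):
                    problems.append(f"{key.get('name')}: secret is not valid base64")
                    continue
                if len(raw) not in AES_KEY_SIZES:
                    problems.append(f"{key['name']}: key is {len(raw)} bytes, need 16/24/32")
    return problems

def encrypted_with(raw_etcd_value):
    """Return (provider, key name) if an etcd value carries the k8s:enc prefix, else None."""
    if not raw_etcd_value.startswith(b"k8s:enc:"):
        return None  # readable JSON/protobuf: not encrypted at rest
    parts = raw_etcd_value.split(b":", 5)  # k8s enc <provider> <version> <key> <ciphertext>
    if len(parts) < 6:
        return None
    return parts[2].decode(), parts[4].decode()
```

Feed encrypted_with() the bytes returned by etcdctl get for a /registry/secrets/... key; a None result means that Secret still needs to be rewritten.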