Kubernetes stores a variety of data including cluster state, application configurations, and secrets. Kubernetes supports the ability to encrypt cluster data at rest, so that a copy of the etcd data directory or a backup does not expose Secrets in plaintext.
In this lab you will generate an encryption key and an encryption config suitable for encrypting Kubernetes Secrets. The commands in this lab must be run on controlplane01.
Generate an encryption key (32 random bytes, base64-encoded, which is the key size the aescbc provider expects):
export ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
Create the encryption-config.yaml encryption config file:
envsubst < templates/encryption-config.yaml.template \
> encryption-config.yaml
Copy the encryption-config.yaml encryption config file to each controller instance:
for instance in controlplane01 controlplane02 controlplane03 ; do
scp encryption-config.yaml ${instance}:~/
done
Move the encryption-config.yaml encryption config file to the appropriate directory:
for instance in controlplane01 controlplane02 controlplane03; do
ssh ${instance} sudo mkdir -p /var/lib/kubernetes/
ssh ${instance} sudo mv encryption-config.yaml /var/lib/kubernetes/
done
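The template file the lab expands with envsubst is not shown on this page. The script below is an added example, not part of the lab, that writes an equivalent EncryptionConfiguration directly with a heredoc and checks the key before using it. It assumes the resource layout documented at the reference URL (an aescbc provider listed first, followed by an identity provider so that Secrets written before encryption was enabled can still be read), a GNU base64 that accepts -d, and an output path supplied by the caller; the key name key1 is a constructed value.

```shell
#!/bin/sh
# Added example (not the lab's own template): generate a 32-byte AES key,
# verify its length, and write an EncryptionConfiguration for Secrets.

# Print a fresh 32-byte random key, base64-encoded on a single line.
gen_encryption_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 only if the base64 key decodes to exactly 32 bytes (AES-256).
# A key of the wrong length makes the API server refuse to start.
check_key_length() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Write the config to $2 using key $1. The identity provider comes last so
# existing plaintext Secrets remain readable; new writes use aescbc.
write_encryption_config() {
    cat > "$2" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $1
      - identity: {}
EOF
    # The file holds the key material itself: restrict it to the owner.
    chmod 0600 "$2"
}

# Stand-alone usage: write the config into the current directory.
if [ "${0##*/}" = "encryption-config.sh" ]; then
    key=$(gen_encryption_key)
    check_key_length "$key" || { echo "bad key length" >&2; exit 1; }
    write_encryption_config "$key" ./encryption-config.yaml
fi
```

Because the identity provider is listed, Secrets already in etcd stay in plaintext until they are rewritten; the reference URL describes reading and re-saving all Secrets after the API server has restarted so that every stored object is encrypted.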
Reference: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#encrypting-your-data