🔐 Azure Key Vault KMS plugin for Kubernetes

Перейти к файлу

Sertaç Özercan e77adb6874 chore: update linters (#217 ) * chore: update linters Signed-off-by: Sertac Ozercan <sozercan@gmail.com> * Apply suggestions from code review Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com> Signed-off-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> * Update .golangci.yml Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com> Signed-off-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> * fix formatting Signed-off-by: Sertac Ozercan <sozercan@gmail.com> --------- Signed-off-by: Sertac Ozercan <sozercan@gmail.com> Signed-off-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com>		2023-04-19 11:18:40 -07:00
.github	ci: add goreleaser workflow for release (#139 )	2022-04-09 00:41:39 +05:30
.pipelines	ci: update kubernetes versions for supported releases	2022-12-19 11:38:14 -08:00
cmd/server	chore: update linters (#217 )	2023-04-19 11:18:40 -07:00
docs	release: bump version to v0.4.0 (#194 )	2022-12-20 12:00:36 -08:00
pkg	chore: update linters (#217 )	2023-04-19 11:18:40 -07:00
scripts	feat: add arm64 support for images (#116 )	2021-10-13 12:36:31 -07:00
tests	chore: update linters (#217 )	2023-04-19 11:18:40 -07:00
tools	chore: updates lint (#212 )	2023-04-11 15:19:53 -07:00
.gitignore	ci: enable golangci-lint (#76 )	2021-02-10 09:25:02 -08:00
.golangci.yml	chore: update linters (#217 )	2023-04-19 11:18:40 -07:00
.goreleaser.yml	ci: add goreleaser workflow for release (#139 )	2022-04-09 00:41:39 +05:30
AUTHORS	update make and dep	2018-03-01 15:39:34 -08:00
CODEOWNERS	ci: add CODEOWNERS file (#157 )	2022-06-10 11:53:45 -07:00
CODE_OF_CONDUCT.md	docs: add standalone Code of Conduct doc where GH can see it (#51 )	2020-08-17 13:47:54 -06:00
CONTRIBUTING.md	docs: clean up the README	2019-06-14 10:28:28 -06:00
Dockerfile	chore: update to go 1.19 (#171 )	2022-08-22 10:49:56 -07:00
LICENSE	Initial commit	2018-03-01 13:16:50 -08:00
Makefile	release: bump version to v0.4.0 (#194 )	2022-12-20 12:00:36 -08:00
README.md	docs: add roadmap link to readme (#209 )	2023-03-29 11:19:52 -07:00
SECURITY.md	Microsoft mandatory file (#151 )	2022-05-23 10:22:58 -07:00
developers.md	Add useragent and update registry (#45 )	2019-02-07 17:47:29 -08:00
go.mod	chore: bump github.com/Azure/go-autorest/autorest/adal (#208 )	2023-03-20 11:57:09 -07:00
go.sum	chore: bump github.com/Azure/go-autorest/autorest/adal (#208 )	2023-03-20 11:57:09 -07:00

README.md

KMS Plugin for Key Vault

Enables encryption at rest of your Kubernetes data in etcd using Azure Key Vault.

From the Kubernetes documentation on Encrypting Secret Data at Rest:

[KMS Plugin for Key Vault is] the recommended choice for using a third party tool for key management. Simplifies key rotation, with a new data encryption key (DEK) generated for each encryption, and key encryption key (KEK) rotation controlled by the user.

⚠️ NOTE: Currently, KMS plugin for Key Vault does not support key rotation. If you create a new key version in KMS, decryption will fail since it won't match the key used for encryption when the cluster was created.

💡 NOTE: To integrate your application secrets from a key management system outside of Kubernetes, use Azure Key Vault Provider for Secrets Store CSI Driver.

Features

Use a key in Key Vault for etcd encryption
Use a key in Key Vault protected by a Hardware Security Module (HSM)
Bring your own keys
Store secrets, keys, and certs in etcd, but manage them as part of Kubernetes

Getting Started

Prerequisites

💡 Make sure you have a Kubernetes cluster version 1.10 or later, the minimum version that is supported by KMS Plugin for Key Vault.

Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) creates managed, supported Kubernetes clusters on Azure.

To enable encryption at rest for Kubernetes resources in etcd, check out the KMS plugin for Key Vault on AKS feature in this doc.

Setting up KMS Plugin manually

Refer to doc for steps to setup the KMS Key Vault plugin on an existing cluster.

Verifying that Data is Encrypted

Now that Azure KMS provider is running in your cluster and the encryption configuration is setup, it will encrypt the data in etcd. Let's verify that is working:

Create a new secret:

kubectl create secret generic secret1 -n default --from-literal=mykey=mydata

Using etcdctl, read the secret from etcd:

sudo ETCDCTL_API=3 etcdctl --cacert=/etc/kubernetes/certs/ca.crt --cert=/etc/kubernetes/certs/etcdclient.crt --key=/etc/kubernetes/certs/etcdclient.key get /registry/secrets/default/secret1

Check that the stored secret is prefixed with k8s:enc:kms:v1:azurekmsprovider. This indicates the Azure KMS provider has encrypted the data.
Verify the secret is decrypted correctly when retrieved via the Kubernetes API:
```
kubectl get secrets secret1 -o yaml
```
The output should match mykey: bXlkYXRh, which is the encoded data of mydata.

Rotation

Refer to doc for steps to rotate the KMS Key on an existing cluster.

Contributing

The KMS Plugin for Key Vault project welcomes contributions and suggestions. Please see CONTRIBUTING for details.

Roadmap

You can view the public roadmap for the KMS plugin for Azure KeyVault on the GitHub Project here. Note that all target dates are aspirational and subject to change.

Release

Currently, this project releases monthly to patch security vulnerabilities, and bi-monthly for new features. We target the first week of the month for release.

Code of conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Support

KMS Plugin for Key Vault is an open source project that is not covered by the Microsoft Azure support policy. Please search open issues here, and if your issue isn't already represented please open a new one. The project maintainers will respond to the best of their abilities.