etcd Encryption

Why use etcd encryption

By default the API server stores all cluster state, including Secrets, unencrypted in etcd. We recommend enabling etcd encryption at rest so that an attacker who obtains an etcd backup or the datastore itself cannot read Secret values without the encryption key.

Read more about it: Kubernetes Docs: Encrypting Data at Rest

Enabling etcd encryption in Autopilot

To enable it in Autopilot, one possible approach is to edit the spec.topology.variables of your cluster.yaml or Cluster resource within the management cluster and add:

```yaml
- name: etcdEncryptionSecretRef
  value:
    enabled: true
```

And create the related secret:

etcd-encryption-secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: etcd-encryption
type: Opaque
stringData:
  config: |-
    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    resources:
      - resources:
          - secrets
        providers:
          - aescbc:
              keys:
                - name: key1
                  secret: <token>  # Replace with a random value
          - identity: {}
```

The aescbc secret must be 16, 24 or 32 random bytes, base64-encoded. The first provider in the list is used to encrypt new writes; the trailing `identity: {}` provider only lets the API server still read Secrets that were stored before encryption was enabled, so rewrite existing Secrets once the configuration is active.

To generate a random value to replace <token>, you can use:

Then save the above file as etcd-encryption-secret.yaml and run:
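The steps above, as an added example that is not part of the Syself documentation: a POSIX shell script that generates a 32-byte key for the aescbc provider, checks that it decodes to a length the provider accepts, and renders the Secret manifest shown above with the key in place of <token>. The function names and the `render` argument are this example's own; the Secret and file names follow the page. It does not apply anything to a cluster.

```shell
#!/bin/sh
# Added example, not Syself's code. Generates an aescbc key and renders
# etcd-encryption-secret.yaml. Assumes GNU coreutils base64 (-d).
set -eu

# 32 random bytes, base64-encoded on a single line (aescbc accepts 16/24/32).
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Fail unless the base64 value decodes to 16, 24 or 32 bytes; a key of any
# other length is rejected by the API server at startup.
check_key_len() {
  n=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
  case "$n" in
    16|24|32) return 0 ;;
    *) echo "key decodes to $n bytes; aescbc needs 16, 24 or 32" >&2; return 1 ;;
  esac
}

# Render the Secret from the page with the key substituted for <token>.
# identity stays last so previously stored plaintext Secrets remain readable.
render_secret() {
  key="$1"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: etcd-encryption
type: Opaque
stringData:
  config: |-
    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    resources:
      - resources:
          - secrets
        providers:
          - aescbc:
              keys:
                - name: key1
                  secret: ${key}
          - identity: {}
EOF
}

main() {
  key=$(gen_key)
  check_key_len "$key"
  render_secret "$key" > etcd-encryption-secret.yaml
  echo "wrote etcd-encryption-secret.yaml"
}

# Only write the file when invoked as: sh gen-etcd-key.sh render
if [ "${1:-}" = "render" ]; then
  main
fi
```

The generated file is what the page then tells you to apply to the management cluster; the page does not show the command, and `kubectl apply -f etcd-encryption-secret.yaml` (an assumption on my part) is the usual way. Treat the rendered file as a secret itself: it contains the key in plaintext, so do not commit it to source control.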
