etcd encryption

We recommend using etcd encryption to provide an additional layer of data security for your cluster.

Read more about it: Kubernetes Docs: Encrypting Data at Rest

To enable it in Autopilot, one possible approach is to edit the spec.topology.variables of your cluster.yaml (the Cluster resource in the management cluster) and add:

```yaml
- name: etcdEncryptionSecretRef
  value:
    enabled: true
```

And create the related secret:

etcd-encryption-secret.yaml:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: etcd-encryption
type: Opaque
stringData:
  config: |-
    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    resources:
      - resources:
          - secrets
        providers:
          - aescbc:
              keys:
                - name: key1
                  secret: <token>   # replace with a random value
          - identity: {}
```

To generate a random value to replace <token>, you can use:

Then save the above file as etcd-encryption-secret.yaml and run:
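The two steps above (generating the aescbc key and producing the manifest) carried out end to end, as an added example that is not part of the Autopilot docs. It assumes a POSIX shell with `base64` and `/dev/urandom`; the Secret name and the EncryptionConfiguration layout come from the page, while the function names, the length check and the `kubectl apply` guard are this example's own. The aescbc provider requires the key to be 16, 24 or 32 raw bytes, base64-encoded, so the script refuses to write a manifest with anything else (a pasted password, for instance) in the `secret` field.

```shell
#!/bin/sh
# Added example (not from the Autopilot docs): generate an aescbc key for the
# EncryptionConfiguration above and render the Secret manifest with it filled in.
set -eu

# aescbc accepts keys of 16, 24 or 32 raw bytes (base64-encoded); 32 bytes = AES-256.
gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 when the base64 value decodes to an accepted AES key length, 1 otherwise.
check_key() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    case "$n" in
        16|24|32) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the Secret from the page to "$2" with <token> replaced by the key in "$1".
render_secret() {
    key="$1"; out="$2"
    check_key "$key" || {
        echo "refusing to write $out: key is not 16/24/32 base64-encoded raw bytes" >&2
        return 1
    }
    cat > "$out" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: etcd-encryption
type: Opaque
stringData:
  config: |-
    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    resources:
      - resources:
          - secrets
        providers:
          - aescbc:
              keys:
                - name: key1
                  secret: ${key}
          - identity: {}
EOF
}

# Apply the manifest with kubectl (assumed to point at the management cluster).
apply_secret() {
    kubectl apply -f "$1"
}

key=$(gen_key)
render_secret "$key" etcd-encryption-secret.yaml
echo "wrote etcd-encryption-secret.yaml"
if command -v kubectl >/dev/null 2>&1; then
    apply_secret etcd-encryption-secret.yaml
else
    echo "kubectl not found; apply etcd-encryption-secret.yaml manually" >&2
fi
```

The key is emitted once and only into the manifest file, so treat that file as a secret itself (it contains the encryption key in clear) and keep it out of version control. The `identity: {}` provider after `aescbc` is what lets the API server still read Secrets written before encryption was enabled; new writes use `key1`.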
