Going further with securing etcd
The previous section described the native encryption capabilities provided by Kubernetes at the application layer or, in other words, how to secure sensitive data from Secret and ConfigMap objects being processed by the Kubernetes API server.
Depending on the deployment type, whether on-premises or in the cloud, other layers can benefit from encryption to avoid or reduce security exposures:
- When self-deploying on-premises or in the cloud using physical or virtual machines, the Kubernetes EncryptionConfiguration API object is stored as a file on disk; accessing this configuration file, as well as the etcd data file, will compromise all sensitive data recorded as part of the API objects in etcd.
- When consuming a managed Kubernetes instance from a cloud provider, the control plane becomes their responsibility. However, not all services are equal and some require a thorough review of the configuration to ensure that the cloud provider you...
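The first point above is worth checking mechanically on any self-managed control plane: an EncryptionConfiguration that uses the aescbc, aesgcm or secretbox providers carries its key material inside the file, so the file's mode and the choice of provider decide how much an attacker with disk access gains. The following POSIX shell audit is an added example, not code from the book or from Kubernetes; the file paths, the two sample configurations and the placeholder key value are constructed for the demo, and the kms provider fields (apiVersion v2, name, endpoint) follow the upstream EncryptionConfiguration schema.

```shell
#!/bin/sh
# Added example (not from the book): audit an EncryptionConfiguration file for
# the two exposures described above: key material stored inline in the file,
# and a file mode that lets non-root users read it.
# DEMO_DIR, the sample configs and the key value below are constructed.

# Print the provider names listed under `providers:` in an EncryptionConfiguration.
list_providers() {
  grep -E '^[[:space:]]*-[[:space:]]*(aescbc|aesgcm|secretbox|kms|identity):' "$1" \
    | sed -E 's/^[[:space:]]*-[[:space:]]*([a-z]+):.*/\1/'
}

# Exit 0 when the file carries raw key material: aescbc/aesgcm/secretbox keys
# are base64 in the file, so the file plus the etcd data directory is enough to
# decrypt every Secret. A kms provider keeps the key in the external KMS.
has_inline_keys() {
  list_providers "$1" | grep -qE '^(aescbc|aesgcm|secretbox)$'
}

# Exit 0 when group and other have no permission bits at all (0600 or stricter).
mode_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run both checks, print a one-line verdict per finding, exit 0 only if clean.
audit_encryption_config() {
  rc=0
  if has_inline_keys "$1"; then
    inline=$(list_providers "$1" | grep -E '^(aescbc|aesgcm|secretbox)$' | tr '\n' ' ')
    echo "WARN $1: key material stored inline (providers: $inline)"
    rc=1
  fi
  if ! mode_is_private "$1"; then
    echo "WARN $1: readable by group/other ($(ls -ld "$1" | cut -c1-10))"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK   $1"
  return "$rc"
}

# --- constructed sample input -------------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
WEAK_CFG="$DEMO_DIR/encryption-config-aescbc.yaml"
KMS_CFG="$DEMO_DIR/encryption-config-kms.yaml"

# Local-key provider: the base64 value is a placeholder, not a real key.
cat > "$WEAK_CFG" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: PLACEHOLDER_BASE64_KEY_MATERIAL
      - identity: {}
EOF
chmod 644 "$WEAK_CFG"   # world-readable on purpose, so the audit flags it

# KMS provider: no key in the file, only the plugin socket (demo endpoint).
cat > "$KMS_CFG" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          apiVersion: v2
          name: demo-kms-plugin
          endpoint: unix:///var/run/kmsplugin/socket.sock
      - identity: {}
EOF
chmod 600 "$KMS_CFG"

audit_encryption_config "$WEAK_CFG" || true   # expected: two WARN lines
audit_encryption_config "$KMS_CFG" || true    # expected: OK
```

On a real node, point `audit_encryption_config` at the path passed to the API server's `--encryption-provider-config` flag; a clean result still says nothing about the etcd data directory or the KMS plugin's own access controls, which need their own review.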