You can enable passive encryption (encryption of secrets at rest in etcd) by providing keys in an EncryptionConfig file and pointing the kube-apiserver command at that file. You can do this before or after installing Guardium® Insights.
Procedure
- Determine the keys to be used and add them to the EncryptionConfig file.
- Set the --encryption-provider-config flag on the kube-apiserver to the location of the EncryptionConfig file.
- Restart the API server.
- Existing secrets are encrypted only when they are next written to etcd. To encrypt every existing secret immediately, run this command:
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
This reads all secrets and writes each one back, so that it is stored encrypted.
Note: It is highly recommended that, along with the EncryptionConfig file, a kms provider is used, so that the encryption key is held by an external key management service rather than on the control plane node.
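The following shell script is an added example, not part of the Guardium Insights documentation or product: it generates a 32-byte key for the aescbc provider and writes an EncryptionConfig file that lists a kms provider first (as the note recommends), the local aescbc key second, and identity last so that secrets written before encryption was enabled can still be read. The kms plugin name and socket path are placeholders you would replace with your own plugin's values; the kube-apiserver flag and the re-encryption command are shown as comments because they are run on the control plane, not here.

```shell
#!/bin/sh
# Build an EncryptionConfiguration for kube-apiserver encryption at rest.
# Example code, not from the Guardium Insights docs; kms name/endpoint are placeholders.
set -eu

# Emit a fresh 32-byte random key, base64-encoded as the aescbc provider expects.
gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write the EncryptionConfiguration to $1 using the aescbc key in $2.
# The first listed provider is used for new writes; on read, the API server
# picks the provider that matches the prefix stored with the value, so every
# provider that ever wrote data must stay in the list until that data is rewritten.
write_encryption_config() {
    cfg="$1"
    key="$2"
    cat > "$cfg" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # KMS provider first: the data-encryption key never leaves the external KMS.
      # Name and endpoint below are placeholders (assumed values).
      - kms:
          apiVersion: v2
          name: my-kms-plugin
          endpoint: unix:///var/run/kmsplugin/socket.sock
      # Local AES-CBC key, kept on the node; reads data written before the KMS was configured.
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      # identity last: reads plaintext secrets that predate encryption; never first,
      # because the first provider is the one used for writes.
      - identity: {}
EOF
}

# Report the provider order as written, so a reviewer can confirm identity is not first.
provider_order() {
    sed -n 's/^      - \([a-z]*\):.*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demonstration: write the file to a temporary path and show it.
cfg="$(mktemp)"
write_encryption_config "$cfg" "$(gen_key)"
echo "Provider order: $(provider_order "$cfg")"
cat "$cfg"
# On the control plane you would then copy the file to a path the API server can read,
# add the flag  --encryption-provider-config=/path/to/encryption-config.yaml  to
# kube-apiserver, restart it, and rewrite existing secrets with:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

Keep the file readable only by the API server process (mode 0600), because the aescbc key in it decrypts every secret written with that provider.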
What to do next
For more information about enabling passive encryption, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/.