Kubernetes supports the ability to enable envelope encryption of Kubernetes secrets using a customer managed key (CMK).
To support a defense-in-depth strategy, we plan to enable the AWS Encryption Provider on EKS and allow you to provide an AWS KMS CMK that will be used for envelope encryption of Kubernetes secrets on the cluster.
_Note_ This feature will provide an additional security layer for customers using Kubernetes secrets. All secrets and other data stored in etcd for all EKS clusters are encrypted at rest today. https://docs.aws.amazon.com/en_us/eks/latest/userguide/clusters.html and https://github.com/aws/containers-roadmap/issues/263
Update 3/5/20 » this feature is now live!
@tabern What about supporting an AWS-managed KMS key? We would like envelope encryption, without managing the key ourselves. Is that included in this?
@kekoav yes - we're planning to allow two modes. In the first mode, you request encryption but don't provide a key. EKS will create a managed KMS key in your account and associate it to the cluster. In the second mode, you can create a KMS key yourself and then pass the ARN to the cluster.
@tabern Any plans to make k8s secrets backed by or synced with AWS Secrets Manager?
@tabern I'd like to check if we have an ETA for rolling out this feature as this is affecting our roadmap of managing applications in EKS.
Thanks.
@Moulick it looks like that request is being tracked in a separate issue: https://github.com/aws/containers-roadmap/issues/168
Hi everyone,
Amazon EKS now supports envelope encryption of K8s secrets using AWS KMS keys!
Envelope encryption for secrets is available for new Amazon EKS clusters running Kubernetes version 1.13 and above. You can set up your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.
When secrets are stored using the Kubernetes secrets API, they are encrypted with a Kubernetes-generated data encryption key, which is then further encrypted using the linked AWS KMS key.
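The two-layer flow the announcement describes, written out as an added Go example (this is not code from the thread, from EKS, or from the Kubernetes KMS provider). `fakeKMS` is an in-process stand-in for AWS KMS that only exposes Encrypt and Decrypt, so the CMK material never leaves it; the Secret bytes and etcd key are constructed samples; and binding the etcd key into the data encryption as associated data is a design choice of this example, not something the page says EKS does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce to the ciphertext; open reverses it.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// fakeKMS stands in for AWS KMS offline (assumption: EKS calls kms:Encrypt and
// kms:Decrypt on the linked CMK). The CMK material never leaves this struct.
type fakeKMS struct{ cmk cipher.AEAD }

func newFakeKMS() (*fakeKMS, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	cmk, err := newAESGCM(raw)
	return &fakeKMS{cmk: cmk}, err
}

func (k *fakeKMS) Encrypt(p []byte) ([]byte, error) { return seal(k.cmk, p, nil) }
func (k *fakeKMS) Decrypt(c []byte) ([]byte, error) { return open(k.cmk, c, nil) }

// envelope is what etcd holds for one Secret: the KMS-wrapped DEK plus the
// Secret bytes sealed under that DEK. The plaintext DEK is never persisted.
type envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// encryptSecret follows the announced flow: generate a DEK locally, encrypt the
// Secret with it, then have KMS encrypt the DEK. Binding the etcd key as
// associated data is an addition of this example; it stops a stored blob from
// being replayed under a different Secret's key.
func encryptSecret(kms *fakeKMS, etcdKey string, secret []byte) (*envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newAESGCM(dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, secret, []byte(etcdKey))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Encrypt(dek)
	if err != nil {
		return nil, err
	}
	return &envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptSecret reverses the flow: KMS unwraps the DEK, the DEK opens the data.
func decryptSecret(kms *fakeKMS, etcdKey string, env *envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("kms decrypt of wrapped DEK: %w", err)
	}
	aead, err := newAESGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext, []byte(etcdKey))
}

func main() {
	kms, _ := newFakeKMS()
	// Constructed sample of the bytes the API server would persist for a Secret.
	secret := []byte(`{"kind":"Secret","data":{"password":"aHVudGVyMg=="}}`)
	env, _ := encryptSecret(kms, "/registry/secrets/default/db-creds", secret)
	back, err := decryptSecret(kms, "/registry/secrets/default/db-creds", env)
	fmt.Println("round trip ok:", err == nil && string(back) == string(secret))
}
```

The point to take from the structure: a compromise of the etcd backup alone yields only `envelope` values, and turning them back into Secrets requires a kms:Decrypt call against the linked CMK, which is exactly what the key policy and CloudTrail let you control and audit. The DEK here is random bytes generated by the caller and then handed to KMS Encrypt, which matches the order of operations in the announcement; kms:GenerateDataKey would instead return the plaintext and wrapped DEK in one call.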
hi @tabern,
You can setup your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.
How about running clusters?
hi
If there were an option to enable encryption like in S3 without generating any KMS keys myself, that would be nice.
Support for this functionality has been merged into the Terraform AWS Provider and will release with version 2.52.0, later today.
Does anyone know why the apiserver locally generates the DEK, as opposed to calling kms:GenerateDataKey?
Does anyone know what policy and which role to assign the KMS key usage to? When I added the encryption configuration to the same setup process (Terraform), EKS didn't create nodes. Regarding the role, I mean: is it the cluster role or the node role?
I tried adding kms:Encrypt and kms:Decrypt on the KMS resource to both the cluster and node roles; the nodes are still not created.