pulumi-azure-native
Improve the documentation for the configuration of KMS etcd encryption for an AKS cluster
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
By default, Kubernetes Secret resources are not encrypted at rest. The values within the secrets are encoded with base64, which is not encryption. AKS supports KMS etcd encryption, which is disabled by default. More information about this can be found in the official Azure documentation here.
The Azure classic provider seems to support the KMS etcd encryption using the `keyManagementService` attribute as documented here.
~~If I am not mistaken, the `ManagedCluster` resource in the azure-native provider does not support configuring the KMS etcd encryption, and I would really love to have this feature.~~ Update: It is indeed supported, as suggested in @danielrbradley's comment below.
If it is supported, it would be great to have documentation and examples about this feature.
Affected area/feature
Hi @ArtunSubasiStihl, thanks for reaching out.
I'm not very familiar with this particular integration. The Azure Native documentation link you sent looks like the right setting: `SecurityProfile.AzureKeyVaultKms` looks equivalent to the classic `KeyManagementService` properties. Both contain an identifier for the key vault and the key.
Have you tried using this setting and run into issues?
On adding further examples, these are currently auto-generated from the Azure specification, but it might be possible to add additional hand-written examples in the future too if that's the remaining ask here.
Thanks @danielrbradley, using the `SecurityProfile` with the `azureKeyVaultKms` was exactly what I was searching for. I could activate the etcd encryption by adding this block to the `ManagedCluster` resource:
```typescript
securityProfile: {
    azureKeyVaultKms: {
        enabled: true,
        keyId: encryptionKey.keyUriWithVersion,
    },
},
```
The `encryptionKey` references a `keyvault.Key`.
I find the following description in the documentation misleading because I thought this was about a general KMS configuration for the security profile whatever that means:
> Azure Key Vault key management service settings for the security profile.

But the link in the description actually leads to a k8s documentation page with the title "Using a KMS provider for data encryption".
Anyway the feature is there. The docs (description and examples) can be improved. I'll update the description to avoid confusion.
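As an added example (not code from the thread or from the provider), the following plain TypeScript check inspects a `ManagedCluster` args object for the `securityProfile.azureKeyVaultKms` settings discussed above, so the AKS default of base64-only secrets can be flagged before deployment. The field names mirror the azure-native resource; the versioned key URI format and the rule that `keyVaultNetworkAccess: "Private"` requires `keyVaultResourceId` follow the AKS API description; the vault name and key version are constructed placeholders.

```typescript
// Added example, not from the thread or the provider: a policy-style check that a
// ManagedCluster definition enables KMS etcd encryption via securityProfile.azureKeyVaultKms.
interface AzureKeyVaultKms {
    enabled?: boolean;
    keyId?: string;
    keyVaultNetworkAccess?: "Public" | "Private";
    keyVaultResourceId?: string;
}

interface ManagedClusterArgs {
    securityProfile?: { azureKeyVaultKms?: AzureKeyVaultKms };
}

// Versioned Key Vault key identifier (public-cloud suffix assumed):
// https://<vault>.vault.azure.net/keys/<key-name>/<32-hex version>
const VERSIONED_KEY_ID = /^https:\/\/[a-z0-9-]+\.vault\.azure\.net\/keys\/[a-z0-9-]+\/[0-9a-f]{32}$/i;

// Returns findings; an empty list means the cluster encrypts etcd secrets with a Key Vault key.
function checkKmsEtcdEncryption(args: ManagedClusterArgs): string[] {
    const findings: string[] = [];
    const kms = args.securityProfile?.azureKeyVaultKms;
    if (!kms || kms.enabled !== true) {
        // AKS default: Secret values in etcd are only base64-encoded, not encrypted.
        findings.push("securityProfile.azureKeyVaultKms.enabled is not true");
        return findings;
    }
    if (!kms.keyId) {
        findings.push("azureKeyVaultKms.keyId is missing");
    } else if (!VERSIONED_KEY_ID.test(kms.keyId)) {
        // The thread passes keyUriWithVersion; an unversioned or unexpected URI is a misconfiguration.
        findings.push(`azureKeyVaultKms.keyId is not a versioned Key Vault key URI: ${kms.keyId}`);
    }
    if (kms.keyVaultNetworkAccess === "Private" && !kms.keyVaultResourceId) {
        findings.push("keyVaultResourceId is required when keyVaultNetworkAccess is Private");
    }
    return findings;
}

// Constructed sample: the block from the thread with a placeholder vault name and key version.
const kmsEnabledCluster: ManagedClusterArgs = {
    securityProfile: {
        azureKeyVaultKms: {
            enabled: true,
            keyId: "https://example-kv.vault.azure.net/keys/etcd-kms/0123456789abcdef0123456789abcdef",
        },
    },
};
```

Running `checkKmsEtcdEncryption({})` against a cluster with no `securityProfile` returns the single finding for the disabled default.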