Secret encryption

[clickersmudge]

Hi,
With reference to:

1. https://docs.kubermatic.com/kubeone/v1.7/guides/encryption-providers/
2. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

We have included in kubeone.yaml

features:
  # enable encryption providers
  encryptionProviders:
    enable: true

and run

kubeone apply --credentials credentials.yaml --manifest kubeone.yaml --tfjson tf.json --force-upgrade

How can we verify whether data is encrypted?

[kron4eg]

Ensure all relevant data are encrypted

[clickersmudge]

Hi, @kron4eg thank you for your time. I have a few questions thanks in advance for your reply.

1. I understand that to enable encryption just add to kubeone.yaml?

encryptionProviders:
    enable: true

and run

kubeone apply --credentials credentials.yaml --manifest kubeone.yaml --tfjson tf.json --force-upgrade 

Similarly with the exclusion of encryption

encryptionProviders:
    enable: false

2. The KubeOne will automatically generate a configuration similar to this?
No need to add this configuration manually? From the description, it seems that KubeOne also encrypts all secrets automatically?

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- providers:
  - aescbc:
      keys:
      - name: kubeone-xkau31
       secret: 6utsip/8CJ1GFQpM6iWq4oL2z2g8tJ5UkGbIgkSWAAc=
  - identity: {}
  resources:
  - secrets

3. Key rotation can also be enabled, just ?

kubeone apply --credentials credentials.yaml --manifest kubeone.yaml --tfjson tf.json --force-upgrade --rotate-encryption-key

- How do I switch off the rotation after switching on?
- If we understand correctly, key rotation does not work automatically. Do we need to add the appropriate policy?

4. Backups. Important. If everything above is correct then ?
"It’s important to understand that the data will be encrypted during the etcd backup operation as well. This means that when restoring a backup, the cluster should be configured using the same encryption key that was used during the backup. If that’s not the case, the Kubernetes API server will not be able to access the encrypted data."

- Is there any way to check if the secrets are encrypted? E.g. log in to the master plane and check with the command via SSH?
- If KubeOne will pass a generated configuration (EncryptionConfiguration) how to check and save encryption key, which also encrypts backups, if in order to be able to restore the cluster in the future after e.g. Disaster recovery?

[clickersmudge]

Hi @kron4eg
I already know the answer to some of my questions. I will write here again soon to make sure.

However, for now, I would like to report an error.

When I run a new installation of KubeOne with the configuration.

kubeone.yaml

apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
versions:
    kubernetes: "v1.27.11"
clusterNetwork:
    cni:
        canal:
            mtu: 1400
cloudProvider:
    hetzner: {}
    external: true
features:
    encryptionProviders:
        enable: true

Everything works.

However, when I change

features:
    encryptionProviders:
        enable: false

and run

kubeone apply --credentials credentials.yaml --manifest kubeone.yaml --tfjson tf.json --force-upgrade

I have an error

WARN[15:17:26 CET] Retrying task...                             
INFO[15:17:26 CET] Creating machine-controller credentials secret... 
WARN[15:17:26 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 
WARN[15:18:42 CET] Retrying task...                             
INFO[15:18:42 CET] Creating machine-controller credentials secret... 
WARN[15:18:42 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 
WARN[15:20:27 CET] Retrying task...                             
INFO[15:20:28 CET] Creating machine-controller credentials secret... 
WARN[15:20:28 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 
WARN[15:22:56 CET] Retrying task...                             
INFO[15:22:56 CET] Creating machine-controller credentials secret... 
WARN[15:22:56 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 

[clickersmudge]

How do I check that the secrets are encrypted?

I'll add it here, maybe someone will find it useful.
This could be added to the documentation.

kubectl create namespace test
kubectl create secret generic --namespace test test --from-literal=key=value

kubectl get pods --namespace kube-system --selector component=etcd
kubectl exec --stdin --tty --namespace kube-system <NAME> -- sh
    export ETCDCTL_API=3
    export ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt
    export ETCDCTL_CERT=/etc/kubernetes/pki/etcd/healthcheck-client.crt
    export ETCDCTL_KEY=/etc/kubernetes/pki/etcd/healthcheck-client.key
    etcdctl get /registry/secrets/test/test # Verify the stored Secret is prefixed with k8s:enc:aescbc:v1:

kubectl delete namespace test