---
title: Use KMS etcd encryption in Azure Kubernetes Service (AKS) (Preview)
description: Learn how to use KMS etcd encryption with Azure Kubernetes Service (AKS)
services: container-service
ms.topic: article
ms.date: 06/06/2022
---
This article shows you how to enable encryption at rest for your Kubernetes data in etcd using Azure Key Vault with the Key Management Service (KMS) plugin. By default, the Secrets the API server writes to etcd are only base64-encoded, not encrypted; the KMS plugin encrypts them with a key you control in Key Vault. The KMS plugin allows you to:
- Use a key in Key Vault for etcd encryption
- Bring your own keys
- Provide encryption at rest for secrets stored in etcd
For more information on using the KMS plugin, see Encrypting Secret Data at Rest.
[!INCLUDE preview features callout]
- An Azure subscription. If you don't have an Azure subscription, you can create a free account.
- Azure CLI installed.
You also need the aks-preview Azure CLI extension version 0.5.58 or later. Install it by using the `az extension add` command, or install any available updates by using the `az extension update` command.

```azurecli-interactive
# Install the aks-preview extension
az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview
```
To use the feature, you must also enable the `AzureKeyVaultKmsPreview` feature flag on your subscription. Register it by using the `az feature register` command, as shown in the following example:

```azurecli-interactive
az feature register --namespace "Microsoft.ContainerService" --name "AzureKeyVaultKmsPreview"
```
It takes a few minutes for the status to show *Registered*. Verify the registration status by using the `az feature list` command:

```azurecli-interactive
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AzureKeyVaultKmsPreview')].{Name:name,State:properties.state}"
```
When ready, refresh the registration of the Microsoft.ContainerService resource provider by using the `az provider register` command:

```azurecli-interactive
az provider register --namespace Microsoft.ContainerService
```
The following operations and configurations aren't supported when you integrate KMS etcd encryption with AKS:
- Disabling the KMS etcd encryption feature once it's enabled.
- Changing the key ID, including the key name and the key version.
- Deleting the key, the Key Vault, or the associated managed identity.
- Using a system-assigned managed identity. The Key Vault access policy must exist before the feature is enabled, but a system-assigned identity doesn't exist until the cluster has been created, so there's a circular dependency. Use a user-assigned managed identity instead.
- Using more than 2000 secrets in a cluster.
- Bringing your own (BYO) Azure Key Vault from another tenant.
> [!WARNING]
> Deleting the key or the Azure Key Vault isn't supported and will cause your cluster to become unstable: the API server can no longer decrypt the Secrets stored in etcd.
>
> If you need to recover your Key Vault or key, see the Azure Key Vault recovery management with soft delete and purge protection documentation.
Use `az keyvault create` to create a Key Vault.

```azurecli-interactive
az keyvault create --name MyKeyVault --resource-group MyResourceGroup
```
Use `az keyvault key create` to create a key.

```azurecli-interactive
az keyvault key create --name MyKeyName --vault-name MyKeyVault
```
Use `az keyvault key show` to export the key ID.

```azurecli-interactive
export KEY_ID=$(az keyvault key show --name MyKeyName --vault-name MyKeyVault --query 'key.kid' -o tsv)
echo $KEY_ID
```

The above example stores the versioned key ID (`https://<vault>.vault.azure.net/keys/<name>/<version>`) in `KEY_ID`.
Use `az identity create` to create a user-assigned managed identity.

```azurecli-interactive
az identity create --name MyIdentity --resource-group MyResourceGroup
```
Use `az identity show` to get the identity's object ID.

```azurecli-interactive
IDENTITY_OBJECT_ID=$(az identity show --name MyIdentity --resource-group MyResourceGroup --query 'principalId' -o tsv)
echo $IDENTITY_OBJECT_ID
```

The above example stores the value of the identity object ID in `IDENTITY_OBJECT_ID`.
Use `az identity show` to get the identity's resource ID.

```azurecli-interactive
IDENTITY_RESOURCE_ID=$(az identity show --name MyIdentity --resource-group MyResourceGroup --query 'id' -o tsv)
echo $IDENTITY_RESOURCE_ID
```

The above example stores the value of the identity resource ID in `IDENTITY_RESOURCE_ID`.
Use `az keyvault set-policy` to create a Key Vault access policy for the identity. Grant only the `decrypt` and `encrypt` key permissions: the KMS plugin uses the key solely to wrap and unwrap the data-encryption key, and needs no other permissions on the vault.

```azurecli-interactive
az keyvault set-policy -n MyKeyVault --key-permissions decrypt encrypt --object-id $IDENTITY_OBJECT_ID
```
Create an AKS cluster using the `az aks create` command with the `--enable-azure-keyvault-kms` and `--azure-keyvault-kms-key-id` parameters to enable KMS etcd encryption. Pass the user-assigned identity with `--assign-identity`; a system-assigned identity isn't supported for this feature (see the limitations above).

```azurecli-interactive
az aks create --name myAKSCluster --resource-group MyResourceGroup --assign-identity $IDENTITY_RESOURCE_ID --enable-azure-keyvault-kms --azure-keyvault-kms-key-id $KEY_ID
```
Use `az aks update` with the `--enable-azure-keyvault-kms` and `--azure-keyvault-kms-key-id` parameters to enable KMS etcd encryption on an existing cluster. The cluster's user-assigned identity must already have the `decrypt` and `encrypt` permissions on the key.

```azurecli-interactive
az aks update --name myAKSCluster --resource-group MyResourceGroup --enable-azure-keyvault-kms --azure-keyvault-kms-key-id $KEY_ID
```
Enabling KMS encrypts only Secrets written after the change; Secrets that already exist stay unencrypted in etcd until they're rewritten. Use the following command to rewrite every Secret so it's re-encrypted with the KMS key. `kubectl replace` fails with a conflict for any Secret modified between the `get` and the `replace`, so rerun it for those.

```bash
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```
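The steps above as one script, added here as an example and not taken from the AKS documentation. It adds the checks a practitioner would want before handing a key ID to `az aks create`: the ID must be a versioned Key Vault *key* URL (since the key ID can't be changed afterwards, an unversioned or wrong URL would be baked into the cluster), the key must live in the vault you created, and the secret count must be under the documented 2000 limit before the re-encryption pass. Resource names, the `--provision` switch and the `securityProfile.azureKeyVaultKms` query path are assumptions made for this example; the `az` and `kubectl` commands and flags are the ones used on this page, plus `--enable-purge-protection` on the vault because of the warning above.

```shell
#!/usr/bin/env bash
# Added example (not from the AKS docs). Placeholder names are assumptions; override
# them through the environment. Nothing touches Azure unless you pass --provision.
set -eu

RG="${RG:-MyResourceGroup}"
KV="${KV:-MyKeyVault}"
KEY="${KEY:-MyKeyName}"
IDENTITY="${IDENTITY:-MyIdentity}"
CLUSTER="${CLUSTER:-myAKSCluster}"
MAX_SECRETS=2000   # documented limit for KMS etcd encryption

# A Key Vault key ID is https://<vault>.vault.azure.net/keys/<name>/<version>, where
# <version> is 32 lowercase hex characters. AKS pins the cluster to this exact key
# and version and can't change it later, so reject anything else: plain http, an
# unversioned ID, a secrets/certificates URL, a host outside vault.azure.net.
validate_key_id() {
  kid="$1"
  rest="${kid#https://}"
  [ "$rest" != "$kid" ] || return 1            # must start with https://
  host="${rest%%/*}"
  path="${rest#*/}"
  [ "$path" != "$rest" ] || return 1           # must have a path
  case "$host" in
    ?*.vault.azure.net) ;;                     # non-empty vault name
    *) return 1 ;;
  esac
  slashes=$(printf '%s' "$path" | tr -cd '/')
  [ "${#slashes}" -eq 2 ] || return 1          # exactly keys/<name>/<version>
  [ "${path%%/*}" = "keys" ] || return 1
  name="${path#keys/}"; name="${name%/*}"
  version="${path##*/}"
  [ -n "$name" ] || return 1
  [ "${#version}" -eq 32 ] || return 1
  case "$version" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Vault name (lowercase, as it appears in the key ID host) from a key ID; used to
# confirm the key is in our own vault, since a BYO vault from another tenant isn't supported.
vault_name_of() {
  host="${1#https://}"; host="${host%%/*}"
  printf '%s\n' "${host%.vault.azure.net}"
}

# True if the cluster currently holds no more than MAX_SECRETS Secrets.
secrets_within_limit() {
  count=$(kubectl get secrets --all-namespaces --no-headers | wc -l)
  [ "$count" -le "$MAX_SECRETS" ]
}

provision() {
  # Purge protection: a purged vault or key leaves the API server unable to decrypt etcd.
  az keyvault create --name "$KV" --resource-group "$RG" --enable-purge-protection true
  az keyvault key create --name "$KEY" --vault-name "$KV"
  KEY_ID=$(az keyvault key show --name "$KEY" --vault-name "$KV" --query 'key.kid' -o tsv)
  validate_key_id "$KEY_ID" || { echo "unexpected key ID: $KEY_ID" >&2; exit 1; }
  [ "$(vault_name_of "$KEY_ID")" = "$(printf '%s' "$KV" | tr 'A-Z' 'a-z')" ] \
    || { echo "key $KEY_ID is not in vault $KV" >&2; exit 1; }

  az identity create --name "$IDENTITY" --resource-group "$RG"
  OBJECT_ID=$(az identity show --name "$IDENTITY" --resource-group "$RG" --query 'principalId' -o tsv)
  RESOURCE_ID=$(az identity show --name "$IDENTITY" --resource-group "$RG" --query 'id' -o tsv)
  # Least privilege: the KMS plugin only wraps/unwraps the data-encryption key.
  az keyvault set-policy --name "$KV" --object-id "$OBJECT_ID" --key-permissions decrypt encrypt

  az aks create --name "$CLUSTER" --resource-group "$RG" \
    --assign-identity "$RESOURCE_ID" \
    --enable-azure-keyvault-kms --azure-keyvault-kms-key-id "$KEY_ID"
  # Show what the cluster recorded (query path is an assumption about the AKS securityProfile).
  az aks show --name "$CLUSTER" --resource-group "$RG" --query 'securityProfile.azureKeyVaultKms' -o json

  az aks get-credentials --name "$CLUSTER" --resource-group "$RG"
  secrets_within_limit || { echo "more than $MAX_SECRETS Secrets: KMS limit exceeded" >&2; exit 1; }
  # Secrets written before KMS was enabled stay unencrypted until rewritten.
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

if [ "${1:-}" = "--provision" ]; then
  provision
fi
```

Run it as `./kms-etcd.sh --provision` after `az login`; without the switch it only defines the functions, so `validate_key_id` can be reused on its own to vet a key ID before an `az aks update`.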