Encrypting secrets in Managed Service for Kubernetes
Use KMS keys to encrypt secrets, that is, confidential information such as passwords, OAuth tokens, and SSH keys, in Yandex Managed Service for Kubernetes. To do this, specify a KMS key when creating a cluster. This key will be used for encryption and decryption.
Specify the encryption key when you create the Kubernetes cluster: it cannot be added later by updating the cluster. If you need encrypted secrets in a cluster that was created without a key, you have to create a new cluster with a key and move your workloads to it.
Specify a key when creating a Kubernetes cluster:
- In management console, select the folder where you want to create your Kubernetes cluster.
- In the list of services, select Managed Service for Kubernetes.
- Click Create cluster.
- In the Encryption key field, enter the required key or create a new one.
- Fill in other parameters for creating your cluster.
- Click Create cluster.
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
You can specify a key when creating a Kubernetes cluster in two ways:
- Using the key ID:
  yc k8s create --kms-key-id <encryption key ID> \ ...
- Using the key name:
  yc k8s create --kms-key-name <encryption key name> \ ...
Managed Service for Kubernetes interacts with KMS through the Kubernetes KMS provider mechanism, that is, envelope encryption: the Kubernetes API server encrypts each secret with its own data encryption key (DEK), and the KMS plugin hands that DEK to KMS to be encrypted and decrypted with the KMS key you specified. Only the encrypted secret and the encrypted DEK are stored; the KMS key itself never leaves KMS. A consequence to keep in mind is that the cluster can read its secrets only while it has access to that key, so do not destroy the key or revoke the cluster's access to it while the cluster is in use. The secrets themselves are encrypted using standard Kubernetes tools.
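How the envelope scheme works end to end, as an added example that is not part of this page or of the Managed Service for Kubernetes code: a small Go program in which an in-process FakeKMS (an assumption standing in for the real, remote KMS) wraps and unwraps per-secret DEKs, while EncryptSecret and DecryptSecret play the API server's role. The names Envelope, FakeKMS, seal and open, and the use of the secret's name as AAD, are this example's own choices, and the secret value is a constructed sample. It shows that what ends up at rest is only ciphertext plus a wrapped DEK, and that without the right KMS key, or with a tampered envelope, the secret cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what ends up at rest for one secret: the secret encrypted under
// its own DEK plus that DEK wrapped by the KMS key. The KMS key (KEK) is absent.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted by KMS, wrap nonce prepended
	Nonce      []byte // nonce used for the secret itself
	Ciphertext []byte // AES-GCM output for the secret, auth tag included
}

// FakeKMS stands in for the remote key service (an assumption of this example);
// like the real one it only ever hands back wrapped or unwrapped DEKs.
type FakeKMS struct{ kek []byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{kek: randBytes(32)} }

// randBytes draws n bytes from crypto/rand; failure here is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadFor builds AES-256-GCM; all keys here are 32 bytes, so an error is a bug.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts plaintext under key with a fresh nonce; aad is authenticated
// but not encrypted. open is the inverse and fails on any change to its inputs.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	aead := aeadFor(key)
	nonce = randBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	return aeadFor(key).Open(nil, nonce, ct, aad)
}

// Encrypt wraps a DEK with the KEK: this is all the KMS ever sees on the way in.
func (k *FakeKMS) Encrypt(dek []byte) []byte {
	nonce, ct := seal(k.kek, dek, []byte("dek"))
	return append(nonce, ct...)
}

// Decrypt unwraps a DEK; it fails if the KEK differs or the blob was altered.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 12 { // 12 is the standard AES-GCM nonce length
		return nil, fmt.Errorf("wrapped DEK too short")
	}
	return open(k.kek, wrapped[:12], wrapped[12:], []byte("dek"))
}

// EncryptSecret is the API-server side: a fresh DEK per secret, the secret
// sealed under it, the DEK sent to KMS for wrapping. The secret's name is the
// AAD (this example's choice) so a ciphertext cannot be moved to another secret.
func EncryptSecret(kms *FakeKMS, name string, secret []byte) *Envelope {
	dek := randBytes(32)
	nonce, ct := seal(dek, secret, []byte(name))
	return &Envelope{WrappedDEK: kms.Encrypt(dek), Nonce: nonce, Ciphertext: ct}
}

// DecryptSecret must have KMS unwrap the DEK first: without access to the KMS
// key the stored envelope is unreadable, which is the point of the scheme.
func DecryptSecret(kms *FakeKMS, name string, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("KMS could not unwrap DEK: %w", err)
	}
	return open(dek, env.Nonce, env.Ciphertext, []byte(name))
}

func main() {
	kms := NewFakeKMS()
	env := EncryptSecret(kms, "db-password", []byte("hunter2")) // constructed sample secret
	pt, err := DecryptSecret(kms, "db-password", env)
	_, err2 := DecryptSecret(NewFakeKMS(), "db-password", env)
	fmt.Printf("same KMS key: %q (%v); different KMS key: %v\n", pt, err, err2)
}
```

Run it with go run: the first decryption succeeds, and the second, against a KMS holding a different key, fails at the unwrap step before the secret's ciphertext is ever touched. That is the mechanical reason a cluster loses its secrets if the KMS key it was created with is destroyed or its access to the key is revoked.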