Encrypting secrets in Yandex Managed Service for Kubernetes
Use Key Management Service keys to encrypt secrets, that is, confidential information such as passwords, OAuth tokens, and SSH keys, in Yandex Managed Service for Kubernetes. To do this, specify a Key Management Service key when creating a Kubernetes cluster. This key will be used for encryption and decryption.
Make sure you specify the encryption key when creating a cluster, as you can't add it when updating the cluster.
Specify a key when creating a Kubernetes cluster:
- In the management console, select the folder where you want to create your cluster.
- In the list of services, select Managed Service for Kubernetes.
- Click Create cluster.
- In the Encryption key field, enter the required key or create a new one.
- Fill in other parameters for creating your cluster.
- Click Create cluster.
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
You can specify a key when creating a Kubernetes cluster in two ways.
- Using the key ID:

  ```bash
  yc managed-kubernetes cluster create \
    ... \
    --kms-key-id <encryption key ID> \
    ...
  ```

- Using the key name:

  ```bash
  yc managed-kubernetes cluster create \
    ... \
    --kms-key-name <encryption key name> \
    ...
  ```
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it by configuration files. They store the infrastructure description in HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Mozilla Public License.
For more information about the provider resources, see the documentation on the Terraform site or mirror site.
If you change the configuration files, Terraform automatically determines which part of your configuration is already deployed and what should be added or removed.
If you don't have Terraform, install it and configure the provider.
Specify a key when creating a Kubernetes cluster:
- Add a kms_provider block to the cluster description:

  ```hcl
  resource "yandex_kubernetes_cluster" "<cluster name>" {
    ...
    kms_provider {
      key_id = "<encryption key ID>"
    }
  }
  ```

- Make sure that the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run the check using the command:

    ```bash
    terraform plan
    ```

    If the configuration is described correctly, the terminal displays a list of the resources to be created and their parameters. If there are errors in the configuration, Terraform points them out. This is a test step: no resources are created.
- Create a cluster.
  - If the configuration doesn't contain any errors, run the command:

    ```bash
    terraform apply
    ```

  - Confirm that you want to create the resources.

  After this, all the necessary resources will be created in the specified folder and the IP addresses of the VMs will be displayed in the terminal. You can check resource availability and their settings in the management console.
Managed Service for Kubernetes interacts with Key Management Service using the Key Management Service provider mechanism. Managed Service for Kubernetes supports the Key Management Service plugin, which is used to encrypt and decrypt data encryption keys (DEKs) in Key Management Service. The secrets themselves are encrypted using standard Kubernetes tools.
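The envelope scheme described above, as an added example that is not part of the Yandex Cloud documentation or of the Kubernetes KMS plugin code: each secret is encrypted under its own data encryption key (DEK) with AES-256-GCM, and only the DEK is sent to the key service to be wrapped under the key-encryption key (KEK) that never leaves it. The in-memory kms type below stands in for Key Management Service (it is a simulation, not the Yandex KMS API), the key ID is a placeholder, and the secret value is constructed for the example. What the code shows is why a stolen etcd copy is useless without access to the KMS key: the stored record holds only ciphertext plus a wrapped DEK, a different KEK cannot unwrap it, and any modification of the ciphertext is rejected by the GCM tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// kms simulates Key Management Service: it holds the key-encryption key (KEK)
// and only ever wraps or unwraps DEKs; the KEK is never handed out.
type kms struct {
	keyID string
	kek   []byte // 32-byte AES-256 key, generated for this example
}

func newKMS(keyID string) (*kms, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &kms{keyID: keyID, kek: kek}, nil
}

// sealAESGCM encrypts with AES-256-GCM; a fresh 12-byte nonce is prepended to the output.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// openAESGCM reverses sealAESGCM and fails on any tampering with nonce, ciphertext or tag.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt wraps a DEK under the KEK. The key ID is bound as associated data so a
// DEK wrapped under one key cannot be replayed as if wrapped under another.
func (k *kms) Encrypt(dek []byte) ([]byte, error) { return sealAESGCM(k.kek, dek, []byte(k.keyID)) }

// Decrypt unwraps a DEK previously wrapped by Encrypt.
func (k *kms) Decrypt(wrapped []byte) ([]byte, error) {
	return openAESGCM(k.kek, wrapped, []byte(k.keyID))
}

// EnvelopedSecret is the record that would be persisted: the secret encrypted under a
// per-secret DEK, plus that DEK wrapped by KMS. Nothing in it decrypts without KMS.
type EnvelopedSecret struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptSecret generates a DEK, encrypts the secret with it, then wraps the DEK via KMS.
func EncryptSecret(k *kms, plaintext []byte) (*EnvelopedSecret, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := k.Encrypt(dek)
	if err != nil {
		return nil, err
	}
	return &EnvelopedSecret{KeyID: k.keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptSecret asks KMS to unwrap the DEK, then opens the secret locally.
func DecryptSecret(k *kms, s *EnvelopedSecret) ([]byte, error) {
	if s.KeyID != k.keyID {
		return nil, fmt.Errorf("secret was encrypted under key %q, not %q", s.KeyID, k.keyID)
	}
	dek, err := k.Decrypt(s.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAESGCM(dek, s.Ciphertext, nil)
}

func main() {
	k, err := newKMS("example-kms-key-id") // placeholder ID, not a real Yandex KMS key
	if err != nil {
		panic(err)
	}
	env, err := EncryptSecret(k, []byte("constructed-db-password"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: key=%s wrappedDEK=%d bytes ciphertext=%d bytes\n",
		env.KeyID, len(env.WrappedDEK), len(env.Ciphertext))
	pt, err := DecryptSecret(k, env)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // one flipped byte in storage
	_, err = DecryptSecret(k, env)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The per-secret DEK is what lets the KMS key be rotated cheaply: only the small wrapped DEKs need re-wrapping, not every secret. Binding the key ID as associated data is an added hardening choice for this example, not something the page states the real plugin does.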