© 2023 Yandex.Cloud LLC

Encrypting secrets in Yandex Managed Service for Kubernetes

Written by
Yandex Cloud

Use Key Management Service keys to encrypt secrets, that is, confidential information such as passwords, OAuth tokens, and SSH keys, stored in Yandex Managed Service for Kubernetes. To do this, specify a Key Management Service key when creating a Kubernetes cluster. The key is then used to encrypt and decrypt the cluster's secrets.

Make sure you specify the encryption key when creating the cluster: it cannot be added to an existing cluster by updating it. A cluster created without a key has to be replaced by a new one to get secret encryption.

The key can be specified from the management console, the YC CLI, Terraform, or the API.

Management console

Specify a key when creating a Kubernetes cluster:

  1. In the management console, select the folder where you want to create your cluster.
  2. In the list of services, select Managed Service for Kubernetes.
  3. Click Create cluster.
  4. In the Encryption key field, enter the required key or create a new one.
  5. Fill in other parameters for creating your cluster.
  6. Click Create cluster.

CLI

If you don't have the Yandex Cloud command line interface (YC CLI) yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

You can specify a key when creating a Kubernetes cluster in two ways.

  • Using the key ID:

    yc managed-kubernetes cluster create \
    ...
      --kms-key-id <encryption key ID> \
    ...
    
  • Using the key name:

    yc managed-kubernetes cluster create \
    ...
      --kms-key-name <encryption key name> \
    ...
    

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it through configuration files. They store the infrastructure description in HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Mozilla Public License.

For more information about the provider resources, see the documentation on the Terraform site or mirror site.

If you change the configuration files, Terraform automatically determines which part of your configuration is already deployed and what should be added or removed.

If you don't have Terraform, install it and configure the provider.

Specify a key when creating a Kubernetes cluster:

  1. Add a kms_provider block to the cluster description:

    resource "yandex_kubernetes_cluster" "<cluster name>" {
    ...
      kms_provider {
        key_id = "<encryption key ID>"
      }
    }
    
  2. Make sure that the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run the check using the command:

      terraform plan
      

    If the configuration is described correctly, the terminal displays a list of created resources and their parameters. If there are errors in the configuration, Terraform points them out. This is a test step. No resources are created.

  3. Create a cluster.

    1. If the configuration doesn't contain any errors, run the command:

      terraform apply
      
    2. Confirm that you want to create the resources.

    After this, all the necessary resources will be created in the specified folder and the IP addresses of the VMs will be displayed in the terminal. You can check resource availability and their settings in the management console.

API

Specify the encryption key when creating a Kubernetes cluster: call the create method of the Cluster resource and pass the key ID in the kmsProvider.keyId parameter.
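The API call above, as an added example that is not part of the original page or of the Yandex Cloud SDK: a Python client using only the standard library that builds the Cluster.create request body with kmsProvider.keyId, refuses to send a body without a key (because the key cannot be added once the cluster exists), and then checks that the created cluster reports the expected kmsProvider.keyId via Cluster.get. The endpoint URL, every request field other than kmsProvider.keyId, the Operation metadata layout and all identifiers are this example's assumptions; it authenticates with an IAM token read from the YC_IAM_TOKEN environment variable.

```python
"""Added example (not Yandex Cloud's own code): create a Managed Service for
Kubernetes cluster bound to a KMS key through the REST API and verify the
binding on the created cluster."""
import json
import os
import urllib.request

# Assumed REST endpoint of the Managed Service for Kubernetes API.
MKS_CLUSTERS_URL = "https://mks.api.cloud.yandex.net/managed-kubernetes/v1/clusters"


def build_create_cluster_request(folder_id, name, network_id, zone_id, subnet_id,
                                 service_account_id, node_service_account_id,
                                 kms_key_id):
    """Return the JSON body for the Cluster.create method.

    kmsProvider.keyId is the parameter the page names; the other field names
    are this example's assumptions about the Cluster.create request schema.
    A key cannot be added to an existing cluster, so a missing key ID is
    rejected here instead of silently creating a cluster without secret
    encryption.
    """
    if not kms_key_id:
        raise ValueError("kms_key_id is required: it cannot be added after creation")
    return {
        "folderId": folder_id,
        "name": name,
        "networkId": network_id,
        "masterSpec": {
            "zonalMasterSpec": {
                "zoneId": zone_id,
                "internalV4AddressSpec": {"subnetId": subnet_id},
            }
        },
        "serviceAccountId": service_account_id,
        "nodeServiceAccountId": node_service_account_id,
        "kmsProvider": {"keyId": kms_key_id},
    }


def cluster_uses_key(cluster, kms_key_id):
    """True if a Cluster resource (as returned by Cluster.get) is bound to kms_key_id."""
    return cluster.get("kmsProvider", {}).get("keyId") == kms_key_id


def api_call(url, iam_token, body=None):
    """POST body as JSON (or GET when body is None) with an IAM bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url,
        data=data,
        method="POST" if body is not None else "GET",
        headers={"Authorization": f"Bearer {iam_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a Cluster.get response, trimmed to the fields used here.
SAMPLE_CLUSTER = {
    "id": "<cluster ID>",
    "name": "encrypted-secrets",
    "kmsProvider": {"keyId": "<encryption key ID>"},
}


if __name__ == "__main__":
    # All inputs come from the environment; no real identifiers are embedded.
    token = os.environ["YC_IAM_TOKEN"]
    body = build_create_cluster_request(
        folder_id=os.environ["YC_FOLDER_ID"],
        name=os.environ.get("CLUSTER_NAME", "encrypted-secrets"),
        network_id=os.environ["YC_NETWORK_ID"],
        zone_id=os.environ.get("YC_ZONE", "ru-central1-a"),
        subnet_id=os.environ["YC_SUBNET_ID"],
        service_account_id=os.environ["YC_SA_ID"],
        node_service_account_id=os.environ["YC_NODE_SA_ID"],
        kms_key_id=os.environ["YC_KMS_KEY_ID"],
    )
    operation = api_call(MKS_CLUSTERS_URL, token, body)
    # Assumed: the create Operation carries the new cluster's ID in its metadata.
    cluster_id = operation["metadata"]["clusterId"]
    print("create operation", operation["id"], "for cluster", cluster_id)
    # Creation is asynchronous, but the cluster resource itself can be fetched
    # and its key binding checked before deciding whether to keep the cluster.
    cluster = api_call(f"{MKS_CLUSTERS_URL}/{cluster_id}", token)
    if not cluster_uses_key(cluster, body["kmsProvider"]["keyId"]):
        raise SystemExit("cluster is not bound to the expected KMS key")
    print("kmsProvider.keyId verified")
```

The guard in build_create_cluster_request is the point of the example: because the page states that the key cannot be added when updating the cluster, the safest place to enforce "always encrypted" is before the create request leaves the client, and the post-creation check confirms the binding the API actually recorded.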

Managed Service for Kubernetes interacts with Key Management Service through the Kubernetes KMS provider mechanism. The supported Key Management Service plugin encrypts and decrypts data encryption keys (DEKs) in Key Management Service, while the secrets themselves are encrypted with those DEKs using standard Kubernetes tools (envelope encryption).

See also

  • Getting started with Managed Service for Kubernetes.
  • Envelope encryption.
  • Creating secrets in Kubernetes.
