search

kubernetes-sigs / cluster-api

Home for Cluster API, a subproject of sig-cluster-lifecycle
https://cluster-api.sigs.k8s.io
Apache License 2.0
3.45k stars 1.27k forks source link

Option to enable data encryption at-rest #10728

Open bighiro opened 1 month ago

bighiro commented 1 month ago

What would you like to be added (User Story)?

As an cluster admin, I should be able to enable the data encryption during the cluster bootstrap.

Detailed Description

Requesting for an option to create and enable the data encryption during the kubadm bootstrap in control-plane

There are some other flavors like RKE, where the option to enable the secret encryption is provided, which automatically created the encryptionproviderconfig file and enables it in the api-server.

Reference : https://rke.docs.rancher.com/config-options/secrets-encryption#enable-encryption

Expecting for the similar behaviour with clusterapi , irrespective with providers

Anything else you would like to add?

No response

Label(s) to be applied

/kind feature One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels.

k8s-ci-robot commented 1 month ago

This issue is currently awaiting triage.

If CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.
fabriziopandini commented 1 week ago

data encryption requires configurations when layout out control plane components.

In Cluster API this is a responsibility of control plane providers; most of them are implemented outside of this repo, while we have a KCP control plane provider in tree.

Doing encryption at rest in KCP is alredy possible by doing two settings:

I don't see much value in reducing two settings into one; also this will imply some opinionated decision about what to put into the encryption-config.yaml file, which a product like Rancher can do, but the community cannot unless there is agreement.

Considering this I'm personally -1 to the idea, unless we come up with some consensus about encryption-config, related certificates etc.

/priority backlog /kind proposal (assuming we have to write a proposal to get/document consensus)