marcusbooyah
commented
2 years ago Azure, AWS and Google have solutions for KMS: https://github.com/Azure/kubernetes-kms https://github.com/kubernetes-sigs/aws-encryption-provider https://github.com/GoogleCloudPlatform/k8s-cloudkms-plugin
We need to implement etcd encryption:
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
Things to think about:
OpenShift can optionally configure aesgcm. This requires key rotation before 200K writes and OpenShift Encryption does this somehow. I think kms may be more interesting. We'd implement a key management system provider based on HashiCorp Vault or perhaps forwarding on to an integrated cloud key provider.
We'd need to locate the kms provider somewhere like neon-cluster-operator
Do we encrypt everything in etcd or just selected resources? OpenShift encrypts just: Secrets, ConfigMaps, Routes, OAuth access, and OAuth authorize tokens. This is probably done so make key rotation faster.
Setup would need to generate keys and then read/write all secrured resources via something like:
ready-to-go deployments would need to rotate keys and read/write the secured resources.