From 36393d77d30f8f0383ca61b8da0d5239f4b7f96e Mon Sep 17 00:00:00 2001
From: Alex
Date: Wed, 23 Feb 2022 12:04:18 +0100
Subject: [PATCH] Encrypting Secret Data at Rest (#8574)
* change default value for Encrypting Secret Data at Rest to secretbox, remove experimental flag and add documentation
* fix MD012/no-multiple-blanks
---
 docs/encrypting-secret-data-at-rest.md | 22 +++++++++++++++++++
 .../group_vars/k8s_cluster/k8s-cluster.yml | 2 +-
 .../control-plane/defaults/main/main.yml | 2 +-
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 docs/encrypting-secret-data-at-rest.md
diff --git a/docs/encrypting-secret-data-at-rest.md b/docs/encrypting-secret-data-at-rest.md
new file mode 100644
index 000000000..36742821e
--- /dev/null
+++ b/docs/encrypting-secret-data-at-rest.md
@@ -0,0 +1,22 @@
+# Encrypting Secret Data at Rest
+
+Before enabling Encrypting Secret Data at Rest, please read the following documentation carefully.
+
+
+
+As you can see from the documentation above, 5 encryption providers are supported as of today (22.02.2022).
+
+As default value for the provider we have chosen `secretbox`.
+
+Alternatively you can use the values `identity`, `aesgcm`, `aescbc` or `kms`.
+
+| Provider | Why we have decided against the value as default |
+|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| identity | no encryption |
+| aesgcm | Must be rotated every 200k writes |
+| aescbc | Not recommended due to CBC's vulnerability to padding oracle attacks. |
+| kms | Is the official recommended way, but assumes that a key management service independent of Kubernetes exists, we cannot assume this in all environments, so not a suitable default value. |
+
+## Details about Secretbox
+
+Secretbox uses [Poly1305](https://cr.yp.to/mac.html) as message-authentication code and [XSalsa20](https://www.xsalsa20.com/) as secret-key authenticated encryption and secret-key encryption.
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index 242cd39d8..ac23e5b5d 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -146,7 +146,7 @@ kube_proxy_nodeport_addresses: >-
 # {{ inventory_hostname }}
 # {%- endif -%}
 
-## Encrypting Secret Data at Rest (experimental)
+## Encrypting Secret Data at Rest
 kube_encrypt_secret_data: false
 
 # Graceful Node Shutdown (Kubernetes >= 1.21.0), see https://kubernetes.io/blog/2021/04/21/graceful-node-shutdown-beta/
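Review bot: The sample inventory still gives an operator no pointer to the provider choice that this commit changes elsewhere, since the only line here is the `kube_encrypt_secret_data: false` toggle and the new docs page is not referenced. A reader who flips the toggle will get the new default provider without seeing that `kube_encryption_algorithm` exists or that the page explains the trade-offs between providers. Suggest extending the retitled comment to `## Encrypting Secret Data at Rest, see docs/encrypting-secret-data-at-rest.md` so the sample inventory links the decision to its documentation.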
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 65ba43a46..ad7037029 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -144,7 +144,7 @@ controller_manager_extra_volumes: {}
 kube_encrypt_secret_data: false
 kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
 # Must be either: aescbc, secretbox or aesgcm
-kube_encryption_algorithm: "aescbc"
+kube_encryption_algorithm: "secretbox"
 # Which kubernetes resources to encrypt
 kube_encryption_resources: [secrets]
 
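Review bot: Switching the default `kube_encryption_algorithm` from `"aescbc"` to `"secretbox"` is a silent migration hazard for clusters that already run with `kube_encrypt_secret_data: true`, because secrets written under the old provider can only be read back if that provider stays listed in the API server's EncryptionConfiguration. Whether the role keeps the previously configured provider as a decrypt-only fallback is not visible in this hunk, so the default should at least document the constraint next to the value. Suggest replacing the `# Must be either: aescbc, secretbox or aesgcm` comment with `# Must be either: aescbc, secretbox or aesgcm. Changing it on a cluster that already has encryption enabled requires keeping the previous provider in the encryption config and re-encrypting existing secrets; see docs/encrypting-secret-data-at-rest.md`. The same migration caveat belongs in the new docs page, which currently only explains why each provider was or was not chosen as the default.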