From 05c7b797151d27c90114cba858b448ce39b7b2e8 Mon Sep 17 00:00:00 2001 From: yoyocircle <61043261+yoyocircle@users.noreply.github.com> Date: Tue, 14 May 2024 17:59:51 +0800 Subject: [PATCH 1/2] docs: adjust used fields and fix typos Signed-off-by: yoyocircle <61043261+yoyocircle@users.noreply.github.com> --- docs/manual-install.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/manual-install.md b/docs/manual-install.md index b3a765d8..fe0af344 100644 --- a/docs/manual-install.md +++ b/docs/manual-install.md @@ -27,11 +27,11 @@ This guide demonstrates steps required to enable the KMS Plugin for Key Vault in [`/etc/kubernetes/azure.json`](https://kubernetes-sigs.github.io/cloud-provider-azure/install/configs/) is a well-known JSON file in each node that provides the details about which method KMS Plugin uses for access to Keyvault: - | Authentication method | `/etc/kubernetes/azure.json` fields used | - | -------------------------------- | ------------------------------------------------------------------------------------------- | - | System-assigned managed identity | `useManagedIdentityExtension: true` and `userAssignedIdentityID:""` | - | User-assigned managed identity | `useManagedIdentityExtension: true` and `userAssignedIdentityID:""` | - | Service principal (default) | `aadClientID: ""` and `aadClientSecret: ""` | + | Authentication method | `/etc/kubernetes/azure.json` fields used | + | -------------------------------- | ------------------------------------------------------------------------------------------------------ | + | System-assigned managed identity | `useManagedIdentityExtension: true` and `userAssignedIdentityID:""` | + | User-assigned managed identity | `useManagedIdentityExtension: true` and `userAssignedIdentityID:""` | + | Service principal (default) | `tenantId: ""`, `aadClientId: ""` and `aadClientSecret: ""` | #### Obtaining the ID of the cluster managed identity/service principal 
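Review bot: the two managed-identity rows of the table are still identical after this hunk (both read `useManagedIdentityExtension: true` and `userAssignedIdentityID:""`), so a reader cannot tell how the user-assigned case is configured; the user-assigned row should show `userAssignedIdentityID` populated with the identity's ID rather than left empty. The rename `aadClientID` -> `aadClientId` and the added `tenantId` in the service-principal row match the field names azure.json actually uses, so that part looks right. Since that row puts `aadClientSecret` on disk in `/etc/kubernetes/azure.json`, it would be worth a sentence saying the file must stay readable only by root and that a managed identity avoids the on-disk secret altogether.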
From 81994214f5fc8a1c89200f96704177d089c8157b Mon Sep 17 00:00:00 2001 From: yoyocircle <61043261+yoyocircle@users.noreply.github.com> Date: Tue, 14 May 2024 18:05:52 +0800 Subject: [PATCH 2/2] docs: update the descriptions of setting steps 1. adjust the wrong paths 2. add description about configuring KMS v2 3. Mounting the encryption configuration is also required Signed-off-by: yoyocircle <61043261+yoyocircle@users.noreply.github.com> --- docs/manual-install.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/manual-install.md b/docs/manual-install.md index fe0af344..c95ce725 100644 --- a/docs/manual-install.md +++ b/docs/manual-install.md @@ -137,7 +137,7 @@ This guide demonstrates steps required to enable the KMS Plugin for Key Vault in ### 4. Create encryption configuration - Create a new encryption configuration file `/etc/kubernetes/manifests/encryptionconfig.yaml` using the appropriate properties for the `kms` provider: + Create a new encryption configuration file `/etc/kubernetes/enc/encryptionconfig.yaml` using the appropriate properties for the `kms` provider: ```yaml kind: EncryptionConfiguration @@ -147,6 +147,8 @@ This guide demonstrates steps required to enable the KMS Plugin for Key Vault in - secrets providers: - kms: + # if you are using KMSv2, please specify the api version + # apiVersion: v2 name: azurekmsprovider endpoint: unix:///opt/azurekms.socket # This endpoint must match the value defined in --listen-addr for the KMS plugin cachesize: 1000 
@@ -155,12 +157,12 @@ This guide demonstrates steps required to enable the KMS Plugin for Key Vault in The encryption configuration file needs to be accessible by all the api servers. -### 5. Modify `/etc/kubernetes/kube-apiserver.yaml` +### 5. Modify `/etc/kubernetes/manifests/kube-apiserver.yaml` Add the following flag: ```yaml - --encryption-provider-config=/etc/kubernetes/encryptionconfig.yaml + --encryption-provider-config=/etc/kubernetes/enc/encryptionconfig.yaml ``` Mount `/opt` to access the socket: @@ -168,10 +170,17 @@ This guide demonstrates steps required to enable the KMS Plugin for Key Vault in ```yaml ... volumeMounts: + - name: enc + mountPath: /etc/kubernetes/enc + readOnly: true - name: "sock" mountPath: "/opt" ... volumes: + - name: enc + hostPath: + path: /etc/kubernetes/enc + type: DirectoryOrCreate - name: "sock" hostPath: path: "/opt"
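Review bot: moving the file out of `/etc/kubernetes/manifests` in the @@ -137 hunk is the right call, because kubelet treats every file in that directory as a static pod manifest and an `EncryptionConfiguration` document placed there would be picked up and rejected; the text should also say that the new `/etc/kubernetes/enc` directory has to be created on every control-plane node before the file is written, since the sentence "The encryption configuration file needs to be accessible by all the api servers" is the only hint of that.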
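Review bot: the new `# apiVersion: v2` comment in the @@ -147 hunk sits directly above `cachesize: 1000`, which is a KMS v1 setting; as far as I recall the API server rejects `cachesize` once `apiVersion: v2` is set, so the comment should tell the reader to remove that line for v2, and should mention that the plugin listening on `unix:///opt/azurekms.socket` must itself be serving the v2 API, otherwise the API server cannot encrypt anything and fails to start.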
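Review bot: the @@ -155 hunk makes the heading and the flag consistent with step 4 (`/etc/kubernetes/manifests/kube-apiserver.yaml` and `/etc/kubernetes/enc/encryptionconfig.yaml`), but `--encryption-provider-config` is resolved inside the kube-apiserver container, so the text should say explicitly that the path only works together with the `enc` volume mount added in the following hunk; a reader who applies the flag without the mount gets a startup failure on a missing file.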
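Review bot: `type: DirectoryOrCreate` on the new `enc` hostPath in the @@ -168 hunk hides a skipped step 4: if `/etc/kubernetes/enc` does not exist on the node, kubelet silently creates an empty directory and kube-apiserver then dies on the missing config file instead of on a clear mount error. `type: Directory`, or `type: File` pointed at the config file itself, fails fast and is the safer default for a security-critical file. `readOnly: true` on the mount is correct, since the API server never needs to write the encryption config. Minor style point: the new entries use unquoted scalars while the adjacent `sock` entries quote theirs (`name: "sock"`, `mountPath: "/opt"`); pick one style for the snippet.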