Hi
We'd like to use the --secrets-encryption option to decrypt the Secrets we create on our K3S deployed cluster.
According to the documentation, the K3s impl will do the following:
Generate an AES-CBC key
Generate an encryption config file with the generated key
Pass the config to the KubeAPI as encryption-provider-config
Once enabled any created secret will be encrypted with this key
We have a use case where, while upgrading our system, we might also upgrade the K3S version/deployment.
What would happen to the AES-CBC key in that case? Would it be regenerated? If so, would it mean that we need to decrypt all our Secrets first?
Is it possible to disable the --secrets-encryption and rely on K3S to decrypt all the Secrets resources?
Another issue is the option of rotating a decryption key - is it possible to rotate the AES-CBC key?
We need it in order to be compatible with security regulations.
Bottom line, we need to know if we could have access to the encryption config file that is being generated by K3S to manipulate its configuration (both the key and the order of the providers).
Tnx
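The key and provider ordering asked about above, as an added example that is not part of the original issue and is not K3s's own code: it builds a Kubernetes `EncryptionConfiguration` and walks the upstream key-rotation sequence. The key names and helper functions are hypothetical.

```python
import base64
import copy
import secrets

def new_key(name):
    """aescbc key entry holding a fresh 32-byte random key, base64-encoded."""
    return {"name": name, "secret": base64.b64encode(secrets.token_bytes(32)).decode()}

def build_config(keys):
    """Secrets are written with aescbc; identity stays last so plaintext Secrets remain readable."""
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [{
            "resources": ["secrets"],
            "providers": [{"aescbc": {"keys": list(keys)}}, {"identity": {}}],
        }],
    }

def aescbc_keys(config):
    return config["resources"][0]["providers"][0]["aescbc"]["keys"]

def stage_new_key(config, key):
    """Step 1: append the new key so every API server can already decrypt with it."""
    out = copy.deepcopy(config)
    aescbc_keys(out).append(key)
    return out

def promote_key(config, name):
    """Step 2: move the named key to the front; only the first key encrypts new writes."""
    out = copy.deepcopy(config)
    keys = aescbc_keys(out)
    idx = next(i for i, k in enumerate(keys) if k["name"] == name)
    keys.insert(0, keys.pop(idx))
    return out

def prune_old_keys(config):
    """Step 4: once every Secret has been rewritten (step 3), drop all but the first key."""
    out = copy.deepcopy(config)
    del aescbc_keys(out)[1:]
    return out

if __name__ == "__main__":
    import json
    cfg = build_config([new_key("key-old")])  # constructed sample key names
    cfg = promote_key(stage_new_key(cfg, new_key("key-new")), "key-new")
    print(json.dumps(cfg, indent=2))
```

The API server reads this file through `--encryption-provider-config`. Removing the old key before all Secrets have been rewritten leaves the ones still encrypted under it unreadable.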
This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 180 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.