kubernetes: Custom resources don't get encrypted in etcd
What happened:
Trying to encrypt a custom resource in etcd with the following EncryptionConfiguration in kube-apiserver does not lead to encrypted state in etcd.
In this example the custom resource is named “tokens” and belongs to the group “management.cattle.io”:
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - providers:
      - aescbc:
          keys:
            - name: some-key
              secret: some-secret
      - identity: {}
    resources:
      - tokens.management.cattle.io
  - providers:
      - aescbc:
          keys:
            - name: some-key
              secret: some-secret
      - identity: {}
    resources:
      - secrets
```
What you expected to happen:
Expecting custom resources to be encrypted in etcd if queried, e.g. like this:
```
etcdctl get /registry/management.cattle.io/tokens/some-token
```
How to reproduce it (as minimally and precisely as possible):
Activate encryption on the kube-apiserver with an EncryptionConfiguration definition on any custom resource and query state in etcd.
Anything else we need to know?:
Tested this both with namespaced and non-namespaced custom resources. In both cases encryption does not work.
Environment:
- Kubernetes version: v1.20.6
- Cloud provider or hardware configuration: OpenStack
- OS: flatcar 2765.2.3
- Kernel: Linux host-10-13-39-90 5.10.32-flatcar #1 SMP Tue Apr 27 22:38:30 -00 2021 x86_64 Intel Core Processor (Haswell, no TSX, IBRS) GenuineIntel GNU/Linux
- Install tools: rke version v1.2.9
About this issue
- State: closed
- Created 3 years ago
- Comments: 16 (13 by maintainers)
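
A check for the state the report expects, as an added example (not code from the issue or from Kubernetes): kube-apiserver prefixes encrypted values in etcd with `k8s:enc:<provider>:<version>:<key-name>:`, so the leading bytes of a stored value show whether a provider was applied. The function name and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a raw etcd value (on stdin) by its storage prefix.
# Real use, with the key from the report:
#   etcdctl get /registry/management.cattle.io/tokens/some-token \
#       --print-value-only | classify_etcd_value

classify_etcd_value() {
    # Only the leading bytes matter. Map NUL to '~' so the protobuf magic
    # "k8s\0" stays recognisable, then drop every other non-printable byte.
    prefix=$(head -c 96 | LC_ALL=C tr '\000' '~' | LC_ALL=C tr -cd '[:print:]')
    case "$prefix" in
        k8s:enc:*:v[0-9]*:*)
            rest=${prefix#k8s:enc:}
            provider=${rest%%:*}; rest=${rest#*:}
            version=${rest%%:*};  rest=${rest#*:}
            key=${rest%%:*}
            echo "encrypted provider=$provider version=$version key=$key" ;;
        '{'*)    echo "plaintext format=json" ;;      # custom resources are stored as JSON
        'k8s~'*) echo "plaintext format=protobuf" ;;  # built-in types such as secrets
        *)       echo "unknown" ;;                    # empty (key not found) or unrecognised
    esac
}

# Constructed sample values, not taken from a real cluster.
sample_encrypted() { printf 'k8s:enc:aescbc:v1:some-key:\001\002\377\020ciphertext'; }
sample_plain_cr()  { printf '%s' '{"kind":"Token","metadata":{"name":"some-token"}}'; }
sample_plain_pb()  { printf 'k8s\000\n\014\n\002v1\022\006Secret'; }

for s in sample_encrypted sample_plain_cr sample_plain_pb; do
    printf '%s: %s\n' "$s" "$("$s" | classify_etcd_value)"
done
```

With the behaviour described in this issue, the custom resource key would report `plaintext format=json` even though `aescbc` is configured for it.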
/unassign @ankeesler
/assign @ritazh
cc @aramase
Rita wanted something difficult to work on 😄
See #104662 and the other comments I have made in this issue.
Working on it! 😃