πŸ”Kubernetes Secrets Encrypted At Rest Labs

🎯 Objective

Learn how to encrypt Kubernetes Secrets at rest in etcd using AES-CBC encryption.


🧰 Prerequisites

  • Kubernetes cluster with admin access

  • SSH access to the control plane (master node)

  • kubectl configured


⚠️ Important

Always back up your cluster (etcd included) before modifying critical configurations!


🔹 Lab 1: SSH into the Control Plane

ssh user@<control-plane-node-ip>

✅ You need access to /etc/kubernetes/manifests/kube-apiserver.yaml.


🔹 Lab 2: Create an Encryption Configuration File

Generate a random 32-byte key and base64-encode it:

Save it securely. Then create /etc/kubernetes/encryption-config.yaml:

✅ This configuration encrypts Secrets using AES-CBC encryption.


🔹 Lab 3: Edit kube-apiserver to Use Encryption

Edit /etc/kubernetes/manifests/kube-apiserver.yaml and add the following flag under spec.containers.command:

Example fragment:

✅ Save and exit.

The kubelet watches the static-pod manifest directory and will automatically restart the kube-apiserver pod with the new config.
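The key generation, the EncryptionConfiguration file and the manifest check from Labs 2 and 3, as an added example that is not part of the original lab. It writes into a scratch directory (WORKDIR is an assumption so it runs offline); on a real control plane the file is /etc/kubernetes/encryption-config.yaml and the flag goes into /etc/kubernetes/manifests/kube-apiserver.yaml, which also needs a hostPath mount so the container can read the file. The manifest fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the original lab): generate an aescbc key, write
# the EncryptionConfiguration, and check that a kube-apiserver manifest
# carries --encryption-provider-config. WORKDIR is an assumption so the
# script runs without a cluster; the real paths are the lab's.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 32 random bytes, base64-encoded on a single line (44 characters).
generate_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# aescbc is listed first so new writes are encrypted; identity is listed
# last so objects still stored in plaintext can be read until rewritten.
write_encryption_config() {
    key="$1"; out="$2"
    cat > "$out" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
    chmod 600 "$out"   # the key is as sensitive as the Secrets it protects
}

# Return 0 when the manifest passes the config flag to kube-apiserver.
manifest_has_flag() {
    grep -q -- '--encryption-provider-config=/etc/kubernetes/encryption-config.yaml' "$1"
}

# Constructed fragment standing in for the real kube-apiserver.yaml.
write_sample_manifest() {
    cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
    volumeMounts:
    - mountPath: /etc/kubernetes/encryption-config.yaml
      name: encryption-config
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/encryption-config.yaml
      type: File
    name: encryption-config
EOF
}

main_demo() {
    KEY=$(generate_key)
    write_encryption_config "$KEY" "$WORKDIR/encryption-config.yaml"
    write_sample_manifest "$WORKDIR/kube-apiserver.yaml"
    if manifest_has_flag "$WORKDIR/kube-apiserver.yaml"; then
        echo "encryption flag present in $WORKDIR/kube-apiserver.yaml"
    fi
}
main_demo
```

Run manifest_has_flag against the live manifest after editing it; if it returns non-zero, the kubelet is still starting an apiserver that writes Secrets in plaintext.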


🔹 Lab 4: Verify Encryption Provider is Active

Create a new secret:

✅ New Secrets are now encrypted in etcd! (Secrets written before the change keep their old stored form until they are rewritten.)


🔹 Lab 5: (Optional) Simulate Inspecting etcd Storage

If you can access etcd directly (dangerous in production!):

✅ Instead of base64, you'll see unreadable ciphertext.
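The verification from Labs 4 and 5 seen from the storage side, as an added example that is not part of the original lab. create_test_secret and fetch_secret_from_etcd wrap the kubectl and etcdctl commands run on the control plane and need a live cluster; the etcd certificate paths are kubeadm defaults and are an assumption. classify_etcd_value runs offline on a saved value: the aescbc provider stores the string k8s:enc:aescbc:v1:<keyname>: followed by ciphertext, so the prefix is what tells an encrypted Secret from one still stored in plaintext. The sample values are constructed.

```shell
#!/bin/sh
# Added example (not part of the original lab). The kubectl/etcdctl wrappers
# need a cluster; classify_etcd_value and the samples run offline.
set -eu

# kubeadm default etcd client credentials (assumption).
ETCD_CA=/etc/kubernetes/pki/etcd/ca.crt
ETCD_CERT=/etc/kubernetes/pki/etcd/server.crt
ETCD_KEY=/etc/kubernetes/pki/etcd/server.key

# Lab 4: write a fresh Secret so the API server encrypts it on the way in.
create_test_secret() {
    kubectl create secret generic "$1" -n "$2" --from-literal=password=changeme
}

# Lab 5: pull the raw stored value (not the API view) into file $3.
fetch_secret_from_etcd() {
    ETCDCTL_API=3 etcdctl --cacert="$ETCD_CA" --cert="$ETCD_CERT" --key="$ETCD_KEY" \
        get "/registry/secrets/$2/$1" --print-value-only > "$3"
}

# Print "encrypted:aescbc:<keyname>", "encrypted:<provider>" or "plaintext"
# for the raw value in file $1. Only the leading bytes matter; binary bytes
# are dropped before the prefix is inspected.
classify_etcd_value() {
    lead=$(head -c 40 "$1" | tr -cd 'A-Za-z0-9:._-')
    case "$lead" in
        k8s:enc:aescbc:v1:*)
            name=${lead#k8s:enc:aescbc:v1:}
            echo "encrypted:aescbc:${name%%:*}" ;;
        k8s:enc:*)
            prov=${lead#k8s:enc:}
            echo "encrypted:${prov%%:*}" ;;
        *)
            echo "plaintext" ;;
    esac
}

# Non-zero exit when a stored value is still readable; useful as a gate
# before removing the identity provider from the configuration.
assert_encrypted() {
    case "$(classify_etcd_value "$1")" in
        encrypted:*) return 0 ;;
        *) echo "WARNING: $1 is stored unencrypted" >&2; return 1 ;;
    esac
}

# Constructed sample values (not captured from a real cluster): the aescbc
# prefix followed by opaque bytes, and a plaintext-style object without it.
write_samples() {
    printf 'k8s:enc:aescbc:v1:key1:\252\037\001\377\200abc' > "$1/encrypted"
    printf 'k8s\001\n\013\nv1\022\006Secret\022' > "$1/plaintext"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in encrypted plaintext; do
        printf '%s -> %s\n' "$f" "$(classify_etcd_value "$d/$f")"
    done
}
demo
```

On a real node the sequence is create_test_secret, fetch_secret_from_etcd into a file, then assert_encrypted on that file; a "plaintext" result after the apiserver restart means the flag or the mount did not take effect.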


🔹 Lab 6: Clean Up


✅ Wrap-Up

  • ✅ Generated an encryption key and configuration

  • ✅ Modified the kube-apiserver to enable encryption

  • ✅ Verified secrets are encrypted at rest in etcd

  • ✅ Improved cluster security by protecting sensitive data

