Configuration

Configure Kubernetes

Note

Kubernetes documentation on setting up encryption can be found here

Create an encryption configuration for the Kubernetes API server.

./encryption-configuration.yaml

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider in the list is the one used to encrypt new writes
      - kms:
          apiVersion: v2
          name: vault-kms-provider
          endpoint: unix:///mnt/vault-kms-provider.sock
          timeout: 3s
      # identity (plaintext) is listed last so Secrets written before this
      # configuration existed can still be read until they are rewritten
      - identity: {}

Point the API server at your encryption configuration.

/etc/kubernetes/manifests/kube-apiserver.yaml

# add these arguments to your Kubernetes API server configuration
spec:
  containers:
    - command:
        - kube-apiserver
        # Point to your encryption file. The path must be visible inside the
        # kube-apiserver container (for a static pod, mount it with a hostPath volume).
        # Do not quote the value here: in a YAML list item the quotes would be
        # passed to kube-apiserver as part of the path.
        - --encryption-provider-config=/path/to/your/encryption-configuration.yaml

This is done differently in some Kubernetes distributions; if yours differs, consult its documentation for how to point the API server at your configuration file.
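One way to confirm the configuration took effect, as an added example that is not part of the vault-kms-provider project or of the Kubernetes documentation: kube-apiserver stores a resource encrypted by a KMS v2 provider in etcd with the prefix k8s:enc:kms:v2:<provider name>: in front of the ciphertext, so reading the raw etcd value of a freshly created Secret shows whether it went through the provider. The etcdctl certificate paths and the /registry/secrets key layout are assumptions based on a kubeadm-style control plane; adjust them for your distribution. Secrets written before the configuration was enabled stay as they were until they are rewritten, which the last function does for every namespace.

```shell
#!/bin/sh
# Added example (not part of the vault-kms-provider project): check that
# Secrets are stored in etcd through the KMS v2 provider. The etcd paths are
# assumptions for a kubeadm-style control plane.

# Must match .resources[].providers[].kms.name in encryption-configuration.yaml
KMS_PROVIDER_NAME="${KMS_PROVIDER_NAME:-vault-kms-provider}"

# Pure check: kube-apiserver prefixes values written through a KMS v2 provider
# with "k8s:enc:kms:v2:<name>:". Anything else (plaintext JSON, another
# provider's prefix, a KMS v1 prefix) means this provider did not wrap it.
is_kms_encrypted() {
    case "$1" in
        "k8s:enc:kms:v2:${KMS_PROVIDER_NAME}:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the first bytes of the raw etcd value for one Secret. Runs on a control
# plane node; certificate locations are assumptions for a kubeadm cluster.
fetch_raw_secret_head() {
    ns="$1"; name="$2"
    ETCDCTL_API=3 etcdctl \
        --cacert=/etc/kubernetes/pki/etcd/ca.crt \
        --cert=/etc/kubernetes/pki/etcd/server.crt \
        --key=/etc/kubernetes/pki/etcd/server.key \
        get "/registry/secrets/${ns}/${name}" --print-value-only \
        | head -c 64 | tr -cd '[:print:]'
}

# Create a throwaway Secret, inspect how it landed in etcd, and clean it up.
verify_secret_encryption() {
    ns="${1:-default}"; name="kms-check-$$"
    kubectl -n "$ns" create secret generic "$name" --from-literal=probe=1 >/dev/null
    head="$(fetch_raw_secret_head "$ns" "$name")"
    kubectl -n "$ns" delete secret "$name" >/dev/null
    if is_kms_encrypted "$head"; then
        echo "OK: $ns/$name stored via KMS provider '$KMS_PROVIDER_NAME'"
    else
        echo "FAIL: $ns/$name not wrapped by '$KMS_PROVIDER_NAME' (etcd value starts: $head)" >&2
        return 1
    fi
}

# Secrets created before the provider was configured remain as they were.
# Rewriting every Secret in place makes kube-apiserver re-encrypt them with
# the first provider in the list (here: the KMS provider).
reencrypt_all_secrets() {
    kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# Usage: ./verify-kms.sh verify [namespace]
if [ "${1:-}" = "verify" ]; then verify_secret_encryption "${2:-default}"; fi
```

Run it on a control-plane node after the API server has restarted with the new flag; a FAIL whose printed bytes look like JSON means the write went to the identity provider, which usually points at a wrong endpoint path or a configuration file that was not picked up.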

Provider

Helm values

Note

You can refer to the Helm chart's values.yaml for the full list of configurable values.

When deploying via Helm, make sure vault.address points at your Vault server.

helm install vault-kms-provider <chart> --set "vault.address=https://vault.default.svc.cluster.local:8200"

Depending on the authentication method you use, you may want to disable creation of the service account.

helm install vault-kms-provider <chart> --set "serviceAccount.create=false"

Environment variables

Below are all the environment variables, with their defaults, used to configure the KMS provider.

# URL of the Vault service
VAULT_ADDRESS = "https://vault.vault.svc.cluster.local:8200"

# Path to the Unix socket used for communication with the Kubernetes API server
SOCKET_PATH = "./sockets/vault-kms-provider.sock"

# The level of permissions granted to the socket, choices are:
#   - any: equivalent to mode 666
#   - user: equivalent to mode 600
#   - group: equivalent to mode 660
SOCKET_PERMISSIONS = "any"

# The name of the key in the Vault transit secrets engine that protects the Kubernetes encryption keys
VAULT_TRANSIT_KEY = "vault-kms-provider"

# Used for authenticating with Vault; set only if token authentication is desired.
VAULT_TOKEN = ""

# The address the health check endpoint listens on
HEALTH_ENDPOINT = "0.0.0.0:8080"
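The socket is the only boundary between kube-apiserver and the provider: the KMS gRPC API carries no authentication of its own, so any local process that can open the socket can submit encrypt and decrypt requests to it. The following added script (not part of the vault-kms-provider project) translates a SOCKET_PERMISSIONS value into the octal mode from the list above and compares it with the mode actually on disk, so that you can confirm on a node that the socket is no wider than intended. It assumes GNU stat (Linux), with a BSD stat fallback.

```shell
#!/bin/sh
# Added example (not part of the vault-kms-provider project): check that the
# provider's Unix socket on a node is no more permissive than the configured
# SOCKET_PERMISSIONS value allows.

# Map the SOCKET_PERMISSIONS choices documented above to their octal modes.
expected_socket_mode() {
    case "$1" in
        any)   echo 666 ;;
        user)  echo 600 ;;
        group) echo 660 ;;
        *)     echo "unknown SOCKET_PERMISSIONS value: $1" >&2; return 1 ;;
    esac
}

# Return 0 when the actual mode grants no permission bit that the expected
# mode does not. Both are three-digit octal strings, compared digit by digit.
mode_within() {
    actual="$1"; expected="$2"
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$actual" | cut -c "$i")
        e=$(printf '%s' "$expected" | cut -c "$i")
        # any bit set in the actual digit but not in the expected one is too wide
        if [ $(( a & ~e & 7 )) -ne 0 ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Inspect a real socket path, e.g. the one mounted into kube-apiserver.
# Second argument defaults to $SOCKET_PERMISSIONS, then to the provider's
# default of "any".
check_socket() {
    path="$1"; setting="${2:-${SOCKET_PERMISSIONS:-any}}"
    expected="$(expected_socket_mode "$setting")" || return 1
    actual="$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")" || return 1
    [ -S "$path" ] || echo "WARN: $path is not a socket" >&2
    if mode_within "$actual" "$expected"; then
        echo "OK: $path mode $actual (SOCKET_PERMISSIONS=$setting allows $expected)"
    else
        echo "FAIL: $path mode $actual is wider than $expected (SOCKET_PERMISSIONS=$setting)" >&2
        return 1
    fi
}

# Usage: ./check-socket.sh check [socket path] [any|user|group]
if [ "${1:-}" = "check" ]; then check_socket "${2:-/mnt/vault-kms-provider.sock}" "${3:-}"; fi
```

Run it on the node with the path the API server actually connects to (the endpoint from the encryption configuration, not the provider's own SOCKET_PATH, if the two differ because of a volume mount).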

Set up Vault

Encryption

Enable the transit secrets engine in Vault, which will encrypt and decrypt data on behalf of Kubernetes.

vault secrets enable transit

Create a policy granting the KMS provider permission to encrypt and decrypt data.

./transit.hcl

path "/transit/decrypt/vault-kms-provider" {
  capabilities = ["update", "create"]
}
path "/transit/encrypt/vault-kms-provider" {
  capabilities = ["update", "create"]
}
path "/transit/keys/vault-kms-provider" {
  capabilities = ["read"]
}

Add the policy to Vault.

vault policy write vault-kms-provider transit.hcl

Authentication

Enable the Kubernetes auth method.

vault auth enable kubernetes

Set the URL of the Kubernetes API server.

vault write auth/kubernetes/config kubernetes_host="https://kubernetes.default.svc/"

Create a role for the KMS provider's service account so that it can authenticate with Vault.

vault write auth/kubernetes/role/vault-kms-provider \
    bound_service_account_names=vault-kms-provider \
    bound_service_account_namespaces=default \
    audience=vault \
    token_policies=vault-kms-provider \
    ttl=1h

With Vault configured, you should be able to deploy the vault-kms-provider to Kubernetes without error.
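The Vault-side steps above collected into one script, with a round trip through the transit key at the end, as an added example that is not part of the vault-kms-provider project. The round trip runs under a token that carries only the vault-kms-provider policy, so it exercises the same permissions the provider will have once it logs in through the Kubernetes auth method: encrypt and decrypt must succeed (the "create" capability on the encrypt path is what lets the first encrypt create the key), and exporting the key material must be denied. An operator VAULT_ADDR and VAULT_TOKEN in the environment, the namespace default, and the role and policy names are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added example (not part of the vault-kms-provider project): run the Vault
# setup above end to end and verify it with the least-privileged token the
# provider will receive. Needs an operator VAULT_ADDR/VAULT_TOKEN in the env.
set -u

KEY_NAME="${VAULT_TRANSIT_KEY:-vault-kms-provider}"
ROLE_NAME="vault-kms-provider"
SA_NAMESPACE="${SA_NAMESPACE:-default}"                 # assumption: provider namespace
K8S_HOST="${K8S_HOST:-https://kubernetes.default.svc/}"

# The policy from transit.hcl above, generated for the configured key name.
transit_policy() {
    cat <<EOF
path "/transit/decrypt/${KEY_NAME}" {
  capabilities = ["update", "create"]
}
path "/transit/encrypt/${KEY_NAME}" {
  capabilities = ["update", "create"]
}
path "/transit/keys/${KEY_NAME}" {
  capabilities = ["read"]
}
EOF
}

# Transit ciphertext is prefixed with "vault:v<key version>:".
ciphertext_looks_valid() {
    case "$1" in
        vault:v[0-9]*:*) return 0 ;;
        *) return 1 ;;
    esac
}

setup_vault() {
    vault secrets enable transit 2>/dev/null || true    # already enabled is fine
    transit_policy | vault policy write "$ROLE_NAME" -
    vault auth enable kubernetes 2>/dev/null || true
    vault write auth/kubernetes/config kubernetes_host="$K8S_HOST"
    vault write "auth/kubernetes/role/${ROLE_NAME}" \
        bound_service_account_names="$ROLE_NAME" \
        bound_service_account_namespaces="$SA_NAMESPACE" \
        audience=vault \
        token_policies="$ROLE_NAME" \
        ttl=1h
}

# Issue a short-lived token carrying only the provider's policy and check what
# it can and cannot do. The Kubernetes login itself cannot be exercised from
# outside the cluster, but the policy attached to the role is the one used here.
smoke_test() {
    child="$(vault token create -policy="$ROLE_NAME" -ttl=10m -field=token)"
    plaintext="$(printf 'kms-smoke-test' | base64)"
    ct="$(VAULT_TOKEN="$child" vault write -field=ciphertext \
            "transit/encrypt/${KEY_NAME}" plaintext="$plaintext")"
    ciphertext_looks_valid "$ct" || { echo "FAIL: unexpected ciphertext: $ct" >&2; return 1; }
    back="$(VAULT_TOKEN="$child" vault write -field=plaintext \
            "transit/decrypt/${KEY_NAME}" ciphertext="$ct" | base64 -d)"
    [ "$back" = "kms-smoke-test" ] || { echo "FAIL: decrypt mismatch" >&2; return 1; }
    # Least privilege: the provider's policy must not allow exporting key material.
    caps="$(VAULT_TOKEN="$child" vault token capabilities "transit/export/encryption-key/${KEY_NAME}")"
    [ "$caps" = "deny" ] || { echo "FAIL: provider token can export the key ($caps)" >&2; return 1; }
    echo "OK: encrypt/decrypt round trip succeeded and key export is denied"
}

# Usage: ./setup-vault.sh setup
if [ "${1:-}" = "setup" ]; then setup_vault && smoke_test; fi
```

If the round trip fails with a permission error on encrypt, compare the policy name attached to the role (token_policies) with the name the policy was written under; the two must match exactly.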