Configuration
Configure Kubernetes
Note
Kubernetes documentation on setting up encryption can be found here
Create an encryption configuration for the Kubernetes api server
./encryption-configuration.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- kms:
apiVersion: v2
name: vault-kms-provider
endpoint: unix:///mnt/vault-kms-provider.sock
timeout: 3s
- identity: {}
Point the api server to your encryption configuration
/etc/kubernetes/manifests/kube-apiserver.yaml
# add these commands to your Kubernetes api server configuration
spec:
containers:
- command:
- kube-apiserver
# Point to your encryption file
- --encryption-provider-config="/path/to/your/encryption-configuration.yaml"
This is done in differently in some flavors of kubernetes, if yours is different, consult the documentation of your Kubernetes distro for instructions on how to point Kubernetes to your configuration file.
Provider
Helm values
Note
You can reference the helm values.yaml for a full list of configurations
When deploying via helm, it is important to ensure that the vault.address
is set correctly.
helm install vault-kms-provider --set "vault.address=https://vault.default.svc.cluster.local:8200"
Depending on the type of authentication you require you may want to disable the service account.
helm install vault-kms-provider --set "serviceAccount.create=false"
Environment variables
Below are all the environment variables and their defaults for configuration of the KMS provider
# Url of the vault service
VAULT_ADDRESS = "https://vault.vault.svc.cluster.local:8200"
# Path to the socket used for communication with the Kubernetes API server
SOCKET_PATH = "./sockets/vault-kms-provider.sock"
# The level of permissions granted to the socket, choices are:
# - any: equivalent to 666
# - user: equivalent to 600
# - group: equivalent to 660
SOCKET_PERMISSIONS = "any"
# The string identifier used to store the encryption keys in the vault transit gateway
VAULT_TRANSIT_KEY = "vault-kms-provider"
# Used for authenticating with vault, only use if token authentication is desired.
VAULT_TOKEN = ""
# The endpoint that the health checks will listen on
HEALTH_ENDPOINT = "0.0.0.0:8080"
Set up Vault
Encryption
Enable the transit gateway in Vault for encryption/decryption of data for Kubernetes.
vault secrets enable transit
Create a policy granting the permissions to the KMS provider to encrypt/decrypt data.
./transit.hcl
path "/transit/decrypt/vault-kms-provider" {
capabilities = ["update", "create"]
}
path "/transit/encrypt/vault-kms-provider" {
capabilities = ["update", "create"]
}
path "/transit/keys/vault-kms-provider" {
capabilities = ["read"]
}
Add the policy to vault
vault policy write vault-kms-provider transit.hcl
Authentication
Enable authentication via kubernetes
vault auth enable kubernetes
Set the host URL to the kubernetes API
vault write auth/kubernetes/config kubernetes_host="https://kubernetes.default.svc/"
Create a role for the KMS provider's service account so that it can authenticate with vault.
vault write auth/kubernetes/role/vault-kms-provider \
bound_service_account_names=vault-kms-provider \
bound_service_account_namespaces=default \
audience=vault \
token_policies=vault-kms-provider \
ttl=1h
With vault configured you should be able to deploy the vault-kms-provider to kubernetes without error.