Encrypting secrets in Yandex Managed Service for Kubernetes
Use Yandex Key Management Service keys to encrypt secrets, i.e., confidential information, such as passwords, OAuth tokens, and SSH keys, in Yandex Managed Service for Kubernetes. To do this, specify a Key Management Service key when creating a Managed Service for Kubernetes cluster. This key will be used for encryption and decryption.
Make sure you specify the encryption key when creating a Managed Service for Kubernetes cluster, as you cannot add it when updating the cluster.
Specify a key when creating a Managed Service for Kubernetes cluster:
- In the management console, select the folder where you want to create a Managed Service for Kubernetes cluster.
- In the list of services, select Managed Service for Kubernetes.
- Click Create cluster.
- In the Encryption key field, enter the required key or create a new one.
- Enter all the other parameters to create your cluster.
- Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
You can specify a key when creating a Managed Service for Kubernetes cluster in two ways:
-
Using the key ID:
yc managed-kubernetes cluster create \ ... --kms-key-id <key_ID> \ ... -
Using the key name:
yc managed-kubernetes cluster create \ ... --kms-key-name <key_name> \ ...
Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform website or the mirror.
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Specify a key when creating a Managed Service for Kubernetes cluster:
-
Add a section named
kms_providerto the Managed Service for Kubernetes cluster description:resource "yandex_kubernetes_cluster" "<cluster_name>" { ... kms_provider { key_id = "<key_ID>" } } -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out. This is a test step; no resources will be created.
-
-
Create a Managed Service for Kubernetes cluster.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm that you want to create the resources.
After this, all required resources will be created in the specified folder and the IP addresses of the VMs will be displayed in the terminal. You can check the new resources and their configuration using the management console.
-
Specify the encryption key when creating a Managed Service for Kubernetes cluster. To do this, use the create REST API method for the Cluster resource or the ClusterService/Create gRPC API call.
Provide the key ID in the relevant kmsProvider field parameter.
Managed Service for Kubernetes works with Key Management Service using the Key Management Service provider mechanism. Managed Service for Kubernetes supports the Key Management Service plugin which is used to encrypt and decrypt data encryption keys (DEK) in Key Management Service. Secrets are encrypted using standard Kubernetes tools.