Encrypting secrets in Yandex Managed Service for Kubernetes
Use Yandex Key Management Service keys to encrypt secrets, i.e., confidential information, such as passwords, OAuth tokens, and SSH keys, in Yandex Managed Service for Kubernetes. To do this, specify a Key Management Service key when creating a Managed Service for Kubernetes cluster. This key will be used for encryption and decryption.
Make sure you specify the encryption key when creating a Managed Service for Kubernetes cluster, as you cannot add it when updating the cluster.
Required paid resources
The cost of support for the described solution includes a Key Management Service fee: number of active key versions (with Active or Scheduled For Destruction for status) and completed cryptographic operations (see Key Management Service pricing).
Specify a key when creating a Managed Service for Kubernetes cluster:
- In the management console, select the folder where you want to create a Managed Service for Kubernetes cluster.
- In the list of services, select Managed Service for Kubernetes.
- Click Create cluster.
- In the Encryption key field, enter the required key or create a new one.
- Enter all the other parameters to create your cluster.
- Click Create.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
You can specify a key when creating a Managed Service for Kubernetes cluster in two ways:
-
Using the key ID:
yc managed-kubernetes cluster create \ ... --kms-key-id <key_ID> \ ... -
Using the key name:
yc managed-kubernetes cluster create \ ... --kms-key-name <key_name> \ ...
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the documentation on the Terraform website or mirror website.
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
Specify a key when creating a Managed Service for Kubernetes cluster:
-
Add a section named
kms_providerto the Managed Service for Kubernetes cluster description:resource "yandex_kubernetes_cluster" "<cluster_name>" { ... kms_provider { key_id = "<key_ID>" } } -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out. This is a test step; no resources will be created.
-
-
Create a Managed Service for Kubernetes cluster.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm that you want to create the resources.
After this, all required resources will be created in the specified folder and the IP addresses of the VMs will be displayed in the terminal. You can check the new resources and their configuration using the management console.
-
Specify the encryption key when creating a Managed Service for Kubernetes cluster. To do this, use the create REST API method for the Cluster resource or the ClusterService/Create gRPC API call.
Provide the key ID in the relevant kmsProvider field parameter.
Managed Service for Kubernetes works with Key Management Service using the Key Management Service provider mechanism. Managed Service for Kubernetes supports the Key Management Service plugin which is used to encrypt and decrypt data encryption keys (DEK) in Key Management Service. Secrets are encrypted using standard Kubernetes tools.