Kubernetes Secret Data Encryption at Rest - v1.25 - KMS v2 alpha1 AWS KMS

Views: 1,938

Learn with GVR


A day ago

Chapters:
00:00 Introduction
00:14 Encryption, Decryption Symmetric Encryption
02:15 Envelope Encryption AWS KMS
05:17 KMS Decryption
06:19 Kubernetes Secrets API call - default nature
12:07 Encrypt Secret data at Rest
12:30 Kubernetes EncryptionConfiguration
14:53 Kubernetes EncryptionConfiguration Providers
15:47 Kubernetes KMS Provider Encryption Architecture
19:22 How to use KMS Provider
20:56 KMS v1 - KMS v2 (alpha1)
21:58 Demo - Encrypt Secret data at Rest using EncryptionConfiguration
YAML files
github.com/ramanagali/yaml
K8s Cluster
github.com/ramanagali/k8s-clu...
Documentation:
kubernetes.io/docs/tasks/admi...
kubernetes.io/docs/tasks/admi...
kubernetes.io/blog/2022/09/09...
CKS playlist: • Certified Kubernetes S...
Vault playlist: • Hashicorp Vault Associate
Connect with me on Slack: join.slack.com/t/learnwithgvr...
#cks #kubenetes #kubernetessecurity #vault #k8s #learnwithgvr #aws #awscommunity

Comments: 16
@jackg1067 (a year ago)
Thanks for the useful video. Can I know how to use the same method for AWS EKS, where we don't have access to the API server and etcd?
@learnwithgvr (a year ago)
Good question... For such AWS EKS managed services we have to use AWS-provided architectures to use AWS secret managers using IAM & secret store CSI or so (pls have a look at my video on CSI inline volumes). There is another simple way also: you can access secrets from EKS cluster pods using IAM roles.
@aniketyadav1622 (a year ago)
I just updated the "kube-apiserver.yaml" just like you told in the video. How much downtime is estimated for the nodes to be back?
@learnwithgvr (a year ago)
2 to 5 minutes max (if all good with configuration)
@marius-mihailionte339 (a year ago)
Hope I understood it wrong, but during the KMS Decryption section you mentioned that a user uses the KMS CMK to generate another plaintext DEK to decrypt cipher text data. Based on my knowledge, the encrypted DEK stored with the cipher text is sent to KMS to be decrypted and then used in the decryption process.
@learnwithgvr (a year ago)
Yes, you are correct... During decryption, encryption DEK will be sent to KMS to generate plain text DEK. Thanks
@devathanagapuneeth7269 (a year ago)
Slack link in the description is not working. Could you provide the new link?
@learnwithgvr (a year ago)
Pls use the new link I just updated in the description
@SaravanaKumar-km2lb (a year ago)
Is it possible to integrate Vault here?? Is that recommended??
@learnwithgvr (a year ago)
To achieve this you need a Vault KMS provider for Kubernetes... I can see a few, i.e. by Oracle & Ondat:
github.com/oracle/kubernetes-vault-kms-plugin
www.ondat.io/webinars/secure-all-your-k8s-secrets-with-a-kms-provider-plugin-and-hashicorp-vault
Sorry, I don't have much more information on this. However, once KMS v2 goes GA there will be many providers for sure
@SaravanaKumar-km2lb (a year ago)
@learnwithgvr thanks for your reply sir ♥️
@nithinjohn135 (a year ago)
Could you do a video on external secret operator syncing with k8s?
@learnwithgvr (a year ago)
Good topic. Sure will try
@nithinjohn135 (a year ago)
@learnwithgvr AWS SSM and Vault also we can use for that, I guess
@nithinjohn135 (a year ago)
@learnwithgvr could you please do a video? There are only a few videos out there for this