Etcd encryption in OpenShift Container Platform is a crucial feature for protecting sensitive data stored in the cluster. In this article, we will explore the supported encryption types, the benefits of etcd encryption, and a step-by-step guide to enable it properly.
Supported Encryption Types
OpenShift supports two encryption methods for etcd data:
AES-CBC
- Uses AES-CBC with PKCS#7 padding and a 32-byte key.
- Encryption keys are rotated weekly.
AES-GCM
- Uses AES-GCM with a random nonce and a 32-byte key.
- Encryption keys are rotated weekly.
About Etcd Encryption
By default, etcd data in OpenShift is not encrypted. Enabling etcd encryption adds an extra layer of security, so that sensitive data is not exposed if an etcd backup is leaked.
Resources Affected by Etcd Encryption:
- Secrets
- ConfigMaps
- Routes
- OAuth Access Tokens
- OAuth Authorization Tokens
Note that the encryption keys are required to restore from an etcd backup, so they must be kept together with the backup.
How to Enable Etcd Encryption
Important: Do not back up etcd until the encryption process is fully completed.
Impact of Enabling Etcd Encryption:
- Increased memory consumption for some resources.
- Temporary performance impact on backups.
- Higher disk I/O usage on the node handling the backup state.
Step-by-Step Guide to Enable Etcd Encryption
1. Edit the APIServer Object
Run the following command:
oc edit apiserver
2. Define the Encryption Type (AES-GCM or AES-CBC)
Modify the configuration as follows:
spec:
  encryption:
    type: aesgcm # or 'aescbc'
- To use AES-GCM, set type: aesgcm.
- To use AES-CBC, set type: aescbc.
Save and apply the changes. The encryption process may take more than 20 minutes, depending on the size of the etcd database.
Verifying If Encryption Was Applied
To confirm that encryption has been successfully enabled, run the following commands:
Check the OpenShift API Server Status
oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
Check the OpenShift OAuth API Server Status
oc get authentication.operator.openshift.io -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
If the output shows EncryptionInProgress, the process is still ongoing. Wait a few minutes and check again.
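The procedure above as a non-interactive script, added here as an example and not part of the original article: it patches the APIServer object instead of opening it in `oc edit`, then polls the Encrypted condition on both API servers until it reads EncryptionCompleted. It assumes `oc` is on PATH and logged in with cluster-admin rights, and that the APIServer object is the cluster-scoped one named `cluster`; the function names, the environment variables and the one-hour timeout are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): enable etcd encryption
# non-interactively and wait until both API servers report EncryptionCompleted.
# Assumes `oc` is on PATH and logged in with cluster-admin rights; the APIServer
# object is the cluster-scoped singleton named "cluster".
set -eu

# Build the merge patch for spec.encryption.type, refusing anything other than
# the two supported values so a typo is caught before it reaches the API.
encryption_patch() {
  case "$1" in
    aesgcm|aescbc) printf '{"spec":{"encryption":{"type":"%s"}}}' "$1" ;;
    *) echo "unsupported encryption type: $1 (use aesgcm or aescbc)" >&2; return 1 ;;
  esac
}

# Map the reason of the Encrypted condition to a short state word.
classify_reason() {
  case "$1" in
    EncryptionCompleted)  echo done ;;
    EncryptionInProgress) echo in-progress ;;
    *)                    echo unknown ;;
  esac
}

# Reason of the Encrypted condition on the first item of a resource type
# (openshiftapiserver or authentication.operator.openshift.io).
encrypted_reason() {
  oc get "$1" -o=jsonpath='{.items[0].status.conditions[?(@.type=="Encrypted")].reason}'
}

# Equivalent of the `oc edit apiserver` step, applied as a merge patch.
enable_etcd_encryption() {
  patch=$(encryption_patch "$1")
  oc patch apiserver cluster --type=merge -p "$patch"
}

# Poll until every listed resource reports EncryptionCompleted. The article
# warns the run can exceed 20 minutes, so allow an hour before giving up.
wait_for_encryption() {
  deadline=$(( $(date +%s) + 3600 ))
  for res in openshiftapiserver authentication.operator.openshift.io; do
    while :; do
      state=$(classify_reason "$(encrypted_reason "$res")")
      echo "$res: $state"
      [ "$state" = done ] && break
      [ "$(date +%s)" -lt "$deadline" ] || { echo "timed out waiting for $res" >&2; return 1; }
      sleep 30
    done
  done
}

# Only touch a cluster when explicitly asked, e.g.
#   ETCD_ENCRYPTION_RUN=1 ETCD_ENCRYPTION_TYPE=aesgcm sh enable-etcd-encryption.sh
if [ "${ETCD_ENCRYPTION_RUN:-0}" = 1 ]; then
  enable_etcd_encryption "${ETCD_ENCRYPTION_TYPE:-aesgcm}"
  wait_for_encryption
fi
```

The ETCD_ENCRYPTION_RUN guard keeps the helper functions loadable (for example with `. ./enable-etcd-encryption.sh`) without touching a cluster, and the patch builder rejects anything other than aesgcm or aescbc before it is sent to the API server.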
For more details, refer to the official documentation:
Encrypting etcd in OpenShift
Who Am I?
I am Gabriel Carmo, passionate about technology (especially Open Source). I have experience in Cloud, Kubernetes, OpenShift, Zabbix, Dynatrace, and more! Always exploring new technologies and sharing knowledge.
Let's Connect!
LinkedIn
GitHub
GitLab
Credly
Contact: contato@gabrielandre.com.br
