
Commit 46fb5e8

Update use-kms-etcd-encryption.md
1 parent 4d03b56 commit 46fb5e8

1 file changed: +3 −2 lines changed

articles/aks/use-kms-etcd-encryption.md

Lines changed: 3 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Learn how to use Key Management Service (KMS) etcd encryption with
44
ms.topic: article
55
ms.subservice: aks-security
66
ms.custom: devx-track-azurecli
7-
ms.date: 05/24/2024
7+
ms.date: 06/19/2024
88
---
99

1010
# Add Key Management Service etcd encryption to an Azure Kubernetes Service cluster
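Review bot: this front-matter hunk only bumps `ms.date` from 05/24/2024 to 06/19/2024, which is the expected bookkeeping for a content change in the same commit; nothing else to flag here.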
@@ -36,7 +36,7 @@ The following limitations apply when you integrate KMS etcd encryption with AKS:
3636

3737
* Deleting the key, the key vault, or the associated identity isn't supported.
3838
* KMS etcd encryption doesn't work with system-assigned managed identity. The key vault access policy must be set before the feature is turned on. System-assigned managed identity isn't available until after the cluster is created. Consider the cycle dependency.
39-
* Azure Key Vault with a firewall to allow public access isn't supported because it blocks traffic from the KMS plugin to the key vault.
39+
* Azure Key Vault with a firewall setting "allow public access from specific virtual networks and IP addresses" or "disable public access" isn't supported because it blocks traffic from the KMS plugin to the key vault.
4040
* The maximum number of secrets that are supported by a cluster that has KMS turned on is 2,000. However, it's important to note that [KMS v2][kms-v2-support] isn't limited by this restriction and can handle a higher number of secrets.
4141
* Bring your own (BYO) Azure key vault from another tenant isn't supported.
4242
* With KMS turned on, you can't change the associated key vault mode (public versus private). To [update a key vault mode][update-a-key-vault-mode], you must first turn off KMS, and then turn it on again.
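Review bot: the reworded bullet now names the two specific Key Vault firewall settings ("allow public access from specific virtual networks and IP addresses" and "disable public access") but gives the reader no link to where those settings are documented, even though this same commit adds an `[azure-keyvault-firewall]` reference definition that nothing in the visible diff uses. Link the phrase here, e.g. `* Azure Key Vault with a [firewall setting][azure-keyvault-firewall] "allow public access from specific virtual networks and IP addresses" or "disable public access" isn't supported ...`, so the new definition is actually exercised and the reader can see which setting blocks the KMS plugin's traffic.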
@@ -445,6 +445,7 @@ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
445445
[az-aks-create]: /cli/azure/aks#az-aks-create
446446
[az-aks-update]: /cli/azure/aks#az_aks_update
447447
[turn-on-kms-for-a-public-key-vault]: #turn-on-kms-for-a-public-key-vault
448+
[azure-keyvault-firewall]:../key-vault/general/how-to-azure-key-vault-network-security.md
448449
[turn-on-kms-for-a-private-key-vault]: #turn-on-kms-for-a-private-key-vault
449450
[update-a-key-vault-mode]: #update-a-key-vault-mode
450451
[api-server-vnet-integration]: api-server-vnet-integration.md
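Review bot: the added definition `[azure-keyvault-firewall]:../key-vault/general/how-to-azure-key-vault-network-security.md` is missing the space after the colon that every neighbouring definition in this block has; add it for consistency with `[az-aks-create]: /cli/azure/aks#az-aks-create` and the others. Also confirm the label is referenced somewhere in the article, since none of the changed lines in this commit use it; an unreferenced definition is easy to leave orphaned.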
