articles/aks/use-kms-etcd-encryption.md
+5 -5 (5 additions & 5 deletions)
@@ -3,7 +3,7 @@ title: Use Key Management Service (KMS) etcd encryption in Azure Kubernetes Serv
3
3
description: Learn how to use the Key Management Service (KMS) etcd encryption with Azure Kubernetes Service (AKS)
4
4
services: container-service
5
5
ms.topic: article
6
-
ms.date: 11/09/2022
6
+
ms.date: 12/17/2022
7
7
---
8
8
9
9
# Add Key Management Service (KMS) etcd encryption to an Azure Kubernetes Service (AKS) cluster
@@ -30,11 +30,11 @@ For more information on using the KMS plugin, see [Encrypting Secret Data at Res
30
30
31
31
The following limitations apply when you integrate KMS etcd encryption with AKS:
32
32
33
-
* Deletion of the key, Key Vault, or the associated identity.
33
+
* Deletion of the key, Key Vault, or the associated identity is not allowed.
34
34
* KMS etcd encryption doesn't work with system-assigned managed identity. The key vault access policy is required to be set before the feature is enabled. In addition, system-assigned managed identity isn't available until cluster creation, thus there's a cycle dependency.
35
-
*Using more than 2000 secrets in a cluster.
36
-
* Bring your own (BYO) Azure Key Vault from another tenant.
37
-
*Change associated Azure Key Vault model (public, private) if KMS is enabled. For [changing associated key vault mode][changing-associated-key-vault-mode], you need to disable and enable KMS again.
35
+
*There is a hard limit that you cannot use more than 2000 secrets in a cluster enabled with KMS.
36
+
* Bring your own (BYO) Azure Key Vault from another tenant is not supported.
37
+
*With KMS enabled, you cannot change associated Azure Key Vault model (public, private). For [changing associated key vault mode][changing-associated-key-vault-mode], you need to disable and enable KMS again.
38
38
* If a cluster is enabled KMS with private key vault and not using `VNet integration` tunnel, then stop/start cluster is not allowed.
39
39
40
40
KMS supports [public key vault][Enable-KMS-with-public-key-vault] and [private key vault][Enable-KMS-with-private-key-vault].
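Review bot: two of the added bullet lines in this hunk are missing the space after the list marker, so Markdown will render them as paragraphs beginning with a literal asterisk rather than as list items; the lines `*There is a hard limit that you cannot use more than 2000 secrets in a cluster enabled with KMS.` and `*With KMS enabled, you cannot change associated Azure Key Vault model (public, private). ...` should start with `* ` like the other items in the list. While here, the same added line says "Key Vault model" but the link text it points to says "key vault mode"; pick one term so the limitation and the linked procedure agree.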