You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/aks/use-kms-etcd-encryption.md
+4-1Lines changed: 4 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,7 +3,7 @@ title: Use Key Management Service (KMS) etcd encryption in Azure Kubernetes Serv
3
3
description: Learn how to use the Key Management Service (KMS) etcd encryption with Azure Kubernetes Service (AKS)
4
4
services: container-service
5
5
ms.topic: article
6
-
ms.date: 12/17/2022
6
+
ms.date: 01/09/2023
7
7
---
8
8
9
9
# Add Key Management Service (KMS) etcd encryption to an Azure Kubernetes Service (AKS) cluster
@@ -32,6 +32,7 @@ The following limitations apply when you integrate KMS etcd encryption with AKS:
32
32
33
33
* Deletion of the key, Key Vault, or the associated identity isn't supported.
34
34
* KMS etcd encryption doesn't work with system-assigned managed identity. The key vault access policy is required to be set before the feature is enabled. In addition, system-assigned managed identity isn't available until cluster creation, thus there's a cycle dependency.
35
+
* Azure Key Vault with Firewall enabled to allow public access isn't supported because it blocks traffic from KMS plugin to the Key Vault.
35
36
* The maximum number of secrets that a cluster enabled with KMS supports is 2,000.
36
37
* Bring your own (BYO) Azure Key Vault from another tenant isn't supported.
37
38
* With KMS enabled, you can't change associated Azure Key Vault model (public, private). To [change associated key vault mode][changing-associated-key-vault-mode], you need to disable and enable KMS again.
@@ -282,6 +283,8 @@ After changing the key ID (including key name and key version), you can use [az
282
283
283
284
> [!WARNING]
284
285
> Remember to update all secrets after key rotation. Otherwise, the secrets will be inaccessible if the old keys are not existing or working.
286
+
>
287
+
> Once you rotate the key, the old key (key1) is still cached and shouldn't be deleted. If you want to delete the old key (key1) immediately, you need to rotate the key twice. Then key2 and key3 are cached, and key1 can be deleted without impacting existing cluster.
285
288
286
289
```azurecli-interactive
287
290
az aks update --name myAKSCluster --resource-group MyResourceGroup --enable-azure-keyvault-kms --azure-keyvault-kms-key-id $NewKEY_ID --azure-keyvault-kms-key-vault-network-access "Private" --azure-keyvault-kms-key-vault-resource-id $KEYVAULT_RESOURCE_ID
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments