articles/aks/use-kms-etcd-encryption.md
Lines changed: 8 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn how to use Key Management Service (KMS) etcd encryption with
4
4
ms.topic: article
5
5
ms.subservice: aks-security
6
6
ms.custom: devx-track-azurecli
7
-
ms.date: 05/13/2024
7
+
ms.date: 05/24/2024
8
8
---
9
9
10
10
# Add Key Management Service etcd encryption to an Azure Kubernetes Service cluster
@@ -24,8 +24,10 @@ For more information on using KMS, see [Using a KMS provider for data encryption
24
24
* Azure CLI version 2.39.0 or later. Run `az --version` to find your version. If you need to install or upgrade, see [Install the Azure CLI][azure-cli-install].
25
25
26
26
> [!WARNING]
27
-
> KMS supports Konnectivity or [API Server VNet Integration (preview)][api-server-vnet-integration].
27
+
> KMS supports Konnectivity or [API Server VNet Integration (preview)][api-server-vnet-integration] for public key vault.
28
28
>
29
+
> KMS only supports [API Server VNet Integration (preview)][api-server-vnet-integration] for private key vault.
30
+
>
29
31
> You can use `kubectl get po -n kube-system` to verify the results and show that a konnectivity-agent pod is running. If a pod is running, the AKS cluster is using Konnectivity. When you use API Server VNet Integration, you can run the `az aks show -g -n` command to verify that the `enableVnetIntegration` setting is set to `true`.
30
32
31
33
## Limitations
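Review bot: the two new warning lines drop the article before the noun: "for public key vault" and "for private key vault" should read "for a public key vault" and "for a private key vault". Because this warning now states a hard constraint (a private key vault works only with API Server VNet Integration), the verification paragraph that follows should say what the reader should conclude when `kubectl get po -n kube-system` shows a konnectivity-agent pod on a cluster that uses a private key vault, or link to the Limitations section where the same rule is restated, so that unsupported combination is not left unexplained.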
@@ -38,7 +40,7 @@ The following limitations apply when you integrate KMS etcd encryption with AKS:
38
40
* The maximum number of secrets that are supported by a cluster that has KMS turned on is 2,000. However, it's important to note that [KMS v2][kms-v2-support] isn't limited by this restriction and can handle a higher number of secrets.
39
41
* Bring your own (BYO) Azure key vault from another tenant isn't supported.
40
42
* With KMS turned on, you can't change the associated key vault mode (public versus private). To [update a key vault mode][update-a-key-vault-mode], you must first turn off KMS, and then turn it on again.
41
-
* If a cluster has KMS turned on, has a private key vault, and isn't using the API Server VNet integration tunnel, you can't stop and then start the cluster.
43
+
* If a cluster has KMS turned on and has a private key vault, it must use the [API Server VNet Integration (preview)][api-server-vnet-integration] tunnel. Konnectivity isn't supported.
42
44
* Using the Virtual Machine Scale Sets API to scale the nodes in the cluster down to zero deallocates the nodes. The cluster then goes down and becomes unrecoverable.
43
45
* After you turn off KMS, you can't destroy the keys. Destroying the keys causes the API server to stop working.
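Review bot: the replaced bullet removes the statement that a cluster with KMS on, a private key vault and no VNet-integration tunnel can't be stopped and then started, and replaces it with a flat "Konnectivity isn't supported". For clusters that already exist in that configuration, the stop/start behaviour they will see is now documented nowhere in this list; either keep a sentence describing what happens to such clusters, or point to how they are moved to the API Server VNet Integration tunnel. The bullet also repeats the warning added in the Prerequisites hunk almost verbatim; a cross-reference would keep the two statements in sync.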
If you turn on KMS for a private key vault, AKS automatically creates a private endpoint and a private link in the node resource group. The key vault is added a private endpoint connection with the AKS cluster.
200
202
203
+
> [!WARNING]
204
+
> KMS only supports [API Server VNet Integration (preview)][api-server-vnet-integration] for private key vault.
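Review bot: this added warning is the same sentence as the one added in the Prerequisites hunk; placed directly after the paragraph about the automatically created private endpoint and private link, it would be more useful to state the consequence for this section's procedure (the cluster must already be using the API Server VNet Integration tunnel when KMS is paired with a private key vault) rather than repeat the generic rule, and "for private key vault" needs the article "a". While editing here, the unchanged context line "The key vault is added a private endpoint connection with the AKS cluster" reads awkwardly; "A private endpoint connection to the AKS cluster is added to the key vault" would be clearer.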