
Commit 216e238

Merge pull request #42846 from my-git9/path-28990
[zh-cn] sync administer-cluster/encrypt-data.md
2 parents 8844553 + bd36071 commit 216e238


1 file changed

+13
-6
lines changed


content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md

Lines changed: 13 additions & 6 deletions
@@ -349,7 +349,7 @@ Kubernetes 静态数据加密的 Provider
349349
</td>
350350
</tr>
351351
<tr>
352-
<th rowspan="2" scope="row"><tt>kms</tt> v1</th>
352+
<th rowspan="2" scope="row"><tt>kms</tt> v1 <em><!--(deprecated since Kubernetes v1.28)-->(自 Kubernetes 1.28 起弃用)</em></th>
353353
<td>
354354
<!-- Uses envelope encryption scheme with DEK per resource. -->
355355
针对每个资源使用不同的 DEK 来完成信封加密。
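Review bot: the zh-cn deprecation note added on the `kms` v1 row (352+) writes the version as "Kubernetes 1.28" while the English comment right beside it says "Kubernetes v1.28" and the rest of this table uses the `v` prefix (e.g. "从 `v1.27` 开始"); suggest "(自 Kubernetes v1.28 起弃用)" so version strings stay consistent across the table. Keeping the English original in an HTML comment next to the translation, as done here, matches the pattern used in the rest of this file.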
@@ -393,15 +393,22 @@ Kubernetes 静态数据加密的 Provider
393393
Data is encrypted by data encryption keys (DEKs) using AES-GCM; DEKs
394394
are encrypted by key encryption keys (KEKs) according to configuration
395395
in Key Management Service (KMS).
396-
A new DEK is generated at API server startup, and is then reused for
397-
encryption. The DEK is rotated whenever the KEK is rotated.
396+
Kubernetes defaults to generating a new DEK at API server startup, which is then
397+
reused for object encryption.
398+
If you enable the <tt>KMSv2KDF</tt>
399+
<a href="/docs/reference/command-line-tools-reference/feature-gates/">feature gate</a>,
400+
Kubernetes instead generates a new DEK per encryption from a secret seed.
401+
Whichever approach you configure, the DEK or seed is also rotated whenever the KEK is rotated.<br/>
398402
A good choice if using a third party tool for key management.
399403
Available in beta from Kubernetes v1.27.
400404
-->
401405
通过数据加密密钥(DEK)使用 AES-GCM 加密数据;
402406
DEK 根据 Key Management Service(KMS)中的配置通过密钥加密密钥(Key Encryption Keys,KEK)加密。
403-
API 服务器启动时会生成一个新的 DEK,并重复使用它进行加密。
404-
每当轮换 KEK 时,DEK 也会轮换。
407+
Kubernetes 默认在 API 服务器启动时生成一个新的 DEK,
408+
然后重复使用该密钥进行资源加密。然而,如果你使用 KMS v2 并且启用了 `KMSv2KDF`
409+
[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/),
410+
则 Kubernetes 将转为基于秘密的种子数为每次加密生成一个新的 DEK。
411+
无论你配置哪种方法,每当 KEK 轮换时,DEK 或种子也会轮换。
405412
如果使用第三方工具进行密钥管理,会是一个不错的选择。
406413
从 `v1.27` 开始,该功能处于 Beta 阶段。
407414
<br />
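Review bot: the translated sentence at 408+ adds "然而,如果你使用 KMS v2 并且启用了", but the English comment it mirrors (398+/399+) says only "If you enable the <tt>KMSv2KDF</tt> feature gate"; the "however" and the "if you use KMS v2" condition are not in the source, so suggest "如果你启用了 `KMSv2KDF` [特性门控](...)," to keep the translation aligned with the English text above it. Two smaller points: "基于秘密的种子数" (410+) reads as "secret seed number", and "基于一个秘密种子" is closer to "from a secret seed"; and the zh-cn link is written in Markdown while the English line in the same cell (399+) uses `<a href=...>`, so it is worth matching whichever link form the rest of this HTML table uses.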
@@ -481,7 +488,7 @@ Create a new encryption config file:
481488
<!--
482489
# See the following text for more details about the secret value
483490
# this fallback allows reading unencrypted secrets;
484-
# for example, during initial migratoin
491+
# for example, during initial migration
485492
-->
486493
```yaml
487494
---
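Review bot: the "migratoin" to "migration" fix at 491+ is correct; it lands in the hidden English `<!-- -->` block directly above the ```yaml fence, so the visible zh-cn comment inside the YAML sample (outside this hunk) should be double-checked to confirm it already reads correctly, since only the English copy changes here.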
