Commit 6089916

Merge pull request #44801 from sftim/20240118_revise_encryption_at_rest
Revise introduction to encryption at rest page
2 parents cb2f55e + dd7e396 commit 6089916

1 file changed

+19
-4
lines changed

content/en/docs/tasks/administer-cluster/encrypt-data.md

Lines changed: 19 additions & 4 deletions
@@ -50,12 +50,27 @@ to either:
5050

5151
<!-- steps -->
5252

53-
## Configuration and determining whether encryption at rest is already enabled
53+
## Determine whether encryption at rest is already enabled {#determining-whether-encryption-at-rest-is-already-enabled}
54+
55+
By default, the API server stores plain-text representations of resources into etcd, with
56+
no at-rest encryption.
5457

5558
The `kube-apiserver` process accepts an argument `--encryption-provider-config`
56-
that controls how API data is encrypted in etcd.
57-
The configuration is provided as an API named
58-
[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). An example configuration is provided below.
59+
that specifies a path to a configuration file. The contents of that file, if you specify one,
60+
control how Kubernetes API data is encrypted in etcd.
61+
If you are running the kube-apiserver without the `--encryption-provider-config` command line
62+
argument, you do not have encryption at rest enabled. If you are running the kube-apiserver
63+
with the `--encryption-provider-config` command line argument, and the file that it references
64+
specifies the `identity` provider as the first encryption provider in the list, then you
65+
do not have at-rest encryption enabled
66+
(**the default `identity` provider does not provide any confidentiality protection.**)
67+
68+
If you are running the kube-apiserver
69+
with the `--encryption-provider-config` command line argument, and the file that it references
70+
specifies a provider other than `identity` as the first encryption provider in the list, then
71+
you already have at-rest encryption enabled. However, that check does not tell you whether
72+
a previous migration to encrypted storage has succeeded. If you are not sure, see
73+
[ensure all relevant data are encrypted](#ensure-all-secrets-are-encrypted).
5974

6075
{{< caution >}}
6176
**IMPORTANT:** For high-availability configurations (with two or more control plane nodes), the
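Review bot: the rewritten paragraph (new lines 58-60) drops both the link to the `EncryptionConfiguration` API reference (`/docs/reference/config-api/apiserver-encryption.v1/`) and the "An example configuration is provided below" pointer that the removed lines 57-58 carried, yet the new text asks readers to inspect "the first encryption provider in the list" in that file without saying what format the file has. Suggest keeping a sentence after "control how Kubernetes API data is encrypted in etcd.", for example: "That file uses the [`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/) API; an example configuration is provided below." Minor style point on new lines 65-66: the sentence ends inside the bold parenthetical ("...enabled (**the default `identity` provider does not provide any confidentiality protection.**)"), so the full stop should move outside the closing parenthesis.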
