
Commit 85910ff

Merge pull request #41197 from sftim/20230517_document_encryption_at_rest_reload
Split out advice about config reloads for encryption at rest
2 parents 5d2b45b + 49d0568 commit 85910ff

File tree

1 file changed

+14
-1
lines changed

content/en/docs/tasks/administer-cluster/encrypt-data.md

Lines changed: 14 additions & 1 deletion
@@ -34,7 +34,7 @@ This page shows how to enable and configure encryption of secret data at rest.
3434
The `kube-apiserver` process accepts an argument `--encryption-provider-config`
3535
that controls how API data is encrypted in etcd.
3636
The configuration is provided as an API named
37-
[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). `--encryption-provider-config-automatic-reload` boolean argument determines if the file set by `--encryption-provider-config` should be automatically reloaded if the disk contents change. This enables key rotation without API server restarts. An example configuration is provided below.
37+
[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). An example configuration is provided below.
3838

3939
{{< caution >}}
4040
**IMPORTANT:** For high-availability configurations (with two or more control plane nodes), the
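Review bot: With the reload sentence dropped from this paragraph (old line 37), the introduction no longer tells the reader that key rotation without an API server restart exists at all; suggest keeping a one-line pointer here, for example "See [Configure automatic reloading](#configure-automatic-reloading) for rotating keys without restarting the API server.", so readers who stop at the overview still learn that the option exists and where it is described.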
@@ -462,6 +462,19 @@ Then run the following command to force decrypt all Secrets:
462462
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
463463
```
464464

465+
## Configure automatic reloading
466+
467+
You can configure automatic reloading of encryption provider configuration.
468+
That setting determines whether the
469+
{{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} should
470+
load the file you specify for `--encryption-provider-config` only once at
471+
startup, or automatically whenever you change that file. Enabling this option
472+
allows you to change the keys for encryption at rest without restarting the
473+
API server.
474+
475+
To allow automatic reloading, configure the API server to run with:
476+
`--encryption-provider-config-automatic-reload=true`
477+
465478
## {{% heading "whatsnext" %}}
466479

467480
* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/).
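Review bot: The new section (lines 465-477) does not connect automatic reloading to the existing caution on high-availability configurations near the top of the page (old line 40), yet that is where it matters most: when each control plane node reloads its own copy of the file, the copies on every node need to be updated consistently, so a short "See the caution about high-availability configurations above" after the last sentence would help. Two smaller points: the flag on line 477 is shown as a bare inline-code line, while the rest of this page puts command-line material in fenced code blocks (compare the fence closed at line 463), so a fenced block would be consistent; and "load the file ... only once at startup, or automatically whenever you change that file" on lines 470-471 reads more clearly as "load the file ... once at startup, or reload it whenever you change that file".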
