From df2b2668a9fa9a5235789f796d5365e77084157e Mon Sep 17 00:00:00 2001 From: Alberto <93380371+alcampag@users.noreply.github.com> Date: Fri, 28 Mar 2025 14:53:03 +0100 Subject: [PATCH] Update policies.md Added policy to use a custom key to encrypt etcd --- .../devops-and-containers/oke/oke-policies/policies.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/app-dev/devops-and-containers/oke/oke-policies/policies.md b/app-dev/devops-and-containers/oke/oke-policies/policies.md index acb3200e6..961c27d32 100644 --- a/app-dev/devops-and-containers/oke/oke-policies/policies.md +++ b/app-dev/devops-and-containers/oke/oke-policies/policies.md @@ -28,6 +28,16 @@ UNCLEAR: Maybe this policy is necessary for every IPv6 cluster Allow any-user to use ipv6s in compartment where all { request.principal.id = '' } ``` + +### ENCRYPT ETCD WITH A KEY + +To encrypt etcd secrets at rest using a custom key, this needs to be specified at cluster creation and the following policy must be in place: + +[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengencryptingdata.htm#console](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengencryptingdata.htm#console) + +``` +Allow any-user to use keys in compartment where ALL {request.principal.type = 'cluster', target.key.id = ''} +``` ### ENCRYPT BOOT VOLUME WITH KEY
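Review bot: the added policy statement ships with an empty `target.key.id = ''` and `in compartment` with no compartment name, yet the prose says the statement "must be in place" before cluster creation; make explicit in the added text that both are placeholders to be filled with the key OCID and the compartment holding the key (for example `... in compartment <compartment-name> where ALL {request.principal.type = 'cluster', target.key.id = '<key-OCID>'}`), otherwise a copied statement matches no key and the cluster's etcd encryption setup will be denied. The shape of the statement is right for an `any-user` grant: `request.principal.type = 'cluster'` restricts it to cluster principals and `target.key.id` restricts it to the one key, so it should stay that narrow rather than being widened to the whole compartment. Also worth adding one line that the key choice is fixed at cluster creation (the text already says it must be specified then), so the policy has to exist before, not after, the cluster is created.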