How Kubernetes stores encrypted data in etcd, and why KMS v2 matters

Maksim Nabokikh

from Palark GmbH (Ulm)

About speaker

I am a software engineer with more than ten years of experience. Since 2020, I’ve been an architect and tech lead of Deckhouse Kubernetes Platform, a certified Kubernetes distribution. Since 2021, I’ve also been a maintainer of Dex, a CNCF Sandbox project.

About speaker's company

Palark is an all-in-one DevOps & SRE service provider based in Germany that helps organisations of all sizes build, deploy and operate software quickly, efficiently and securely. Our team is always on call to ensure that your production environment is running smoothly. We offer DevOps as a Service, so you can concentrate on business applications without worrying about infrastructure, operations, CI/CD and all related best practices.

Abstracts

etcd is at the heart of the data Kubernetes stores for various needs, and encrypting it is natural for those who’d like to reduce the attack surface for Kubernetes-based workloads. This talk reveals how this encryption works, and why KMS (Key Management Service) v2 is the best approach we have today.

You’ll learn how KMS v1 initially encrypted data in etcd, which shortcomings it brought, and how KMS v2—released as stable in Kubernetes v1.29—solved them. Finally, I’ll demonstrate how you can create a simple plugin leveraging data encryption with KMS v2.

The talk was accepted to the conference program