Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. External encryption key management

You can configure Kubernetes Key Management Service (KMS) v2 on OpenShift Container Platform to centralize encryption key management and meet regulatory compliance requirements.

Important

Kubernetes KMS v2 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

6.1.1. About Kubernetes KMS v2 encryption
Copia collegamento

Kubernetes KMS v2 uses external Key Management Services to encrypt etcd data and centralize key management.

Kubernetes KMS v2 provides:

  • Customer-managed encryption keys that never leave the external KMS
  • Centralized key management and auditing
  • Regulatory compliance support

6.1.1.1. Encrypted resources
Copia collegamento

When you enable KMS encryption, OpenShift Container Platform encrypts the following sensitive resources in etcd:

  • Secrets
  • ConfigMaps
  • Routes
  • OAuth access tokens
  • OAuth authorize tokens
Note

Resource types, namespaces, and object names are not encrypted.

6.1.2. KMS Technology Preview limitations
Copia collegamento

Review the current limitations of Kubernetes KMS v2 to plan deployments and avoid unsupported configurations in OpenShift Container Platform 4.21 or later.

6.1.2.1. Current limitations
Copia collegamento

  • Plugins require manual installation on each control plane node
  • Plugins must listen at unix:///var/run/kmsplugin/kms.sock
  • Only one KMS plugin can run at a time
  • KMS-to-KMS migration requires intermediate migration to identity or aescbc

6.2. Configuring Kubernetes KMS v2
Copia collegamento

You can configure external KMS encryption for etcd to centralize key management and meet regulatory compliance requirements.

Important

Kubernetes KMS v2 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

6.2.1. Enable KMS encryption
Copia collegamento

You can enable external Key Management Service (KMS) encryption for etcd data to centralize key management and meet compliance requirements.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have enabled the TechPreviewNoUpgrade feature set to enable the KMSEncryption feature gate.
  • You have a HashiCorp Vault Enterprise instance accessible from your control plane nodes. Vault Community Edition is not available.
  • Your control plane nodes have network access to the Vault server.

  • You have configured your Vault instance with:

    • Transit secrets engine enabled at the default transit/ mount path
    • Encryption key created with type aes256-gcm96 (recommended for FIPS 140-3 compliance)
    • Vault policy allowing the Kubernetes KMS v2 plugin to encrypt, decrypt, and read key information
    • Authentication method (token, AppRole, or userpass) configured with the policy attached

The Kubernetes KMS v2 plugin requires a Vault policy with the following capabilities: 

path "transit/encrypt/kms-key" {
  capabilities = ["update"]
}

path "transit/decrypt/kms-key" {
  capabilities = ["update"]
}

path "transit/keys/kms-key" {
  capabilities = ["read"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

Replace kms-key with your Vault Transit key name if using a different name.

Important

Create an etcd backup before enabling KMS encryption.

Procedure

  1. Deploy the KMS plugin on each control plane host as a static pod:

    • Configure the plugin to listen at unix:///var/run/kmsplugin/kms.sock
    • For your static pod, mount /var/run/kmsplugin as hostPath
    • Configure KMS provider connection details and authentication credentials

    The following steps show how to deploy the HashiCorp Vault KMS plugin as a static pod.

  2. Create a static pod manifest file: 

    $ cat > /tmp/vault-kms-plugin.yaml <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: vault-kms-plugin
  namespace: kube-system
  labels:
    app: vault-kms-plugin
    tier: control-plane
spec:
  priorityClassName: system-node-critical
  hostNetwork: true
  containers:
  - name: vault-kms-plugin
    image: quay.io/redhat-isv-containers/698df066f8d1ddf179c15ef9:<version>
    command:
    - /vault-kubernetes-kms
    - -vault-address=<https://vault.example.com:8200>
    - -<vault_namespace>=admin
    - -auth-method=userpass
    - -userpass-username=<vault_username>
    - -userpass-password=<vault_password>
    - -transit-mount=transit
    - -transit-key=kms-key
    - -socket=unix:///var/run/kmsplugin/kms.sock
    volumeMounts:
    - name: kmsplugin
      mountPath: /var/run/kmsplugin
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 512Mi
    securityContext:
      privileged: true
  volumes:
  - name: kmsplugin
    hostPath:
      path: /var/run/kmsplugin
      type: DirectoryOrCreate
EOF

    Replace the following values to match your environment:

    <version>
    The Vault KMS plugin image version tag. Use 0.1.0-beta-ubi.
    <vault_username>
    Your Vault username for authentication.
    <vault_password>
    Your Vault password for authentication.
    https://vault.example.com:8200
    The Vault address. Update this field to match your Vault server URL.
    <vault_namespace>

    Optional field.

    The manifest uses the Red Hat certified container image from Quay.io (quay.io/redhat-isv-containers/698df066f8d1ddf179c15ef9), which is the recommended image for OpenShift Container Platform.

    Note

    Alternatively, you can use the HashiCorp image from Docker Hub by replacing the image field with docker.io/hashicorp/vault-kube-kms:0.1.0-beta-ubi.

  3. Deploy the static pod manifest to each control plane node by running the following commands: 

    $ MANIFEST=$(cat /tmp/vault-kms-plugin.yaml | base64)
$ for node in $(oc get nodes --selector=node-role.kubernetes.io/master -o name | cut -d/ -f2); do
    echo "Deploying to $node..."
    oc debug node/$node -- chroot /host bash -c \
      "echo '$MANIFEST' | base64 -d > /etc/kubernetes/manifests/vault-kms-plugin.yaml"
  done

    The kubelet automatically detects and starts static pods from /etc/kubernetes/manifests/.

  4. Verify the static pods are running by entering the following command: 

    $ oc get pods -n kube-system -o wide | grep vault-kms

    Example output

    vault-kms-plugin-ip-10-0-16-7.compute.internal    1/1  Running  0  2m  10.0.16.7
vault-kms-plugin-ip-10-0-32-93.compute.internal   1/1  Running  0  2m  10.0.32.93
vault-kms-plugin-ip-10-0-69-106.compute.internal  1/1  Running  0  2m  10.0.69.106

    Static pod names include the node name as a suffix. You should see one pod per control plane node.

  5. Verify the socket exists on a control plane node by entering the following command: 

    $ oc debug node/<node_name> -- chroot /host ls -la /var/run/kmsplugin/kms.sock

    Example output

    srwxr-xr-x. 1 root root 0 <timestamp> /var/run/kmsplugin/kms.sock

    Note

    Static pods are managed by kubelet on each node and cannot be deleted with oc delete pod. To remove a static pod, delete the manifest file from /etc/kubernetes/manifests/ on each control plane node.

  6. Edit the APIServer custom resource by entering the following command: 

    $ oc edit apiserver cluster

  7. Add the KMS configuration to the spec.encryption section: 

    apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: KMS

  8. Save and exit.

    Migration begins automatically. The kube-apiserver, openshift-apiserver and oauth-apiserver Operators will restart and roll out new revisions.

    Note

    The openshift-apiserver and authentication operators typically complete migration in 5-10 minutes. The kube-apiserver operator uses a conservative rollout strategy, updating one control plane node at a time and waiting for health checks before proceeding to the next node. This process can take 30 minutes or longer depending on cluster load.

Verification

  1. Verify the encryption type by entering the following command: 

    $ oc get apiserver cluster -o jsonpath='{.spec.encryption.type}'

    Output should show KMS.

  2. Monitor the kube-apiserver rollout progress by entering the following command: 

    $ oc get kubeapiserver cluster -o jsonpath='{.status.nodeStatuses}' | jq -r '.[] | "\(.nodeName | split(".")[0]): current=\(.currentRevision) target=\(.targetRevision)"'

    Example output during rollout

    ip-10-0-16-166: current=10 target=0
ip-10-0-32-93: current=9 target=10
ip-10-0-69-106: current=9 target=0

    The operator rolls out one node at a time. When all nodes show the same current revision and target is 0, the rollout is complete.

  3. Check the encryption migration status by entering the following command: 

    $ oc get kubeapiserver cluster -o jsonpath='{.status.conditions[?(@.type=="Encrypted")]}' | jq .

    Example output when complete

    {
  "lastTransitionTime": "2026-05-15T17:39:02Z",
  "message": "All resources encrypted: secrets, configmaps",
  "reason": "EncryptionCompleted",
  "status": "True",
  "type": "Encrypted"
}

    Wait for reason to show EncryptionCompleted before proceeding to verify encryption in etcd.

  4. Verify secrets are encrypted in etcd:

    Warning

    Wait for the kube-apiserver rollout to complete on all control plane nodes before verifying encryption. During the rollout, API requests are distributed across nodes, and secrets created while some nodes are still on an earlier revision will not be encrypted with Kubernetes KMS v2.

    1. Create a test secret by entering the following command: 

      $ oc create secret generic test-secret --from-literal=key=value -n default

    2. Get an etcd pod name by entering the following command: 

      $ oc get pods -n openshift-etcd -l app=etcd -o name | head -1

    3. Check the secret data in etcd by entering the following command: 

      $ oc exec -n openshift-etcd <etcd_pod_name> -- etcdctl get /kubernetes.io/secrets/default/test-secret --print-value-only | hexdump -C | head -1

      Output should begin with k8s:enc:kms:v2: followed by encrypted binary data.

    4. Delete the test secret by entering the following command: 

      $ oc delete secret test-secret -n default

6.2.2. Rotate the Vault encryption key
Copia collegamento

You can rotate your Vault Transit encryption key to generate a new key version while maintaining access to data encrypted with earlier versions.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have access to your Vault instance with permissions to rotate keys.
  • Kubernetes KMS v2 encryption is enabled and functioning.

Procedure

  1. Rotate the Vault encryption key by entering the following command: 

    $ vault write -f transit/keys/kms-key/rotate

    Vault creates a new key version while maintaining earlier versions for decryption. The API server automatically uses the correct key version for each secret.

  2. Verify the new key version by entering the following command: 

    $ vault read transit/keys/kms-key

    The latest_version field shows the current key version number.

Verification

  • Verify that existing secrets remain accessible by entering the following command: 

    $ oc get secret -A

All secrets should be readable without errors.

Note

Existing encrypted secrets do not need re-encryption. Vault maintains all key versions and automatically uses the appropriate version for decryption.

6.2.3. Migrate from local encryption to KMS encryption
Copia collegamento

You can migrate from local etcd encryption to external KMS encryption to centralize key management and improve compliance.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have enabled the TechPreviewNoUpgrade feature set to enable the KMSEncryption feature gate.
  • Your cluster is currently using aescbc or aesgcm encryption.
  • You have deployed the KMS plugin on all control plane nodes.
  • Control plane nodes have network access to the KMS provider.
Important

Create an etcd backup before migrating.

Procedure

  1. Back up the current etcd encryption configuration by entering the following command: 

    $ oc get apiserver cluster -o yaml > apiserver-backup.yaml

  2. Edit the APIServer custom resource by entering the following command: 

    $ oc edit apiserver cluster

  3. Change the encryption type from aescbc or aesgcm to KMS: 

    apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: KMS

  4. Save and exit.

    Migration starts automatically and typically takes several minutes.

  5. Verify migration completion for all API servers by running the following commands: 

    $ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{end}'
     
    $ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{end}'
     
    $ oc get authentication.operator.openshift.io -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{end}'

    All outputs should show EncryptionCompleted.

6.2.4. Monitor KMS encryption status
Copia collegamento

You can monitor KMS encryption status by using Operator and API server logs to verify successful configuration and detect issues.

Procedure

  1. Check the kube-apiserver operator logs for KMS-related events by entering the following command: 

    $ oc logs -n openshift-kube-apiserver-operator deploy/kube-apiserver-operator | grep -i kms

  2. View API server logs for KMS-related events by entering the following command: 

    $ oc logs -n openshift-kube-apiserver -l apiserver=true --tail=100 | grep -i kms

  3. Verify the KMS encryption configuration by entering the following command: 

    $ oc get apiserver cluster -o jsonpath='{.spec.encryption}' | jq

6.2.5. KMS encryption troubleshooting
Copia collegamento

You can diagnose and resolve common KMS encryption issues to maintain secure key management and cluster availability.

6.2.5.1. Invalid KMS configuration
Copia collegamento

Symptom: APIServer resource shows validation errors during KMS encryption configuration.

Diagnosis: Check kube-apiserver Operator logs: 

$ oc logs -n openshift-kube-apiserver-operator deploy/kube-apiserver-operator | grep -i "kms\|validation\|error"

Solutions:

  • Verify plugin configuration follows provider requirements
  • Ensure all required fields are specified

  • Verify plugin is running on all control plane nodes: 

    $ oc debug node/<node_name> -- chroot /host ls -la /var/run/kmsplugin/kms.sock

6.2.5.2. KMS permissions errors
Copia collegamento

Symptom: Encryption migration fails with permission errors.

Diagnosis: Check Operator and plugin logs: 

$ oc logs -n openshift-kube-apiserver-operator deploy/kube-apiserver-operator | grep -i "kms\|permission\|access denied"
 
$ oc debug node/<node_name> -- chroot /host journalctl -u kms-plugin

Solutions:

  • Verify plugin has valid authentication credentials
  • Check if credentials have expired
  • Ensure plugin principal has encrypt and decrypt permissions
  • Verify KMS provider key policy allows plugin access
  • Confirm encryption key is enabled and not scheduled for deletion

6.2.5.3. Expired or deleted KMS key
Copia collegamento

Symptom: API server cannot decrypt secrets when accessing encrypted resources.

Diagnosis: Check logs and verify key status: 

$ oc logs -n openshift-kube-apiserver -l apiserver=true | grep -i "decrypt\|kms.*error"
 
$ oc debug node/<node_name> -- chroot /host journalctl -u kms-plugin | grep -i "key\|error"

Solutions:

  • Re-enable the encryption key if disabled
  • Restore from backup if key was permanently deleted
  • Cancel key deletion if scheduled
  • Ensure KMS provider maintains access to previous key versions
Warning

Deleted KMS keys prevent data recovery. Align key retention with backup policies.

6.2.5.4. API server degraded or unavailable
Copia collegamento

Symptom: API server becomes degraded or unresponsive after enabling KMS encryption.

Diagnosis: Check Operator status and logs: 

$ oc get clusteroperator kube-apiserver
 
$ oc logs -n openshift-kube-apiserver -l apiserver=true --tail=200 | grep -i kms

Solutions:

  • Check network connectivity between control plane and KMS provider
  • Verify network policies, firewalls, and routes allow communication
  • Monitor KMS provider rate limits and request increases if needed
  • Verify DNS resolution and TLS certificate validation

  • Confirm plugin is running on all control plane nodes: 

    $ oc debug node/<node_name> -- chroot /host systemctl status kms-plugin

6.2.5.5. Encryption migration stuck or slow
Copia collegamento

Symptom: KMS encryption migration takes unusually long or becomes stuck.

Diagnosis: Check Operator status and migration logs: 

$ oc get clusteroperator kube-apiserver
 
$ oc logs -n openshift-kube-apiserver-operator deploy/kube-apiserver-operator | grep -i migration

Solutions:

  • Migration time depends on data size; monitor progress
  • Monitor KMS provider audit logs for rate limiting or throttling events
  • Check network performance between control plane and KMS provider

6.2.5.6. Collecting debug information
Copia collegamento

Collect cluster logs: 

$ oc adm must-gather
 
$ oc get apiserver cluster -o yaml > apiserver.yaml
 
$ oc logs -n openshift-kube-apiserver-operator deploy/kube-apiserver-operator > kube-apiserver-operator.log
 
$ oc logs -n openshift-kube-apiserver -l apiserver=true --tail=500 > kube-apiserver.log

Collect KMS provider information:

  • KMS plugin logs from control plane nodes
  • KMS provider audit logs
  • KMS provider key policy and permissions
  • Authentication credentials status
  • Network connectivity test results
Note

Redact credentials, tokens, and sensitive data before sharing logs.

6.3. Disabling Kubernetes KMS v2
Copia collegamento

You can disable KMS encryption and migrate to local etcd encryption to simplify operations or resolve external KMS connectivity issues.

Important

Kubernetes KMS v2 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

6.3.1. Disable KMS encryption
Copia collegamento

You can disable external KMS encryption and migrate to local encryption to simplify operations or resolve KMS connectivity issues.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have created an etcd backup.
Warning

Re-encryption of all etcd data will occur.

Procedure

  1. Edit the APIServer custom resource by entering the following command: 

    $ oc edit apiserver cluster

  2. Change the encryption configuration: 

    apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: <encryption>

    Replace <encryption> with aescbc, aesgcm, or identity.

  3. Save and exit.

    OpenShift Container Platform automatically migrates etcd data. Migration time depends on etcd size and secret count.

  4. Monitor the migration progress by entering the following command: 

    $ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}{end}'

    Wait until the output shows EncryptionCompleted.

  5. Verify kube-apiserver pods rolled out by entering the following command: 

    $ oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver

  6. Remove the static pod manifest from each control plane node by running the following command: 

    $ for node in $(oc get nodes --selector=node-role.kubernetes.io/master -o name | cut -d/ -f2); do
    echo "Removing static pod from $node..."
    oc debug node/$node -- chroot /host \
      rm -f /etc/kubernetes/manifests/vault-kms-plugin.yaml
  done

    The kubelet automatically stops static pods when their manifest is removed from /etc/kubernetes/manifests/.

  7. Clean up the socket directory by running the following command: 

    $ for node in $(oc get nodes --selector=node-role.kubernetes.io/master -o name | cut -d/ -f2); do
    oc debug node/$node -- chroot /host rm -rf /var/run/kmsplugin
  done
  8. After backup retention period passes, decommission the KMS key.

Verification

  1. Verify the encryption type by entering the following command: 

    $ oc get apiserver cluster -o jsonpath='{.spec.encryption.type}'

  2. Verify that a test secret uses the new encryption type:

    1. Create a test secret by entering the following command: 

      $ oc create secret generic encryption-test --from-literal=key=value -n default

    2. Get an etcd pod name by entering the following command: 

      $ oc get pods -n openshift-etcd -l app=etcd -o name | head -1

    3. Check the encryption prefix by entering the following command: 

      $ oc exec -n openshift-etcd <etcd_pod_name> -- etcdctl get /kubernetes.io/secrets/default/encryption-test --print-value-only | hexdump -C | head -1

      Output should begin with k8s:enc:aescbc:v1:, k8s:enc:aesgcm:v1:, or show readable JSON for identity.

    4. Delete the test secret by entering the following command: 

      $ oc delete secret encryption-test -n default
Note

Do not delete the KMS key until migration completes successfully.

Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Legal Notice

Theme

© 2026 Red HatTorna in cima