etcd backups & encryption at rest
Definition
etcd is a distributed key-value store used to hold and manage critical data for Kubernetes clusters. Ensuring the security of etcd involves regular backups and encryption at rest. Backups are crucial for disaster recovery, while encryption at rest protects sensitive data from unauthorized access by encrypting the data stored on disk.
Secure Settings Example
# Example of etcd encryption configuration in a Kubernetes cluster
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: <base64-encoded-secret>
- identity: {}
Insecure Settings Example
# Example of an insecure etcd configuration with no encryption at rest
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- identity: {}