etcd snapshots & encryption
Definition
etcd is the distributed key-value store that holds all Kubernetes cluster state: every object the API server knows about, including Secrets. A snapshot (etcdctl snapshot save) is a complete copy of that keyspace, so it is exactly as sensitive as the live database: anyone who can read a snapshot can read every Secret in the cluster, and anyone who can restore one holds the equivalent of cluster-admin. Snapshots are essential for disaster recovery, which is why they end up on shared storage such as S3, and that is also where they are most often exposed.

Two things are commonly conflated under "etcd encryption". First, etcd itself does not encrypt the values it stores, and Kubernetes Secrets are only base64-encoded, so by default they are plaintext both in etcd and in every snapshot. Encryption at rest for Secrets is configured on kube-apiserver, not on etcd, through an EncryptionConfiguration file passed with --encryption-provider-config; once enabled, new Secret values are written to etcd as ciphertext carrying a k8s:enc:<provider>:v1:<keyname>: prefix, and they appear that way in snapshots. Second, the snapshot file itself must be protected independently of that: take it over mutual TLS, store it encrypted (for S3, server-side encryption with a KMS key, enforced by a bucket policy that rejects uploads without the s3:x-amz-server-side-encryption header), and restrict read access as tightly as access to etcd. Encryption gives confidentiality, not integrity: verify a snapshot with etcdutl snapshot status (etcdctl snapshot status on older releases), which reports its hash and revision, and keep the API-server encryption keys in a separate, equally protected backup, because a snapshot whose Secrets were encrypted cannot be restored into a usable cluster without the key that was active when they were written.
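The three checks a practitioner would wrap around the settings in the rest of this page, as an added example in Python (this is not code from the original page, from etcd, or from etcd-operator): building the kube-apiserver EncryptionConfiguration that actually encrypts Secrets before they reach etcd, assembling the etcdctl snapshot command over mutual TLS, and auditing a snapshot's raw bytes to find Secret records whose value lacks the k8s:enc: envelope. The function names, the certificate paths, and the key name key1 are assumptions; the sample snapshot bytes are constructed here (a few etcd mvccpb.KeyValue records with filler between them, not a real bbolt file), and the scanner is a heuristic over those records rather than a full bbolt page parser.

```python
import base64

ENC_PREFIX = b"k8s:enc:"                 # envelope written by kube-apiserver encryption at rest
SECRET_KEY_PREFIX = b"/registry/secrets/"  # etcd key prefix under which Secrets live


def build_encryption_config(key: bytes, key_name: str = "key1") -> str:
    """kube-apiserver EncryptionConfiguration (--encryption-provider-config).
    This file, not etcd, is where Secret encryption at rest is configured."""
    if len(key) != 32:
        raise ValueError("aescbc requires a 32-byte key")
    return (
        "apiVersion: apiserver.config.k8s.io/v1\n"
        "kind: EncryptionConfiguration\n"
        "resources:\n"
        "  - resources:\n"
        "      - secrets\n"
        "    providers:\n"
        "      - aescbc:\n"
        "          keys:\n"
        f"            - name: {key_name}\n"
        f"              secret: {base64.b64encode(key).decode()}\n"
        "      - identity: {}\n"  # last: still reads pre-existing plaintext, never writes it
    )


def snapshot_command(endpoint: str, cacert: str, cert: str, key: str, out: str) -> list:
    """argv for a snapshot over mutual TLS (real etcdctl v3 flags; the paths are ours)."""
    return ["etcdctl", f"--endpoints={endpoint}", f"--cacert={cacert}",
            f"--cert={cert}", f"--key={key}", "snapshot", "save", out]


def _read_varint(buf: bytes, pos: int):
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _parse_keyvalue(buf: bytes, pos: int) -> dict:
    """Decode one etcd mvccpb.KeyValue: 1=key 2=create_rev 3=mod_rev 4=version 5=value."""
    fields = {}
    while 5 not in fields:
        tag, pos = _read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == 0:
            val, pos = _read_varint(buf, pos)
        elif wire == 2:
            length, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError("unexpected wire type")
        fields[field] = val
    return fields


def audit_snapshot(data: bytes) -> dict:
    """Classify every Secret record in raw snapshot bytes as encrypted or plaintext.
    Heuristic: locate each key string, then decode the KeyValue message starting at the
    0x0a tag that precedes its 1- or 2-byte length varint (keys up to 16 KiB)."""
    report = {"encrypted": [], "plaintext": []}
    pos = data.find(SECRET_KEY_PREFIX)
    while pos != -1:
        for back in (2, 3):
            start = pos - back
            if start < 0 or data[start] != 0x0A:
                continue
            try:
                kv = _parse_keyvalue(data, start)
            except (IndexError, ValueError):
                continue
            key, value = kv.get(1, b""), kv.get(5, b"")
            if key.startswith(SECRET_KEY_PREFIX):
                bucket = "encrypted" if value.startswith(ENC_PREFIX) else "plaintext"
                report[bucket].append(key.decode())
                break
        pos = data.find(SECRET_KEY_PREFIX, pos + 1)
    return report


def _encode_keyvalue(key: bytes, value: bytes, rev: int = 1) -> bytes:
    """Encode a mvccpb.KeyValue as etcd stores it (only used to build the sample below)."""
    def varint(n: int) -> bytes:
        out = bytearray()
        while True:
            out.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
            n >>= 7
            if not n:
                return bytes(out)
    return (b"\x0a" + varint(len(key)) + key                                  # 1: key
            + b"\x10" + varint(rev) + b"\x18" + varint(rev) + b"\x20" + varint(1)  # 2,3,4
            + b"\x2a" + varint(len(value)) + value)                           # 5: value


def sample_snapshot() -> bytes:
    """Constructed stand-in for snapshot.db (not a real bbolt file)."""
    filler = b"\x00" * 32
    return b"".join([
        filler,
        _encode_keyvalue(b"/registry/configmaps/default/app-config", b'{"kind":"ConfigMap"}'),
        filler,
        # Secret written before encryption at rest was enabled: plaintext (shortened JSON)
        _encode_keyvalue(b"/registry/secrets/default/db-password",
                         b'{"kind":"Secret","data":{"password":"aHVudGVyMg=="}}'),
        filler,
        # Secret written after: provider, key name, then ciphertext (arbitrary bytes here)
        _encode_keyvalue(b"/registry/secrets/kube-system/bootstrap-token",
                         b"k8s:enc:aescbc:v1:key1:" + bytes(range(16, 48))),
        filler,
    ])


if __name__ == "__main__":
    print(build_encryption_config(bytes(32)))
    print(" ".join(snapshot_command("https://127.0.0.1:2379", "/etc/kubernetes/pki/etcd/ca.crt",
                                    "/etc/kubernetes/pki/etcd/server.crt",
                                    "/etc/kubernetes/pki/etcd/server.key", "/backup/snap.db")))
    print(audit_snapshot(sample_snapshot()))
```

Run against a real snapshot (open("snapshot.db", "rb").read()), a non-empty plaintext list after enabling EncryptionConfiguration means the rewrite step was skipped: existing Secrets are only re-encrypted when they are written again (kubectl get secrets --all-namespaces -o json | kubectl replace -f - is the documented way to force it), so a snapshot taken before that step still carries them in the clear.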
Secure Settings Example
# etcd-operator EtcdCluster resource with an encryption block and an S3 backup policy.
# Note: upstream etcd-operator's EtcdCluster spec has no encryption field; the block is
# illustrative of the intent. Real encryption of Secrets is configured on kube-apiserver
# (EncryptionConfiguration), and the backup policy shown here is the form used by older
# operator releases (newer ones use a separate EtcdBackup resource).
apiVersion: etcd.database.coreos.com/v1beta2
kind: EtcdCluster
metadata:
  name: example-etcd-cluster
spec:
  encryption:
    enabled: true
    encryptionKeys:
      - name: key1
        # Key material inline in a custom resource is itself stored in etcd, i.e. in the
        # database it is meant to protect, and in every snapshot of it. Keep the key out
        # of etcd: a KMS provider, or a file on the control-plane host as kube-apiserver does.
        secret: <base64-encoded-key>
  backup:
    backupIntervalInSecond: 3600   # hourly snapshots
    maxBackups: 5                  # retention: older snapshots are deleted
    storageType: S3
    s3:
      path: "s3://my-etcd-backups"   # bucket must enforce server-side encryption (SSE-KMS)
      awsSecret:
        name: aws-secret             # credentials referenced from a Secret, not inline
Insecure Settings Example
# The same resource with the weak settings marked; kept as the "before" state.
apiVersion: etcd.database.coreos.com/v1beta2
kind: EtcdCluster
metadata:
  name: example-etcd-cluster
spec:
  encryption:
    enabled: false   # WEAK: Secrets are stored and snapshotted in plaintext
  backup:
    backupIntervalInSecond: 3600
    maxBackups: 5
    storageType: S3
    s3:
      # WEAK: no credentials reference and nothing requiring server-side encryption;
      # anyone with read access to the bucket holds every Secret in the cluster.
      path: "s3://my-etcd-backups"