Exploring container security: Encrypting Kubernetes secrets with Cloud KMS


Google Cloud encrypts data at rest by default, including data in Google Kubernetes Engine (GKE). This is a guide on container security straight from Google.

In a default Kubernetes installation, Kubernetes secrets are stored in etcd in plaintext. In GKE, this is managed for you: GKE encrypts these secrets on disk, and monitors this data for insider access. But this might not be enough to protect those secrets from a potentially malicious insider, or a malicious application in your environment.

The article then describes how using Cloud KMS can protect secrets in Kubernetes. Their approach gives you flexibility in your security model to meet the specific requirements you may have:

  • Root of trust
  • Key rotation
  • Separation of duties
  • Centralized auditing
  • Example to get you started

Now encrypt those secrets! Very useful.

