
vault-kms-plugin

A Kubernetes KMS plugin that uses HashiCorp Vault's Transit secrets engine to encrypt Secrets, ConfigMaps and other Kubernetes objects at rest in etcd (on disk).


Why

HashiCorp Vault already offers useful Kubernetes integrations, such as the Vault Secrets Operator for populating Kubernetes secrets from Vault Secrets or the Vault Agent Injector for injecting Vault secrets into a Pod using a sidecar container approach.

Wouldn't it be nice if you could also use your Vault server to encrypt Kubernetes secrets before they are written into etcd? The vault-kubernetes-kms plugin does exactly this!

Since the key used for encrypting secrets is never stored in Kubernetes, an attacker seeking unauthorized access to the plaintext values would need to compromise both etcd and the Vault server.

How does it work?


vault-kubernetes-kms is meant to run as a static pod on every control plane node, i.e. on each node where a kube-apiserver runs.

The plugin creates a Unix socket and receives encryption requests from the kube-apiserver through that socket. It uses the configured Vault transit encryption key to encrypt the data and returns the ciphertext to the kube-apiserver, which then stores the encrypted response in etcd.

To do so, you have to enable encryption at rest by configuring the kube-apiserver with an EncryptionConfiguration that points at the plugin's socket (see https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/ for more details).

⚠ As a consequence, the kube-apiserver requires the vault-kubernetes-kms plugin to be up and running before the kube-apiserver itself starts. To ensure this, setting a priority class in the plugin's manifest ("priorityClassName: system-node-critical") is recommended. ⚠
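The following EncryptionConfiguration is an added example of what the kube-apiserver needs in order to route Secrets and ConfigMaps through a KMS plugin over its Unix socket; it is not taken from the project's documentation. The plugin name, the socket path (/opt/vaultkms/vaultkms.socket) and the timeout are assumptions, so take the real values from the project's configuration page linked above.

```yaml
# Example EncryptionConfiguration for a KMS v2 plugin (added example, not project code).
# Pass it to the kube-apiserver via --encryption-provider-config=/path/to/this/file.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps          # encrypt ConfigMaps as well, as the README describes
    providers:
      # First provider is used for writes; every listed provider may be used for reads.
      - kms:
          apiVersion: v2
          name: vault-kubernetes-kms            # assumed plugin name
          endpoint: unix:///opt/vaultkms/vaultkms.socket   # assumed socket path of the static pod
          timeout: 3s                           # assumed; request timeout towards the plugin
      # identity (no encryption) must stay LAST: it only lets the apiserver read objects
      # written before encryption was enabled. Listing it first would silently write plaintext.
      - identity: {}
```

After enabling the configuration, existing objects are re-encrypted only when they are rewritten (for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`). To confirm that encryption is in effect, read a secret's key directly from etcd with etcdctl: the stored value must start with the `k8s:enc:kms:v2:` prefix rather than with the plaintext `k8s` protobuf header.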

⚠ vault-kubernetes-kms is at an early stage! Running it in production is not yet recommended. I'm looking for early adopters in order to gather important feedback. ⚠

Features