#etcd Encryption

This guide helps you install, understand, and operate the etcd Encryption Manager in to automate etcd data encryption key rotation within your clusters.

It ensures that sensitive data stored in etcd, such as secrets and configmaps, is encrypted using a secure algorithm, enhancing your cluster's security.

#Installation

See Cluster Plugin for installation instructions.

Note:

• Currently supported:

  • On-Premises clusters
  • DCS clusters

• Not supported:

  • global cluster

#How it Works

Upon installation, an etcd-encryption-manager controller is deployed in the kube-system namespace, which:

• Periodically rotates etcd data encryption keys.
• Retains the 8 most recent keys for rollback compatibility.
• Updates encryption configurations on all control nodes.
• Triggers kube-apiserver to hot reload new keys.
• Automatically migrates resources to re-encrypt data with new keys.

Cluster stability is maintained throughout these operations.

#Default Configuration

#Operations Guide

#Configuration Files

#Checking Status

Run the following command to check the current rotation status:

kubectl get EtcdEncryptionConfig default -o yaml

Example output:

apiVersion: cluster.alauda.io/v1alpha1
kind: EtcdEncryptionConfig
metadata:
  name: default
spec:
  resources:
    - secrets
    - configmaps
  rotationInterval: 168h0m0s
  type: aesgcm
status:
  deployStatus:
    192.168.100.1:
      revision: 3
      state: Success
    192.168.100.2:
      revision: 3
      state: Success
    192.168.100.3:
      revision: 3
      state: Success
  migration:
    completeTimestamp: "2025-05-27T05:47:01Z"
    resources:
      - secrets
      - configmaps
    revision: 3
    state: Success
  revision: 3