kube-apiserver Encryption Configuration (v1)
Package v1 is the v1 version of the API.
Resource Types
EncryptionConfiguration
EncryptionConfiguration stores the complete configuration for encryption providers.
Field | Description |
---|---|
apiVersion string | apiserver.config.k8s.io/v1 |
kind string | EncryptionConfiguration |
resources [Required][]ResourceConfiguration | resources is a list containing resources, and their corresponding encryption providers. |
AESConfiguration
Appears in:
AESConfiguration contains the API configuration for an AES transformer.
Field | Description |
---|---|
keys [Required][]Key | keys is a list of keys to be used for creating the AES transformer. Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM. |
IdentityConfiguration
Appears in:
IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.
KMSConfiguration
Appears in:
KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.
Field | Description |
---|---|
name [Required]string | name is the name of the KMS plugin to be used. |
cachesize int32 | cachesize is the maximum number of secrets which are cached in memory. The default value is 1000. Set to a negative value to disable caching. |
endpoint [Required]string | endpoint is the gRPC server listening address, for example “unix:///var/run/kms-provider.sock”. |
timeout meta/v1.Duration | timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds. |
Key
Appears in:
Key contains name and secret of the provided key for a transformer.
Field | Description |
---|---|
name [Required]string | name is the name of the key to be used while storing data to disk. |
secret [Required]string | secret is the actual key, encoded in base64. |
ProviderConfiguration
Appears in:
ProviderConfiguration stores the provided configuration for an encryption provider.
Field | Description |
---|---|
aesgcm [Required]AESConfiguration | aesgcm is the configuration for the AES-GCM transformer. |
aescbc [Required]AESConfiguration | aescbc is the configuration for the AES-CBC transformer. |
secretbox [Required]SecretboxConfiguration | secretbox is the configuration for the Secretbox based transformer. |
identity [Required]IdentityConfiguration | identity is the (empty) configuration for the identity transformer. |
kms [Required]KMSConfiguration | kms contains the name, cache size and path to configuration file for a KMS based envelope transformer. |
ResourceConfiguration
Appears in:
ResourceConfiguration stores per resource configuration.
Field | Description |
---|---|
resources [Required][]string | resources is a list of kubernetes resources which have to be encrypted. |
providers [Required][]ProviderConfiguration | providers is a list of transformers to be used for reading and writing the resources to disk. eg: aesgcm, aescbc, secretbox, identity. |
SecretboxConfiguration
Appears in:
SecretboxConfiguration contains the API configuration for an Secretbox transformer.
Field | Description |
---|---|
keys [Required][]Key | keys is a list of keys to be used for creating the Secretbox transformer. Each key has to be 32 bytes long. |