mirror of https://github.com/kubernetes/kops.git
66 lines
1.3 KiB
Markdown
# Etcd Volume Encryption
You must configure etcd volume encryption before bringing up your cluster. You cannot add etcd volume encryption to an already running cluster.
## Encrypting Etcd Volumes Using the Default AWS KMS Key
Edit your cluster to add `encryptedVolume: true` to each etcd volume:
`kops edit cluster ${CLUSTER_NAME}`
```
...
etcdClusters:
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
  name: main
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
  name: events
...
```
Update your cluster:
```
kops update cluster ${CLUSTER_NAME}
# Review changes before applying
kops update cluster ${CLUSTER_NAME} --yes
```
## Encrypting Etcd Volumes Using a Custom AWS KMS Key
Edit your cluster to add `encryptedVolume: true` and `kmsKeyId` (the full ARN of your KMS key) to each etcd volume:
`kops edit cluster ${CLUSTER_NAME}`
```
...
etcdClusters:
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
    kmsKeyId: <full-arn-of-your-kms-key>
  name: main
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
    kmsKeyId: <full-arn-of-your-kms-key>
  name: events
...
```
Update your cluster:
```
kops update cluster ${CLUSTER_NAME}
# Review changes before applying
kops update cluster ${CLUSTER_NAME} --yes
```
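Because encryption cannot be retrofitted onto a running cluster, it is worth verifying after `kops update cluster --yes` that every etcd volume actually came up encrypted, and, in the custom-key case, with the intended key rather than the account's default EBS key. The following is an added example (not kops code) that audits the JSON returned by `aws ec2 describe-volumes` for both sections above: it flags etcd volumes that are unencrypted and, when an expected key ARN is supplied, volumes encrypted with any other key. It assumes kops tags each etcd volume with a `k8s.io/etcd/<etcd-cluster-name>` tag; the volume IDs, account ID and key IDs in the embedded sample are constructed placeholders.

```python
"""Audit kops etcd EBS volumes for encryption state (added example, not kops code)."""
import json

# Placeholder key ARNs (constructed; not real keys).
CUSTOM_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
DEFAULT_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"

# Constructed stand-in for `aws ec2 describe-volumes --output json` (not real data):
# an etcd "main" volume on the default key, an etcd "events" volume on the custom
# key, an unencrypted etcd volume, and an unrelated volume that must be ignored.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": DEFAULT_KEY_ARN,
         "Tags": [{"Key": "k8s.io/etcd/main", "Value": "a/a"},
                  {"Key": "KubernetesCluster", "Value": "example.k8s.local"}]},
        {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": CUSTOM_KEY_ARN,
         "Tags": [{"Key": "k8s.io/etcd/events", "Value": "a/a"},
                  {"Key": "KubernetesCluster", "Value": "example.k8s.local"}]},
        {"VolumeId": "vol-0ccc", "Encrypted": False,
         "Tags": [{"Key": "k8s.io/etcd/main", "Value": "b/b"},
                  {"Key": "KubernetesCluster", "Value": "example.k8s.local"}]},
        {"VolumeId": "vol-0ddd", "Encrypted": False,
         "Tags": [{"Key": "Name", "Value": "scratch"}]},
    ]
})

# Assumption: kops tags every etcd volume as k8s.io/etcd/<etcd-cluster-name>.
ETCD_TAG_PREFIX = "k8s.io/etcd/"


def etcd_cluster_of(volume):
    """Return the etcd cluster name ("main", "events") a volume belongs to, or None."""
    for tag in volume.get("Tags", []):
        if tag["Key"].startswith(ETCD_TAG_PREFIX):
            return tag["Key"][len(ETCD_TAG_PREFIX):]
    return None


def audit_etcd_volumes(describe_output, expected_kms_key_arn=None):
    """Return (volume_id, etcd_cluster, problem) tuples for non-compliant etcd volumes.

    A volume is non-compliant if it is not encrypted, or, when expected_kms_key_arn is
    given, if it is encrypted with a different key (for example the account's default
    EBS key when a custom key was configured via kmsKeyId).
    """
    findings = []
    for vol in json.loads(describe_output)["Volumes"]:
        cluster = etcd_cluster_of(vol)
        if cluster is None:
            continue  # not an etcd volume; out of scope for this check
        if not vol.get("Encrypted", False):
            findings.append((vol["VolumeId"], cluster, "not encrypted"))
        elif expected_kms_key_arn and vol.get("KmsKeyId") != expected_kms_key_arn:
            findings.append((vol["VolumeId"], cluster,
                             "encrypted with unexpected key " + str(vol.get("KmsKeyId"))))
    return findings


if __name__ == "__main__":
    # In practice, feed in the real output of `aws ec2 describe-volumes` filtered to
    # the cluster (e.g. on the KubernetesCluster tag) instead of the sample above.
    for finding in audit_etcd_volumes(SAMPLE_DESCRIBE_VOLUMES, expected_kms_key_arn=CUSTOM_KEY_ARN):
        print("%s (%s): %s" % finding)
```

Run it without `expected_kms_key_arn` after the default-key procedure, where any encryption is acceptable; pass the ARN from `kmsKeyId` after the custom-key procedure, so that a volume silently encrypted with the default key is reported as well.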