website/content/en/docs/reference/config-api/apiserver-encryption.v1.md

title	content_type	package	auto_generated
kube-apiserver Encryption Configuration (v1)	tool-reference	apiserver.config.k8s.io/v1	true

Package v1 is the v1 version of the API.

Resource Types

• EncryptionConfiguration

EncryptionConfiguration

EncryptionConfiguration stores the complete configuration for encryption providers.

Field	Description
apiVersion string	apiserver.config.k8s.io/v1
kind string	EncryptionConfiguration
resources [Required] []ResourceConfiguration	resources is a list containing resources, and their corresponding encryption providers.

AESConfiguration

Appears in:

• ProviderConfiguration

AESConfiguration contains the API configuration for an AES transformer.

Field	Description
keys [Required] []Key	keys is a list of keys to be used for creating the AES transformer. Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.

IdentityConfiguration

Appears in:

• ProviderConfiguration

IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.

KMSConfiguration

Appears in:

• ProviderConfiguration

KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.

Field	Description
name [Required] string	name is the name of the KMS plugin to be used.
cachesize int32	cachesize is the maximum number of secrets which are cached in memory. The default value is 1000. Set to a negative value to disable caching.
endpoint [Required] string	endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
timeout meta/v1.Duration	timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.

Key

Appears in:

• AESConfiguration

• SecretboxConfiguration

Key contains name and secret of the provided key for a transformer.

Field	Description
name [Required] string	name is the name of the key to be used while storing data to disk.
secret [Required] string	secret is the actual key, encoded in base64.

ProviderConfiguration

Appears in:

• ResourceConfiguration

ProviderConfiguration stores the provided configuration for an encryption provider.

Field	Description
aesgcm [Required] AESConfiguration	aesgcm is the configuration for the AES-GCM transformer.
aescbc [Required] AESConfiguration	aescbc is the configuration for the AES-CBC transformer.
secretbox [Required] SecretboxConfiguration	secretbox is the configuration for the Secretbox based transformer.
identity [Required] IdentityConfiguration	identity is the (empty) configuration for the identity transformer.
kms [Required] KMSConfiguration	kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.

ResourceConfiguration

Appears in:

• EncryptionConfiguration

ResourceConfiguration stores per resource configuration.

Field	Description
resources [Required] []string	resources is a list of kubernetes resources which have to be encrypted.
providers [Required] []ProviderConfiguration	providers is a list of transformers to be used for reading and writing the resources to disk. eg: aesgcm, aescbc, secretbox, identity.

SecretboxConfiguration

Appears in:

• ProviderConfiguration

SecretboxConfiguration contains the API configuration for an Secretbox transformer.

Field	Description
keys [Required] []Key	keys is a list of keys to be used for creating the Secretbox transformer. Each key has to be 32 bytes long.