Skip to content
/ k8s-gcp-secret-manager-plugin Public

Kubernetes encryption configuration KMS provider using GCP Secret Manager

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ymchun/k8s-gcp-secret-manager-plugin

BranchesTags

Repository files navigation

k8s-gcp-secret-manager-plugin

Build Status

KMS provider for Kubernetes encryption configuration using GCP Secret Manager

Prerequisite

  • You have created a secret and store it into GCP Secret Manager.
  • You have a JSON format credentials file of a service account with proper role permission.
    • Required Roles:
      • Secret Manager Secret Accessor
      • Secret Manager Viewer

Install as a Linux service

[Unit]
Description=K8S GCP Secret Manager Plugin
After=network-online.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=on-failure
RestartSec=1
User=root
ExecStart=/bin/k8splugin -credentials path/to/gcp/credentials/file -key-uri projects/project-id/secrets/my-key-name/versions/1
SyslogIdentifier=k8splugin

[Install]
WantedBy=multi-user.target
  1. Create a new file called k8splugin.service with the following content:
  2. Put the file to path /etc/systemd/system/k8splugin.service
  3. Start the service systemctl start k8splugin
  4. Start the service on boot systemctl enable k8splugin

Command line arguments

Example command:

$ k8splugin -credentials path/to/gcp/credentials/file -key-uri projects/project-id/secrets/my-key-name/versions/1

Arguments:

-alsologtostderr
    log to standard error as well as files

-credentials string
    Path to GCP Secret Manager service account credentials JSON file

-key-uri projects/*/secrets/*/versions/*
    Resource ID of the secret in the format projects/*/secrets/*/versions/*

-log_backtrace_at value
    when logging hits line file:N, emit a stack trace

-log_dir string
    If non-empty, write log files in this directory

-logtostderr
    log to standard error instead of files

-stderrthreshold value
    logs at or above this threshold go to stderr

-unix-socket string
    Full path to Unix socket that is used for communicating with KubeAPI Server,
    or Linux socket namespace object - must start with @ (default "/var/run/k8splugin.sock")

-v value
    log level for V logs

-vmodule value
    comma-separated list of pattern=N settings for file-filtered logging

Configuration (For more detail, see Learn more section)

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: GCPSecretManager
          # this should match your k8splugin socket path
          # set with -unix-socket or default: /var/run/k8splugin.sock
          endpoint: unix:///var/run/k8splugin.sock
          cachesize: 10
          timeout: 3s
      - identity: {}
  1. Create a new encryption configuration file using the appropriate properties for the kms provider:
  2. Set the --encryption-provider-config=path-to-yaml-file flag on the kube-apiserver to point to the location of the configuration file.
  3. Restart your API server.

Learn more

About

Kubernetes encryption configuration KMS provider using GCP Secret Manager

Topics

secret gcp k8s kms-provider encryption-configuration

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages