I just updated the "kube-apiserver.yaml" just as you showed in the video. How much downtime is estimated for the nodes to be back?
2 to 5 minutes max (if all is good with the configuration)
Hope I understood it wrong, but during the KMS decryption section you mentioned that a user uses the KMS CMK to generate another plaintext DEK to decrypt the ciphertext data. Based on my knowledge, the encrypted DEK stored with the ciphertext is sent to KMS to be decrypted and is then used in the decryption process.
Yes, you are correct... during decryption, the encrypted DEK will be sent to KMS to generate the plaintext DEK. Thanks
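The decryption flow agreed on in this exchange, written out as an added Go example (not code from the video or its author): a stand-in KMS (`fakeKMS`, a hypothetical name) keeps the KEK/CMK to itself, hands out a plaintext DEK plus the wrapped DEK at encryption time, and at decryption time receives only the stored wrapped DEK and returns the plaintext DEK. All function names and the sample secret are constructed for the example; AES-256-GCM from Go's standard library stands in for whatever algorithms a real KMS uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS stands in for a KMS holding the customer master key (CMK / KEK).
// Like a real KMS it never hands the KEK out; callers only ever get data keys.
type fakeKMS struct{ kek []byte }

func newFakeKMS() (*fakeKMS, error) {
	kek := make([]byte, 32) // AES-256 key that never leaves the "KMS"
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &fakeKMS{kek: kek}, nil
}

// aeadFor builds an AES-256-GCM AEAD for a raw 32-byte key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under key with a fresh random nonce; output is nonce||ct||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a tampered blob fails the GCM tag check.
func open(key, blob []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// GenerateDataKey mirrors the KMS call made at encryption time: a fresh
// plaintext DEK plus the same DEK wrapped (encrypted) under the KEK.
func (k *fakeKMS) GenerateDataKey() (plainDEK, wrappedDEK []byte, err error) {
	plainDEK = make([]byte, 32)
	if _, err = rand.Read(plainDEK); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = seal(k.kek, plainDEK)
	return plainDEK, wrappedDEK, err
}

// Decrypt mirrors the KMS call made at decryption time: the stored wrapped DEK
// goes to the KMS, which unwraps it with the KEK and returns the plaintext DEK.
func (k *fakeKMS) Decrypt(wrappedDEK []byte) ([]byte, error) {
	return open(k.kek, wrappedDEK)
}

// Envelope is what gets persisted (e.g. in etcd): the data ciphertext plus
// the wrapped DEK. No plaintext key is stored alongside the data.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptSecret performs envelope encryption; the plaintext DEK is dropped.
func EncryptSecret(kms *fakeKMS, secret []byte) (Envelope, error) {
	plainDEK, wrappedDEK, err := kms.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(plainDEK, secret)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrappedDEK, Ciphertext: ct}, nil
}

// DecryptSecret sends only the wrapped DEK to the KMS, then decrypts locally.
func DecryptSecret(kms *fakeKMS, env Envelope) ([]byte, error) {
	plainDEK, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("kms unwrap of DEK failed: %w", err)
	}
	return open(plainDEK, env.Ciphertext)
}

func main() {
	kms, err := newFakeKMS()
	if err != nil {
		panic(err)
	}
	env, err := EncryptSecret(kms, []byte("db-password: s3cr3t")) // constructed sample
	if err != nil {
		panic(err)
	}
	got, err := DecryptSecret(kms, env)
	fmt.Printf("recovered %q, err=%v\n", got, err)
}
```

The point to notice is what crosses the boundary: at decryption time only `env.WrappedDEK` is sent to the KMS and only the plaintext DEK comes back; the KEK itself is never exposed, and a wrapped DEK produced under one KEK cannot be unwrapped by a KMS holding a different one.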
Thanks for the useful video. Can I know how to use the same method for AWS EKS, where we don't have access to the API server and etcd?
Good question... for such AWS EKS managed services we have to use AWS-provided architectures to use AWS Secrets Manager using IAM & Secrets Store CSI or so (please have a look at my video on CSI inline volumes).
There is another simple way also: you can access secrets from EKS cluster pods using IAM roles.
Slack link in the description is not working.
Could you provide the new link?
Please use the new link I just updated in the description.
Is it possible to integrate Vault here?? Is that recommended??
To achieve this you need a Vault KMS provider for Kubernetes... I can see a few, i.e. by Oracle & Ondat:
github.com/oracle/kubernetes-vault-kms-plugin
www.ondat.io/webinars/secure-all-your-k8s-secrets-with-a-kms-provider-plugin-and-hashicorp-vault
Sorry, I don't have much more information on this. However, once KMS v2 goes GA there will be many providers for sure.
@learnwithgvr thanks for your reply sir ♥️
Could you do a video on External Secrets Operator syncing with k8s?
Good topic. Sure, will try.
@learnwithgvr AWS SSM and Vault also we can use for that, I guess.
@learnwithgvr could you please do a video? There are only a few videos out there on this.