ETCD Encryption Config

The spec.kubernetes.kubeAPIServer.encryptionConfig field in the Shoot API allows users to customize encryption configurations for the API server. It provides options to specify additional resources for encryption beyond secrets.

Usage Guidelines

• The resources field can be used to specify resources that should be encrypted in addition to secrets. Secrets are always encrypted.
  • Each item is a Kubernetes resource name in plural (resource or resource.group). Wild cards are not supported.
  • Adding an item to this list will cause patch requests for all the resources of that kind to encrypt them in the etcd. See Encrypting Confidential Data at Rest for more details.
  • Removing an item from this list will cause patch requests for all the resources of that type to decrypt and rewrite the resource as plain text. See Decrypt Confidential Data that is Already Encrypted at Rest for more details.
• The provider field specifies which provider type is used for encryption.
  • Supported provider types:
    • aescbc
    • aesgcm
    • secretbox
  • The default encryption provider is aescbc.
  • This field is immutable.
  • Only newly created Shoots can specify the aesgcm and secretbox encryption providers.
  • Important for aesgcm: The aesgcm provider uses 96-bit IVs (nonces), and per NIST SP 800-38D, the total number of encryption invocations with a given key should not exceed 2³². To mitigate the risk of nonce collisions, Gardener defaults and requires ETCD encryption key auto-rotation to be enabled. By default, the rotation period is set to 28 days for newly created Shoots. The maximum allowed rotation period for aesgcm is 90 days.

Example Usage in a Shoot

spec:
  kubernetes:
    kubeAPIServer:
      encryptionConfig:
        resources:
          - configmaps
          - statefulsets.apps
          - customresource.fancyoperator.io
        provider:
          type: "aesgcm"