Kubernetes-native encryption
By default, the payload of an object written to etcd is not encrypted: the base64 you see in a Secret's data field is an encoding, not encryption, and anyone who can read the etcd datastore, its snapshots or its backups can recover the plaintext in a single decoding step. Encrypting the payload therefore complements the protection mechanisms described above (transport encryption, authentication and authorization in front of etcd); it does not replace them!
Interestingly enough, we have established that our Kubernetes key-value store, also known as etcd, does not provide any encryption capability of its own except for the networking part (TLS between clients and peers), so data at rest is stored as the API server hands it over. Nor does Kubernetes itself ship a key management service with the key lifecycle, access policy and audit features that a dedicated KMS such as HashiCorp Vault or Azure Key Vault provides.
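A practical way to confirm the point above is to look at the raw value kube-apiserver wrote for a Secret and check whether it carries an encryption envelope. When one of the encryption-at-rest providers is active, kube-apiserver prefixes each stored value with `k8s:enc:<provider>:v<N>:<key name>:`; without a provider the value is stored as-is. The following Python snippet is an added example for this page, not code from Kubernetes or from the book: it classifies raw etcd values by that prefix and, for an unencrypted JSON-serialised Secret, decodes the base64 `data` field to show how little the encoding protects. The sample values are constructed stand-ins for `etcdctl get` output, and the JSON serialisation is assumed for the sample (kube-apiserver's default storage media type is protobuf, which is equally unencrypted but not base64-wrapped).

```python
import base64
import json
import re
from typing import Dict, Optional

# Envelope prefix that kube-apiserver's encryption-at-rest providers prepend to
# every value they write to etcd, e.g. "k8s:enc:aescbc:v1:key1:" or
# "k8s:enc:kms:v2:myplugin:". The plaintext "identity" provider writes no prefix.
ENVELOPE = re.compile(rb"^k8s:enc:(?P<provider>[a-z0-9]+):v(?P<version>\d+):(?P<name>[^:]+):")


def classify_etcd_value(raw: bytes) -> Dict[str, object]:
    """Report whether a raw etcd value was written through an encryption provider."""
    m = ENVELOPE.match(raw)
    if m:
        return {
            "encrypted": True,
            "provider": m["provider"].decode(),
            "version": int(m["version"]),
            "key_name": m["name"].decode(),
        }
    return {"encrypted": False, "provider": "identity", "version": None, "key_name": None}


def recover_plaintext_secret(raw: bytes) -> Optional[Dict[str, str]]:
    """If the value is an unencrypted, JSON-serialised Secret, return its decoded data.

    Returns None for encrypted values and for anything that is not a JSON Secret
    (protobuf-serialised objects are deliberately not parsed here).
    """
    if classify_etcd_value(raw)["encrypted"]:
        return None
    try:
        obj = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(obj, dict) or obj.get("kind") != "Secret":
        return None
    # base64 is reversible by anyone holding the bytes: this is the whole point.
    return {k: base64.b64decode(v).decode() for k, v in obj.get("data", {}).items()}


# Constructed sample values standing in for `etcdctl get /registry/secrets/default/db`.
SAMPLE_PLAINTEXT = json.dumps({
    "kind": "Secret",
    "apiVersion": "v1",
    "metadata": {"name": "db", "namespace": "default"},
    "data": {"password": base64.b64encode(b"s3cr3t-pa55").decode()},
}).encode()

# Ciphertext bytes after the envelope are a placeholder; only the prefix matters here.
SAMPLE_ENCRYPTED = b"k8s:enc:aescbc:v1:key1:" + bytes(range(32))


if __name__ == "__main__":
    for label, raw in (("plaintext", SAMPLE_PLAINTEXT), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, classify_etcd_value(raw), recover_plaintext_secret(raw))
```

On a real cluster the same check is done by dumping one key with `etcdctl` (using the API server's client certificates) and looking for the `k8s:enc:` prefix; an absent prefix means the object is readable by anyone who obtains the datastore or a backup of it.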
However, the Kubernetes project has designed an encryption-at-rest framework (including a KMS provider interface) within kube-apiserver, the component that validates and configures data for the API objects before it is persisted to etcd. It is enabled by pointing kube-apiserver at an EncryptionConfiguration file through the --encryption-provider-config flag, and it can leverage one of the following encryption providers: