Wednesday, October 10, 2018

BYOK to encrypt Kubernetes secrets on IBM Cloud

Add Key Protect
A few days ago it was announced that IBM Cloud Key Protect integrates with the IBM Cloud Kubernetes Service. This means that cluster secrets such as service credentials, TLS certificate information and other confidential data can be encrypted using a managed root key. That root key is either generated by Key Protect or imported by you (bring your own key, BYOK). What needs to be done to wrap this additional layer of security around your cluster? Read on.

Adding Key Protect to your Kubernetes Cluster

Enabling a cluster to use an existing Key Protect instance can be done in the IBM Cloud console or on the command line. In the console, go to the Kubernetes cluster overview, select a cluster, and in the overview section there should be a new button to enable Key Protect:
Enable Key Protect for Kubernetes

You are guided through picking a Key Protect service instance and a root key (assuming you already have both). On the command line, there is a new subcommand in the Kubernetes service plugin to enable Key Protect. The help option has links explaining how to obtain the parameter values:

ibmcloud ks key-protect-enable --cluster henrik-cluster01-de --key-protect-url keyprotect.us-south.bluemix.net --key-protect-instance cc286-a6a0-3e0de0f33b12 --crk 5aac9fe7-3f87-4333-a8858

Finding out that Key Protect is enabled

After you have enabled a cluster to use Key Protect, the next obvious question is how to prove it. How do you find out that it is indeed turned on? In the console, go to the cluster information again:
Key Protect is enabled
Using the Update link you can change the Key Protect configuration. On the command line, fetch the cluster information:
ibmcloud ks cluster-get henrik-cluster01-de --json

The "--json" flag is handy for scripting in toolchains.
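As an added example of that scripting use (my illustration, not IBM's code), here is a small pipeline gate that parses the cluster JSON and fails the build unless Key Protect is reported as enabled. It assumes the JSON carries a boolean field named keyProtectEnabled; check the field name against your CLI version's output.

```python
"""Toolchain gate: fail unless the cluster reports Key Protect as enabled.

Added example, not IBM's code. It assumes the output of
`ibmcloud ks cluster-get <cluster> --json` contains a boolean field
named "keyProtectEnabled" (assumption; verify against your CLI version).
"""
import json
import subprocess
import sys

KP_FIELD = "keyProtectEnabled"  # assumed field name in the cluster JSON

# Constructed sample outputs (not captured from a real cluster) for offline testing.
SAMPLE_ENABLED = '{"name": "henrik-cluster01-de", "state": "normal", "keyProtectEnabled": true}'
SAMPLE_DISABLED = '{"name": "henrik-cluster01-de", "state": "normal"}'


def key_protect_enabled(cluster_json: str) -> bool:
    """Return True only when the JSON explicitly reports Key Protect as on.

    A missing field, or a value that is not the boolean true (for example the
    string "true"), counts as not enabled, so the gate fails closed when the
    output shape is not what we expect.
    """
    data = json.loads(cluster_json)
    return data.get(KP_FIELD) is True


def fetch_cluster_json(cluster: str) -> str:
    """Run the command from the post and return its raw JSON output."""
    return subprocess.check_output(
        ["ibmcloud", "ks", "cluster-get", cluster, "--json"], text=True
    )


def main(argv):
    if len(argv) != 2:
        print("usage: kp_gate.py <cluster-name-or-id>", file=sys.stderr)
        return 2
    if key_protect_enabled(fetch_cluster_json(argv[1])):
        print(f"{argv[1]}: Key Protect enabled")
        return 0
    print(f"{argv[1]}: Key Protect NOT enabled, failing the pipeline", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after the login and target steps; a non-zero exit stops the toolchain before anything is deployed to a cluster whose secrets are not encrypted with your key.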

Summary

Enabling Key Protect so that your keys are used to encrypt confidential data (secrets) in a Kubernetes cluster is easy. A few clicks or a single command add extra security and look nice in compliance audits... ;-)

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.