Adding Key Protect to your Kubernetes Cluster
Enabling a cluster to use an existing Key Protect instance can be done in the IBM Cloud console or on the command line. In the console, go to your Kubernetes clusters, select a cluster, and in the overview section you will find a new button to enable Key Protect:
(Screenshot: Enable Key Protect for Kubernetes)
You are guided through picking a Key Protect service and root key (assuming you already have both). On the command line, there is a new subcommand for the Kubernetes service plugin to enable Key Protect. The help option has links on how to obtain the parameter values:
ibmcloud ks key-protect-enable --cluster henrik-cluster01-de --key-protect-url keyprotect.us-south.bluemix.net --key-protect-instance cc286-a6a0-3e0de0f33b12 --crk 5aac9fe7-3f87-4333-a8858
Finding out that Key Protect is enabled
After you have enabled a cluster to use Key Protect, the next obvious question is how to prove it. How do you find out that it is indeed turned on? In the console, go to the cluster information again:
(Screenshot: Key Protect is enabled)
On the command line, retrieve the cluster details and look for the Key Protect information:
ibmcloud ks cluster-get henrik-cluster01-de --json
The "--json" flag is handy for scripting in toolchains.
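The following shell snippet is an added example, not code from the original post or from IBM, showing how a toolchain step could consume the JSON from `ibmcloud ks cluster-get --json` and fail closed unless Key Protect is verified as enabled. It assumes the cluster JSON carries a boolean field named `keyProtectEnabled` (the pattern also matches it when nested, for example under a `features` object); confirm the field name against the output of your CLI version. The sample responses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM: decide from the
# JSON that "ibmcloud ks cluster-get <cluster> --json" returns whether Key
# Protect is enabled, so a toolchain step can gate on it.
# ASSUMPTION: the cluster JSON carries a boolean field "keyProtectEnabled".
# Check the field name against the output of your CLI version before relying on it.

# Constructed sample responses standing in for the real CLI output.
SAMPLE_ENABLED='{"id":"abc123","name":"henrik-cluster01-de","state":"normal","keyProtectEnabled":true}'
SAMPLE_DISABLED='{"id":"abc123","name":"henrik-cluster01-de","state":"normal","keyProtectEnabled": false}'
SAMPLE_UNKNOWN='{"id":"abc123","name":"henrik-cluster01-de","state":"normal"}'

# Print "enabled", "disabled" or "unknown" for the cluster JSON given as $1.
# "unknown" (field absent) is deliberately distinct from "disabled": a missing
# field usually means an older CLI or a changed schema, not a verified state.
key_protect_status() {
    if printf '%s' "$1" | grep -Eq '"keyProtectEnabled"[[:space:]]*:[[:space:]]*true'; then
        echo enabled
    elif printf '%s' "$1" | grep -Eq '"keyProtectEnabled"[[:space:]]*:[[:space:]]*false'; then
        echo disabled
    else
        echo unknown
    fi
}

# Gate for a pipeline: succeed only on a verified "enabled"; anything else fails
# closed, so an unexpected schema cannot be mistaken for a protected cluster.
require_key_protect() {
    status=$(key_protect_status "$1")
    if [ "$status" = enabled ]; then
        echo "Key Protect is enabled for the cluster"
        return 0
    fi
    echo "Key Protect check failed: status is '$status'" >&2
    return 1
}

# Demo on the constructed samples. In a toolchain you would run instead:
#   require_key_protect "$(ibmcloud ks cluster-get "$CLUSTER" --json)"
for sample in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_UNKNOWN"; do
    printf 'status: %s\n' "$(key_protect_status "$sample")"
done
```

The three-way result matters for auditing: a pipeline that treats "field not found" as "disabled" would at least fail safely, but one that treats it as "enabled" would silently pass an unprotected cluster, which is why `require_key_protect` only accepts an explicit `true`.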
Summary
Enabling Key Protect so that your own keys are used to encrypt confidential data (Kubernetes secrets) in a cluster is easy. A few clicks or a single command add extra security and look nice in compliance audits... ;-)
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.