Information
Where etcd encryption is used, appropriate providers should be configured.
Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the aescbc kms and secretbox are likely to be appropriate options.
Solution
Follow the OpenShift documentation for
encrypting etcd data
.
Impact:
When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:
- Secrets
- ConfigMaps
- Routes
- OAuth access tokens
- OAuth authorize tokens
When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.