Let's assume that I have implemented encryption at rest using a KMS provider and have encrypted my secrets within etcd. Furthermore, let's assume that I have specified that secrets shall be mounted as files into the pods.
Are the secrets going to be stored encrypted inside the secrets file in the pod?
CodePudding user response:
The secret data is stored in encrypted form in etcd only. Upon retrieval the Kubernetes API server decrypts it before it is used downstream, which is the pod in your question. In general, encryption at rest encrypts upon write to the said storage medium and decrypts upon read. The pod is not the reader; the API server is.
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#verifying-that-data-is-encrypted
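To make the write/read boundary concrete, here is an added model of the three parties involved (KMS plugin, kube-apiserver, kubelet) in Python. It is example code written for this answer, not Kubernetes code: the cipher is a toy HMAC-SHA256 keystream standing in for the real envelope encryption, the etcd is a plain dict, the on-disk record layout is invented, and `ToyKms`, `ApiServer` and `Kubelet` are hypothetical names. Only the `k8s:enc:kms:v1:` prefix is taken from the linked documentation. What the model shows is that the bytes sitting in etcd are ciphertext, while the bytes the kubelet writes under the volume `mountPath` are plaintext, because decryption happened in the API server on read.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict

# Prefix kube-apiserver writes for KMS v1 resources (from the verification docs).
KMS_PREFIX = b"k8s:enc:kms:v1:"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); stands in for a real AEAD."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream.extend(hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyKms:
    """Stands in for the external KMS plugin: it wraps DEKs and never sees a Secret."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)  # key-encryption key that never leaves the "KMS"

    def encrypt_dek(self, dek: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + _keystream_xor(self._kek, nonce, dek)

    def decrypt_dek(self, wrapped: bytes) -> bytes:
        return _keystream_xor(self._kek, wrapped[:16], wrapped[16:])


class ApiServer:
    """Encrypts on write to etcd and decrypts on read; the only party that touches ciphertext."""

    def __init__(self, kms: ToyKms, etcd: Dict[str, bytes]) -> None:
        self.kms = kms
        self.etcd = etcd  # constructed stand-in for the etcd key space

    def create_secret(self, namespace: str, name: str, string_data: Dict[str, str]) -> str:
        obj = {
            "kind": "Secret",
            "metadata": {"namespace": namespace, "name": name},
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in string_data.items()},
        }
        plaintext = json.dumps(obj).encode()
        dek, nonce = os.urandom(32), os.urandom(16)   # fresh data-encryption key per write
        ciphertext = _keystream_xor(dek, nonce, plaintext)
        wrapped = self.kms.encrypt_dek(dek)             # envelope: DEK protected by the KMS
        # Invented record layout: prefix | len(wrapped) | wrapped DEK | nonce | ciphertext
        record = KMS_PREFIX + len(wrapped).to_bytes(2, "big") + wrapped + nonce + ciphertext
        key = f"/registry/secrets/{namespace}/{name}"
        self.etcd[key] = record
        return key

    def get_secret(self, namespace: str, name: str) -> dict:
        record = self.etcd[f"/registry/secrets/{namespace}/{name}"]
        if not record.startswith(KMS_PREFIX):
            raise ValueError("record is not KMS-encrypted (written before encryption was enabled?)")
        body = record[len(KMS_PREFIX):]
        wlen = int.from_bytes(body[:2], "big")
        wrapped, nonce, ciphertext = body[2:2 + wlen], body[2 + wlen:18 + wlen], body[18 + wlen:]
        dek = self.kms.decrypt_dek(wrapped)             # round trip to the KMS on read
        return json.loads(_keystream_xor(dek, nonce, ciphertext))


class Kubelet:
    """Receives the already-decrypted object and materialises it as files in the pod volume."""

    @staticmethod
    def mount_secret(api: ApiServer, namespace: str, name: str) -> Dict[str, bytes]:
        secret = api.get_secret(namespace, name)
        # Each key becomes one file under mountPath holding the base64-decoded value.
        return {k: base64.b64decode(v) for k, v in secret["data"].items()}


def etcd_record_is_encrypted(etcd: Dict[str, bytes], key: str, fragment: bytes) -> bool:
    """Mirror of the documented check: correct prefix present and no plaintext leaks through."""
    record = etcd[key]
    return record.startswith(KMS_PREFIX) and fragment not in record


def demo() -> dict:
    etcd: Dict[str, bytes] = {}
    api = ApiServer(ToyKms(), etcd)
    key = api.create_secret("default", "db-creds", {"password": "hunter2"})  # constructed value
    return {
        "at_rest_encrypted": etcd_record_is_encrypted(etcd, key, b"hunter2"),
        "pod_files": Kubelet.mount_secret(api, "default", "db-creds"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real cluster the equivalent of `etcd_record_is_encrypted` is the `etcdctl get /registry/secrets/<ns>/<name>` read from the linked page: the dump must start with the provider prefix and must not contain the secret's plaintext, while `kubectl get secret` and the files under the pod's `mountPath` show the decrypted value.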