Secret 加密配置
K3s 支持启用静态加密。首次启动 server 时,传递标志 --secrets-encryption 将自动执行以下操作:
-
生成 AES-CBC 密钥
-
使用密钥生成加密配置文件
-
将配置作为 encryption-provider-config 传递给 KubeAPI
|
如果不重新启动现有 server,则无法在其上启用 Secret 加密。 |
Choosing Encryption Provider
|
Version Gate
Available as of the April 2025 releases: v1.30.12+k3s1, v1.31.8+k3s1, v1.32.4+k3s1, v1.33.0+k3s1. |
Using the --secrets-encryption-provider flag, you can choose from the following K3s-supported encryption providers:
-
aescbc: AES-CBC with PKCS#7 padding. This is the default provider. -
secretbox: XSalsa20 and Poly1305
Generated encryption config file
When you start the server with --secrets-encryption, K3s will generate an encryption config file at /var/lib/rancher/k3s/server/cred/encryption-config.json.
Below is an example of the generated encryption config file with the default aescbc provider:
{
"kind": "EncryptionConfiguration",
"apiVersion": "apiserver.config.k8s.io/v1",
"resources": [
{
"resources": [
"secrets"
],
"providers": [
{
"aescbc": {
"keys": [
{
"name": "aescbckey",
"secret": "xxxxxxxxxxxxxxxxxxx"
}
]
}
},
{
"identity": {}
}
]
}
]
}Secret 加密工具
K3s 包含一个实用工具 secrets-encrypt,可以自动控制以下内容:
-
禁用/启用 Secret 加密
-
添加新的加密密钥
-
轮换和删除加密密钥
-
重新加密 Secret
有关详细信息,请参阅 k3s secrets-encrypt 命令文档。