Last modified October 12, 2017
This reference gives you details on security-related measures in a Giant Swarm installation.
Encryption of secrets
Secret encryption is ensured by running the Kubernetes api-server with the flag --experimental-encryption-provider-config. This means that all secrets are stored in Etcd in encrypted form and decrypted when accessed.
The 32-byte AES-CBC encryption key used is created by a custom management service (kubernetesd) during cluster creation. The operator component that creates the cluster retrieves this encryption key and provides it to the EncryptionConfig resource for
To learn more about secret encryption, look up Encrypting data at rest in the official Kubernetes documentation.
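As an added example, not part of this page or of Giant Swarm's own tooling, the POSIX shell script below shows the shape of the EncryptionConfig file that the --experimental-encryption-provider-config flag points at, generates a fresh 32-byte key for the aescbc provider, and includes a small check an operator can run on a raw value read back from Etcd to confirm it carries the aescbc envelope prefix rather than plaintext. The key name key1, the temporary config path, the etcdctl invocation in the comment and the two sample Etcd values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build an EncryptionConfig for the kube-apiserver flag
# --experimental-encryption-provider-config and check that a value read
# back from etcd is wrapped in the aescbc envelope. Not Giant Swarm code.

# Generate a 32-byte random key, base64-encoded, as the aescbc provider expects.
gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# A 32-byte key base64-encodes to exactly 44 characters (one '=' of padding).
key_len_ok() {
    [ "${#1}" -eq 44 ]
}

# Write an EncryptionConfig to $1 using key name $2 and base64 key $3.
# The aescbc provider is listed first so new writes are encrypted; the
# trailing identity provider lets the api-server still read secrets that
# were stored before encryption was turned on.
write_encryption_config() {
    cat > "$1" <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: $2
              secret: $3
      - identity: {}
EOF
}

# Exit 0 when a raw etcd value starts with the envelope prefix the aescbc
# provider writes; a plaintext JSON or protobuf Secret does not match.
# In a real cluster the value would come from something like (assumed path):
#   ETCDCTL_API=3 etcdctl get /registry/secrets/default/mysecret
is_encrypted() {
    case "$1" in
        k8s:enc:aescbc:v1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo run: write a config into a temp file and classify two constructed values.
demo() {
    key=$(gen_key)
    cfg=$(mktemp)
    write_encryption_config "$cfg" key1 "$key"
    if key_len_ok "$key"; then len=ok; else len=bad; fi
    echo "wrote EncryptionConfig to $cfg (key length: $len)"
    # Constructed sample values, not real etcd contents.
    for v in 'k8s:enc:aescbc:v1:key1:AAAAAAAAAAAAAAAAAAAAAA' '{"kind":"Secret","apiVersion":"v1"}'; do
        if is_encrypted "$v"; then echo "encrypted: $v"; else echo "plaintext: $v"; fi
    done
    rm -f "$cfg"
}

demo
```

The identity provider at the end of the list matters in practice: without it, secrets written before the flag was enabled become unreadable until they are rewritten, so a rollout normally keeps it until every existing secret has been re-saved under the aescbc key.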
This section applies to AWS-based installations only.
Encryption of local storage
Non-persistent volumes as well as docker images and logs are stored under /var/lib/docker. On AWS, /var/lib/docker is an Elastic Block Storage (EBS) volume. This volume is encrypted via AWS EBS Encryption. The key is created, stored and deleted using AWS Key Management Service (KMS).
Encryption of persistent storage
Persistent storage is managed by the StorageClass resource in Kubernetes. By default, the StorageClass provisions Elastic Block Storage (EBS) volumes. These volumes are encrypted via AWS EBS Encryption. The key is created, stored and deleted using AWS Key Management Service (KMS).