A small tip


Enabling secrets encryption in EKS

EKS can enable encryption of the secrets stored in the cluster. This feature helps you meet compliance requirements, and it needs no manual intervention from the user once it is on.

Using it is simple: a user who has the CreateGrant permission can enable it for the EKS cluster.
After it is enabled you will see a CreateGrant event in CloudTrail; from that point on, any secret created with kubectl is encrypted automatically.
The pitfall is that you must not delete this key, and you must not manually revoke this grant; otherwise, even after adding it back, encryption will no longer work. I suspect this is related to envelope encryption or to EKS caching the master key, but I have not verified it.
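Because the key and its grant cannot be safely removed, a defender would rather detect the condition before it breaks secret writes. The check below is an added example, not code from the post: it evaluates the response shapes of eks:DescribeCluster, kms:DescribeKey and kms:ListGrants (sample inputs are constructed with placeholder ids), and fetch_inputs() pulls live data via boto3 when the library and credentials are available.

```python
from __future__ import annotations

try:
    import boto3  # only needed by fetch_inputs(); the checks themselves are pure Python
except ImportError:
    boto3 = None

REQUIRED_OPS = {"Encrypt", "Decrypt"}  # operations the apiserver's KMS plugin needs on the key

def key_arn_of(cluster: dict) -> str | None:
    """Return the KMS key ARN that encrypts 'secrets' (eks:DescribeCluster shape), else None."""
    for cfg in cluster.get("cluster", {}).get("encryptionConfig", []):
        if "secrets" in cfg.get("resources", []):
            return cfg.get("provider", {}).get("keyArn")
    return None

def assess(cluster: dict, key_meta: dict, grants: list[dict]) -> list[str]:
    """Return findings about the key/grant pair; an empty list means nothing is wrong."""
    key_arn = key_arn_of(cluster)
    if key_arn is None:
        return ["secrets encryption is not enabled on this cluster"]
    findings = []
    meta = key_meta.get("KeyMetadata", {})  # kms:DescribeKey shape
    if meta.get("KeyState") != "Enabled":
        findings.append(f"key state is {meta.get('KeyState')!r}, not 'Enabled'")
    if meta.get("DeletionDate") is not None:
        findings.append("key is scheduled for deletion; cancel it before the waiting period ends")
    # The post's pitfall: once the grant is revoked, secrets can no longer be written and a
    # hand-made replacement grant did not restore service, so only alert here, never repair.
    if not any(REQUIRED_OPS <= set(g.get("Operations", [])) for g in grants):
        findings.append(f"no grant on {key_arn} covers {sorted(REQUIRED_OPS)}")
    return findings

def fetch_inputs(cluster_name: str, region: str) -> tuple[dict, dict, list[dict]]:
    """Collect the three API responses for a live cluster (needs boto3 and AWS credentials)."""
    eks = boto3.client("eks", region_name=region)
    kms = boto3.client("kms", region_name=region)
    cluster = eks.describe_cluster(name=cluster_name)
    key_arn = key_arn_of(cluster)
    if key_arn is None:
        return cluster, {}, []
    return cluster, kms.describe_key(KeyId=key_arn), kms.list_grants(KeyId=key_arn)["Grants"]

# Constructed sample inputs (placeholder account id and key id, not from the post).
SAMPLE_CLUSTER = {"cluster": {"encryptionConfig": [{"resources": ["secrets"], "provider": {
    "keyArn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}}]}}
SAMPLE_KEY = {"KeyMetadata": {"KeyState": "Enabled"}}
SAMPLE_GRANTS = [{"GrantId": "example-grant", "Operations": ["Encrypt", "Decrypt", "DescribeKey"]}]
```

Run `assess(*fetch_inputs("my-cluster", "us-east-1"))` on a schedule and alert on any non-empty result; matching the surviving GrantId against the CreateGrant CloudTrail event recorded at enablement tells you whether the grant is still the original one.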

After deleting the grant, creating a new secret fails with the following error (an existing secret can still be read):

[ec2-user@ip-10-0-0-34 ~]$ k create secret generic --from-literal i=b testi
error: failed to create secret Internal error occurred: rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: Error while dialing dial unix /var/run/kmsplugin/socket.sock: connect: no such file or directory"
[ec2-user@ip-10-0-0-34 ~]$ k get secrets testh -o yaml
apiVersion: v1
data:
  h: Yg==
kind: Secret
metadata:
  creationTimestamp: "2023-05-06T10:06:50Z"
  name: testh
  namespace: default
  resourceVersion: "82014"
  uid: 8ce8f4e0-c266-4ae7-b42b-27e24821415e
type: Opaque

After manually adding that grant back, the error changes to the following:

[ec2-user@ip-10-0-0-34 ~]$ k create secret generic --from-literal i=b testi
error: failed to create secret Internal error occurred: rpc error: code = Unknown desc = failed to encrypt AccessDeniedException:
        status code: 400, request id: 2221568f-8f6e-44ce-ac5f-fcd34a571548

Off topic: the command for decoding a certificate from EKS

echo -n "<base64-encoded certificate>" | base64 -d | openssl x509 -text -noout

Author: Felix Li
Copyright notice: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Felix Li as the source when reposting!