KMS plugin support for MKE

Mirantis Kubernetes Engine (MKE) 3.2.5 adds support for a Key Management Service (KMS) plugin to allow access to third-party secrets management solutions, such as Vault. This plugin is used by MKE for access from Kubernetes clusters.

Deployment

KMS must be deployed before a machine becomes an MKE manager; otherwise, the machine may be considered unhealthy. MKE will not health check, clean up, or otherwise manage the KMS plugin.

Configuration

KMS plugin configuration should be done through MKE. MKE will maintain ownership of the Kubernetes EncryptionConfig file, where the KMS plugin is configured for Kubernetes. MKE does not currently check this file’s contents after deployment.

MKE adds new configuration options to the cluster configuration table. These options are not exposed through the web UI, but can be configured via the API.

The following table shows the configuration options for the KMS plugin. These options are not required.

| Parameter | Type | Description |
|-----------|------|-------------|
| kms_enabled | bool | Determines if MKE should configure a KMS plugin. |
| kms_name | string | Name of the KMS plugin resource (for example, “vault”). |
| kms_endpoint | string | Path of the KMS plugin socket. This path must refer to a UNIX socket on the host (for example, “/tmp/socketfile.sock”). MKE will bind mount this file to make it accessible to the API server. |
| kms_cachesize | int | Number of data encryption keys (DEKs) to be cached in the clear. |
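
Because MKE neither health checks the plugin nor re-checks the configuration after deployment, the options in the table above can be validated on the host before they are submitted. The following is an added example, not MKE or Mirantis code: the function `check_kms_options`, its messages, and the world-writable-directory test are assumptions of this example, and the sample values are constructed.

```python
import os
import socket
import stat
import tempfile

# Python types for the four options in the table above.
KMS_OPTION_TYPES = {"kms_enabled": bool, "kms_name": str,
                    "kms_endpoint": str, "kms_cachesize": int}


def check_kms_options(opts):
    """Return a list of problems in a dict of KMS options (empty list = OK)."""
    problems = [f"{key}: expected {typ.__name__}"
                for key, typ in KMS_OPTION_TYPES.items()
                if key in opts and type(opts[key]) is not typ]
    if problems or not opts.get("kms_enabled"):
        return problems  # plugin disabled or mistyped: nothing more to check
    if not opts.get("kms_name"):
        problems.append("kms_name: empty while kms_enabled is true")
    path = opts.get("kms_endpoint", "")
    if not os.path.isabs(path):
        return problems + ["kms_endpoint: not an absolute host path"]
    try:
        mode = os.stat(path).st_mode
    except OSError:
        # MKE does not deploy or health check the plugin, so it must exist first.
        return problems + ["kms_endpoint: path does not exist on this host"]
    if not stat.S_ISSOCK(mode):
        problems.append("kms_endpoint: not a UNIX socket")
    # Extra hardening check (an assumption of this example, not an MKE rule):
    # in a world-writable directory another local user could create the path
    # before the plugin does.
    if os.stat(os.path.dirname(path)).st_mode & stat.S_IWOTH:
        problems.append("kms_endpoint: parent directory is world-writable")
    return problems


if __name__ == "__main__":
    # Constructed sample: a throwaway socket in a private temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "kms.sock")
        with socket.socket(socket.AF_UNIX) as srv:
            srv.bind(sock_path)
            sample = {"kms_enabled": True, "kms_name": "vault",
                      "kms_endpoint": sock_path, "kms_cachesize": 1000}
            print(check_kms_options(sample) or "OK")
```

Run it on each prospective manager node after the KMS plugin is deployed and before the node is promoted.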

See also

Kubernetes