Configure KMS plugin for MKE
Mirantis Kubernetes Engine (MKE) offers support for a Key Management Service (KMS) plugin that allows access to third-party secrets management solutions, such as Vault. MKE uses this plugin to facilitate access from Kubernetes clusters.
MKE does not health check, clean up, or otherwise manage the KMS plugin. You must therefore deploy the KMS plugin before a machine becomes an MKE manager; otherwise the manager may be considered unhealthy.
Configuration
Configure the KMS plugin through MKE. MKE maintains ownership of the Kubernetes EncryptionConfig file, in which the KMS plugin is configured for Kubernetes. MKE does not check the file contents after deployment.
MKE adds new configuration options to the cluster configuration table. Configuration of these options takes place through the API and not the MKE web UI.
The following table presents the configuration options for the KMS plugin, all of which are optional.
Parameter | Type | Description
---|---|---
 | bool | Sets MKE to configure a KMS plugin.
 | string | Name of the KMS plugin resource (for example,
 | string | Path of the KMS plugin socket. The path must refer to a UNIX socket on the host (for example,
kms_cachesize | int | Number of data encryption keys (DEKs) to cache in the clear.
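As an added illustration (not MKE's own code, and not the format of MKE's configuration API), the following Python shows what a Kubernetes EncryptionConfiguration carrying a KMS provider contains, built from the three plugin settings the table describes (plugin name, socket endpoint, cache size), plus the pre-flight check a practitioner would run before a node joins as a manager, since MKE neither waits for nor health checks the plugin socket. The function names and the `3s` timeout are assumptions.

```python
"""Added example: KMS plugin settings -> Kubernetes EncryptionConfiguration,
plus a pre-flight check that the plugin socket already exists on the host."""
import os
import socket
import stat
import tempfile


def kms_encryption_config(name, endpoint, cachesize, resources=("secrets",)):
    """Build the EncryptionConfiguration document for a KMS provider.
    An 'identity' provider is appended last so objects written before
    encryption was enabled remain readable (standard Kubernetes practice)."""
    if not endpoint.startswith("unix://"):
        raise ValueError("KMS endpoint must be a unix:// socket URL")
    if cachesize <= 0:
        raise ValueError("cachesize must be a positive number of DEKs")
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [{
            "resources": list(resources),
            "providers": [
                {"kms": {"name": name, "endpoint": endpoint,
                         "cachesize": cachesize, "timeout": "3s"}},  # timeout assumed
                {"identity": {}},
            ],
        }],
    }


def kms_socket_ready(endpoint):
    """Pre-flight check: True only if the endpoint path is an existing UNIX socket."""
    path = endpoint[len("unix://"):]
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def self_check():
    """Constructed scenario: check before and after a plugin socket is bound."""
    path = os.path.join(tempfile.mkdtemp(), "kms-plugin.sock")  # constructed path
    before = kms_socket_ready("unix://" + path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)  # stands in for the real plugin creating its socket
    after = kms_socket_ready("unix://" + path)
    srv.close()
    return before, after
```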