OpenShift / RHEL / DevSecOps Collected Index
Note: the steps in this article have been verified in an OpenShift 4.14 environment.
When OpenShift encrypts the etcd database it encrypts only the values, not the keys. Resource types, namespaces and object names are part of the key, so they remain unencrypted in etcd.
$ oc edit apiserver
spec:
  encryption:
    type: aesgcm
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
EncryptionInProgress
Resource routes.route.openshift.io is being encrypted
Encryption has finished when the command returns the following:
EncryptionCompleted
All resources encrypted: routes.route.openshift.io
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
EncryptionCompleted
All resources encrypted: secrets, configmaps
Running strings over a copy of the etcd database file (here copied to ~/db) shows the keys in clear text, while the values that follow them carry the k8s:enc:aesgcm:v1: prefix and are unreadable:
$ strings ~/db | grep my-secret -A 10
-/kubernetes.io/secrets/pod-security/my-secret
k8s:enc:aesgcm:v1:1:
fB/7J
JzCF6
A/kubernetes.io/secrets/pod-security/sa-privileged-dockercfg-6f4hv
sk8s:enc:aesgcm:v1:1:
]_ZodzH
1xse
,t]Fm
5EWg
a?~(
To turn encryption off again, set the encryption type back to identity in the same apiserver resource:
spec:
  encryption:
    type: identity
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
DecryptionInProgress
Encryption mode set to identity and decryption is not finished
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
DecryptionCompleted
Encryption mode set to identity and everything is decrypted
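The status checks above have to be repeated by hand until the reason changes from InProgress to Completed. The following helper, added here and not part of the original article, classifies the "reason / message" pair printed by the page's jsonpath query and polls it until the Encrypted condition settles; the 30-second poll interval and the 30-minute default timeout are assumptions, not documented values.

```shell
#!/bin/sh
# Added example (not from the original article): decide from the "<reason>\n<message>"
# text that the oc jsonpath query on this page prints whether the Encrypted
# condition has settled, and poll until it does.
# Exit status of encryption_state: 0 = finished (EncryptionCompleted or
# DecryptionCompleted), 1 = still running, 2 = unexpected or empty reason.
encryption_state() {
  reason=$(printf '%s\n' "$1" | head -n 1)
  case "$reason" in
    EncryptionCompleted|DecryptionCompleted) return 0 ;;
    EncryptionInProgress|DecryptionInProgress) return 1 ;;
    *) return 2 ;;
  esac
}

# wait_for_encryption <kind> [timeout_seconds] [poll_seconds]
# <kind> is openshiftapiserver or kubeapiserver, as on this page. The 30 s poll
# interval and 30 min default timeout are assumptions, not documented values.
wait_for_encryption() {
  kind=$1
  timeout=${2:-1800}
  interval=${3:-30}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    # Same query the article uses, printing "<reason>\n<message>".
    out=$(oc get "$kind" -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}')
    rc=0
    encryption_state "$out" || rc=$?
    case "$rc" in
      0) printf '%s: %s\n' "$kind" "$(printf '%s\n' "$out" | sed -n '2p')"
         return 0 ;;
      2) printf 'unexpected Encrypted reason on %s: %s\n' "$kind" "$out" >&2
         return 2 ;;
    esac
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  printf 'timed out after %ss waiting for %s\n' "$timeout" "$kind" >&2
  return 1
}

# Usage (needs a logged-in oc session; not run when the file is sourced):
#   wait_for_encryption openshiftapiserver && wait_for_encryption kubeapiserver
```

Both API servers report the condition separately, so check openshiftapiserver and kubeapiserver in turn, exactly as the article does.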