Using KMS to Encrypt Secrets at Rest: At-rest encryption of secrets is a static data encryption mechanism provided by Kubernetes.
This section describes how to use the keys managed by Data Encryption Workshop (DEW) to encrypt EVS disks.
Prerequisites: You have created a cluster and installed the CCE Container Storage (Everest) add-on in the cluster. An available key has been created in DEW.
Encrypting an OBS Volume: You can use server-side encryption to encrypt data uploaded to OBS, enhancing storage security and compliance. The OBS server encrypts objects before storing them and decrypts them when accessed, returning the decrypted data to the client.
Secret Encryption: You can encrypt Kubernetes secrets stored in CCE using envelope encryption with KMS keys. For details, see Using KMS to Encrypt Secrets at Rest.
This function is in the initial rollout stage. For details about the regions where this function is available, see the console.
Encryption: Configure whether to encrypt underlying storage. If you select Enabled (key), an encryption key must be configured. Before using encryption, check whether the region where the EVS disk is located supports disk encryption.
This API uses AES-GCM to replace AES-CBC and uses DEK to encrypt data at rest (Kubernetes Secrets). No additional operation is required during this process. Additionally, data can be read through AES-GCM and AES-CBC. For details, see Using a KMS provider for data encryption.
Encrypt sensitive information before creating a secret and decrypt the information when using it.
Using a Bound ServiceAccount Token to Access a Cluster: The secret-based ServiceAccount token does not support expiration time or auto update.
Encryption: Configure whether to encrypt underlying storage. If you select Enabled (key), an encryption key must be configured.
Enterprise Project: This parameter is available only for enterprise accounts with enterprise projects enabled.
If you use YAML to create a secret, you need to manually encode its value using Base64:
echo -n "Content to be encoded" | base64
Unmatched Container Image Tag with the Node Architecture: The proper image tag is not used during the workload creation on an Arm node.