mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 21:46:22 +01:00
// Module included in the following assemblies:
//
// * security/encrypting-etcd.adoc
// * post_installation_configuration/cluster-tasks.adoc

:_content-type: PROCEDURE
[id="disabling-etcd-encryption_{context}"]
= Disabling etcd encryption

You can disable encryption of etcd data in your cluster.

.Prerequisites

* Access to the cluster as a user with the `cluster-admin` role.

.Procedure

. Modify the `APIServer` object:
+
[source,terminal]
----
$ oc edit apiserver
----

. Set the `encryption` field type to `identity`:
+
[source,yaml]
----
spec:
  encryption:
    type: identity <1>
----
<1> The `identity` type is the default value and means that no encryption is performed.

. Save the file to apply the changes.
+
The decryption process starts. It can take 20 minutes or longer for this process to complete, depending on the size of your cluster.

. Verify that etcd decryption was successful.

.. Review the `Encrypted` status condition for the OpenShift API server to verify that its resources were successfully decrypted:
+
[source,terminal]
----
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
----
+
The output shows `DecryptionCompleted` upon successful decryption:
+
[source,terminal]
----
DecryptionCompleted
Encryption mode set to identity and everything is decrypted
----
+
If the output shows `DecryptionInProgress`, decryption is still in progress. Wait a few minutes and try again.

.. Review the `Encrypted` status condition for the Kubernetes API server to verify that its resources were successfully decrypted:
+
[source,terminal]
----
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
----
+
The output shows `DecryptionCompleted` upon successful decryption:
+
[source,terminal]
----
DecryptionCompleted
Encryption mode set to identity and everything is decrypted
----
+
If the output shows `DecryptionInProgress`, decryption is still in progress. Wait a few minutes and try again.

.. Review the `Encrypted` status condition for the OpenShift OAuth API server to verify that its resources were successfully decrypted:
+
[source,terminal]
----
$ oc get authentication.operator.openshift.io -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
----
+
The output shows `DecryptionCompleted` upon successful decryption:
+
[source,terminal]
----
DecryptionCompleted
Encryption mode set to identity and everything is decrypted
----
+
If the output shows `DecryptionInProgress`, decryption is still in progress. Wait a few minutes and try again.
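
The three verification checks in this procedure can be polled together instead of rerun by hand. The following shell functions are an added example, not part of the OpenShift documentation: the resource names, jsonpath expression and reason strings are the ones the procedure uses, while the function names, the 1800-second default timeout and the 60-second poll interval are assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenShift documentation. The resource names,
# jsonpath expression and reason strings are the ones used in the procedure;
# function names, the 1800 s timeout and the 60 s interval are assumptions.

RESOURCES="openshiftapiserver kubeapiserver authentication.operator.openshift.io"
JSONPATH='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'

# Print the reason (first output line) of the Encrypted condition for resource $1.
encrypted_reason() {
  oc get "$1" -o=jsonpath="$JSONPATH" 2>/dev/null | head -n 1
}

# Exit status: 0 = all three report DecryptionCompleted, 1 = at least one is
# DecryptionInProgress, 2 = at least one reports something else or nothing.
decryption_state() {
  local res reason rc=0
  for res in $RESOURCES; do
    reason=$(encrypted_reason "$res")
    case "$reason" in
      DecryptionCompleted) ;;
      DecryptionInProgress)
        echo "$res: still decrypting" >&2
        if [ "$rc" -lt 1 ]; then rc=1; fi ;;
      *)
        echo "$res: unexpected reason '$reason'" >&2
        rc=2 ;;
    esac
  done
  return "$rc"
}

# Poll until every resource is decrypted or the timeout expires.
# $1 = timeout in seconds (default 1800), $2 = poll interval (default 60).
wait_for_decryption() {
  local timeout="${1:-1800}" interval="${2:-60}" waited=0 state
  while :; do
    state=0
    decryption_state || state=$?
    if [ "$state" -eq 0 ]; then
      echo "all three Encrypted conditions report DecryptionCompleted"
      return 0
    fi
    if [ "$waited" -ge "$timeout" ]; then return "$state"; fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}
```

Source the file in a session logged in as a user with the `cluster-admin` role, then run `wait_for_decryption`. A nonzero exit status means at least one of the three resources has not reported `DecryptionCompleted` within the timeout.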