mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
95 lines
2.9 KiB
Plaintext
95 lines
2.9 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/encrypting-etcd.adoc
|
|
// * post_installation_configuration/cluster-tasks.adoc
|
|
|
|
[id="enabling-etcd-encryption_{context}"]
|
|
= Enabling etcd encryption
|
|
|
|
You can enable etcd encryption to encrypt sensitive resources in your cluster.
|
|
|
|
[WARNING]
|
|
====
|
|
It is not recommended to take a backup of etcd until the initial encryption process is complete. If the encryption process has not completed, the backup might be only partially encrypted.
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* Access to the cluster as a user with the `cluster-admin` role.
|
|
|
|
.Procedure
|
|
|
|
. Modify the `APIServer` object:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc edit apiserver
|
|
----
|
|
|
|
. Set the `encryption` field type to `aescbc`:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
spec:
|
|
encryption:
|
|
type: aescbc <1>
|
|
----
|
|
<1> The `aescbc` type means that AES-CBC with PKCS#7 padding and a 32 byte key is used to perform the encryption.
|
|
|
|
. Save the file to apply the changes.
|
|
+
|
|
The encryption process starts. It can take 20 minutes or longer for this process to complete, depending on the size of your cluster.
|
|
|
|
. Verify that etcd encryption was successful.
|
|
|
|
.. Review the `Encrypted` status condition for the OpenShift API server to verify that its resources were successfully encrypted:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
|
|
----
|
|
+
|
|
The output shows `EncryptionCompleted` upon successful encryption:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
EncryptionCompleted
|
|
All resources encrypted: routes.route.openshift.io
|
|
----
|
|
+
|
|
If the output shows `EncryptionInProgress`, encryption is still in progress. Wait a few minutes and try again.
|
|
|
|
.. Review the `Encrypted` status condition for the Kubernetes API server to verify that its resources were successfully encrypted:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
|
|
----
|
|
+
|
|
The output shows `EncryptionCompleted` upon successful encryption:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
EncryptionCompleted
|
|
All resources encrypted: secrets, configmaps
|
|
----
|
|
+
|
|
If the output shows `EncryptionInProgress`, encryption is still in progress. Wait a few minutes and try again.
|
|
|
|
.. Review the `Encrypted` status condition for the OpenShift OAuth API server to verify that its resources were successfully encrypted:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get authentication.operator.openshift.io -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
|
|
----
|
|
+
|
|
The output shows `EncryptionCompleted` upon successful encryption:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
EncryptionCompleted
|
|
All resources encrypted: oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io
|
|
----
|
|
+
|
|
If the output shows `EncryptionInProgress`, encryption is still in progress. Wait a few minutes and try again.
|