You are viewing documentation for Kubernetes version: v1.23
Kubernetes v1.23 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.
kube-apiserver Encryption Configuration (v1)
Package v1 is the v1 version of the API.
Resource Types
EncryptionConfiguration
EncryptionConfiguration stores the complete configuration for encryption providers.
| Field | Description |
|---|---|
| `apiVersion` (string) | `apiserver.config.k8s.io/v1` |
| `kind` (string) | `EncryptionConfiguration` |
| `resources` [Required] (`[]ResourceConfiguration`) | resources is a list containing resources, and their corresponding encryption providers. |
AESConfiguration
Appears in: ProviderConfiguration
AESConfiguration contains the API configuration for an AES transformer.
| Field | Description |
|---|---|
| `keys` [Required] (`[]Key`) | keys is a list of keys to be used for creating the AES transformer. Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM. |
IdentityConfiguration
Appears in: ProviderConfiguration
IdentityConfiguration is an empty struct to allow the identity transformer in a provider configuration.
KMSConfiguration
Appears in: ProviderConfiguration
KMSConfiguration contains the name, cache size and path to the configuration file for a KMS based envelope transformer.
| Field | Description |
|---|---|
| `name` [Required] (string) | name is the name of the KMS plugin to be used. |
| `cachesize` (int32) | cachesize is the maximum number of secrets which are cached in memory. The default value is 1000. Set to a negative value to disable caching. |
| `endpoint` [Required] (string) | endpoint is the gRPC server listening address, for example `unix:///var/run/kms-provider.sock`. |
| `timeout` (`meta/v1.Duration`) | timeout for gRPC calls to the kms-plugin (e.g. `5s`). The default is 3 seconds. |
Key
Appears in: AESConfiguration, SecretboxConfiguration
Key contains the name and secret of the provided key for a transformer.
| Field | Description |
|---|---|
| `name` [Required] (string) | name is the name of the key to be used while storing data to disk. |
| `secret` [Required] (string) | secret is the actual key, encoded in base64. |
ProviderConfiguration
Appears in: ResourceConfiguration
ProviderConfiguration stores the provided configuration for an encryption provider.
| Field | Description |
|---|---|
| `aesgcm` [Required] (`AESConfiguration`) | aesgcm is the configuration for the AES-GCM transformer. |
| `aescbc` [Required] (`AESConfiguration`) | aescbc is the configuration for the AES-CBC transformer. |
| `secretbox` [Required] (`SecretboxConfiguration`) | secretbox is the configuration for the Secretbox based transformer. |
| `identity` [Required] (`IdentityConfiguration`) | identity is the (empty) configuration for the identity transformer. |
| `kms` [Required] (`KMSConfiguration`) | kms contains the name, cache size and path to the configuration file for a KMS based envelope transformer. |
ResourceConfiguration
Appears in: EncryptionConfiguration
ResourceConfiguration stores per-resource configuration.
| Field | Description |
|---|---|
| `resources` [Required] (`[]string`) | resources is a list of Kubernetes resources which have to be encrypted. |
| `providers` [Required] (`[]ProviderConfiguration`) | providers is a list of transformers to be used for reading and writing the resources to disk, e.g. aesgcm, aescbc, secretbox, identity. |
SecretboxConfiguration
Appears in: ProviderConfiguration
SecretboxConfiguration contains the API configuration for a Secretbox transformer.
| Field | Description |
|---|---|
| `keys` [Required] (`[]Key`) | keys is a list of keys to be used for creating the Secretbox transformer. Each key has to be 32 bytes long. |
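The tables above give the shape of an `EncryptionConfiguration` and the key-length rules for each transformer, but a malformed file is only discovered when kube-apiserver refuses to start. The following is an added example, not code from the Kubernetes project: it builds a sample configuration as a Python dict with the same structure as the YAML file (`apiVersion`, `kind`, `resources[].resources`, `resources[].providers[]`), generates properly sized base64 keys, and checks the constraints this page states: AES-CBC keys of 32 bytes, AES-GCM keys of 16, 24 or 32 bytes, Secretbox keys of 32 bytes, base64-encoded secrets, an empty `identity` block, and `name` plus `endpoint` for `kms`. The function names, the sample config and the generated keys are constructed for this example.

```python
import base64
import binascii
import secrets

# Key length rules as stated in the v1 reference tables (bytes after base64 decoding).
KEY_LENGTHS = {
    "aescbc": {32},
    "aesgcm": {16, 24, 32},
    "secretbox": {32},
}
KMS_DEFAULT_CACHESIZE = 1000  # default given for KMSConfiguration.cachesize


def make_key(name: str, nbytes: int) -> dict:
    """Build a Key entry with a random secret (constructed for this example)."""
    return {"name": name, "secret": base64.b64encode(secrets.token_bytes(nbytes)).decode()}


def validate_provider(provider: dict) -> list[str]:
    """Return the problems found in one ProviderConfiguration entry (empty list = ok)."""
    problems: list[str] = []
    if len(provider) != 1:
        return [f"provider entry must name exactly one transformer, got {sorted(provider)}"]
    kind, cfg = next(iter(provider.items()))
    cfg = cfg or {}
    if kind in KEY_LENGTHS:
        keys = cfg.get("keys") or []
        if not keys:
            problems.append(f"{kind}: keys is required and must not be empty")
        for key in keys:
            name = key.get("name")
            if not name:
                problems.append(f"{kind}: key without a name")
            try:
                raw = base64.b64decode(key.get("secret", ""), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"{kind}: key {name!r} secret is not valid base64")
                continue
            if len(raw) not in KEY_LENGTHS[kind]:
                problems.append(
                    f"{kind}: key {name!r} is {len(raw)} bytes, expected one of {sorted(KEY_LENGTHS[kind])}"
                )
    elif kind == "identity":
        if cfg:  # IdentityConfiguration is an empty struct
            problems.append("identity: configuration must be empty")
    elif kind == "kms":
        for required in ("name", "endpoint"):
            if not cfg.get(required):
                problems.append(f"kms: {required} is required")
        if not isinstance(cfg.get("cachesize", KMS_DEFAULT_CACHESIZE), int):
            problems.append("kms: cachesize must be an int32")
    else:
        problems.append(f"unknown provider {kind!r}")
    return problems


def validate_config(config: dict) -> list[str]:
    """Validate a whole EncryptionConfiguration; returns a list of problems."""
    problems: list[str] = []
    if config.get("apiVersion") != "apiserver.config.k8s.io/v1":
        problems.append("apiVersion must be apiserver.config.k8s.io/v1")
    if config.get("kind") != "EncryptionConfiguration":
        problems.append("kind must be EncryptionConfiguration")
    for i, rc in enumerate(config.get("resources") or []):
        if not rc.get("resources"):
            problems.append(f"resources[{i}]: resources list is required")
        providers = rc.get("providers") or []
        if not providers:
            problems.append(f"resources[{i}]: providers list is required")
        for j, provider in enumerate(providers):
            problems.extend(f"resources[{i}].providers[{j}]: {msg}" for msg in validate_provider(provider))
    return problems


def plaintext_write_risk(config: dict) -> list[int]:
    """Indexes of ResourceConfiguration entries whose first provider is identity.
    Not stated on this page, but kube-apiserver encrypts new writes with the first
    listed provider, so identity-first means the listed resources are stored unencrypted."""
    return [
        i for i, rc in enumerate(config.get("resources") or [])
        if rc.get("providers") and "identity" in rc["providers"][0]
    ]


# Constructed sample: encrypt Secrets with AES-CBC, keep identity only for reading old data.
SAMPLE_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [
        {
            "resources": ["secrets"],
            "providers": [
                {"aescbc": {"keys": [make_key("key1", 32)]}},
                {"identity": {}},
            ],
        }
    ],
}

if __name__ == "__main__":
    for problem in validate_config(SAMPLE_CONFIG):
        print("problem:", problem)
    for idx in plaintext_write_risk(SAMPLE_CONFIG):
        print(f"warning: resources[{idx}] writes plaintext (identity listed first)")
```

Run it against a parsed copy of your own file (e.g. via `yaml.safe_load`, which is not imported here to keep the block dependency-free) before handing the path to `--encryption-provider-config`; the `plaintext_write_risk` check catches the common mistake of leaving `identity` as the first provider after a migration.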