Configure the kube-apiserver to use the KMS plugin for encryption of data at rest. Make the changes in the API server YAML file '/etc/kubernetes/manifests/kube-apiserver.yaml'.
- Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the encryption configuration file. Under the command section, add --encryption-provider-config=/etc/kubernetes/encryption-config.yaml to enable the use of an external encryption provider.
  [Figure: Highlighted the changes for encryption provider flag addition]
- In the volumeMounts section, add the following entries.
  [Figure: Highlighted the changes for volumeMounts section]
- In the volumes section, add the corresponding volume definitions.
  [Figure: Highlighted the changes for volumes section]
- Save the kube-apiserver YAML file and restart the kube-apiserver.
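
The three manifest edits from the steps above, combined in one fragment. This is an added example, not the highlighted content of the original page; the volume names and the KMS socket directory /var/run/kmsplugin are assumptions to replace with the values your KMS plugin uses.

```yaml
# Fragment of /etc/kubernetes/manifests/kube-apiserver.yaml (added example).
# Only the fields touched by the three edits are shown; existing entries stay in place.
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # ... existing flags ...
    # Edit 1: point the API server at the encryption configuration file.
    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
    volumeMounts:
    # ... existing mounts ...
    # Edit 2: make the config file and the plugin socket visible inside the container.
    - name: encryption-config            # assumed name; must match the volume below
      mountPath: /etc/kubernetes/encryption-config.yaml
      readOnly: true                     # the API server only reads this file
    - name: kms-socket                   # assumed name; must match the volume below
      mountPath: /var/run/kmsplugin      # ASSUMPTION: directory holding the plugin's Unix socket
  volumes:
  # ... existing volumes ...
  # Edit 3: back each mount with a hostPath volume of the same name.
  - name: encryption-config
    hostPath:
      path: /etc/kubernetes/encryption-config.yaml
      type: File                         # fail at Pod start if the file is missing
  - name: kms-socket
    hostPath:
      path: /var/run/kmsplugin           # ASSUMPTION: placeholder, use your plugin's socket directory
      type: Directory                    # fail at Pod start if the directory is missing
```

The socket directory mounted here has to be the one that the endpoint field of the kms provider in encryption-config.yaml points to; otherwise the API server cannot reach the plugin from inside its container.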