Enabling Encryption
To enable encryption when creating a cluster, you need to create a new KMS key that has an alias name starting with `cluster-api-provider-aws-`. For example, `arn:aws:kms:eu-north-1:12345678901:alias/cluster-api-provider-aws-key1`.
You then need to specify the key ARN in the `encryptionConfig` of the `AWSManagedControlPlane`:
```yaml
kind: AWSManagedControlPlane
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
metadata:
  name: "capi-managed-test-control-plane"
spec:
  ...
  encryptionConfig:
    provider: "arn:aws:kms:eu-north-1:12345678901:key/351f5544-6130-42e4-8786-2c85e546fc2d"
    resources:
    - "secrets"
```
You must use the ARN of the key (`arn:aws:kms:...:key/<key-id>`) and not the ARN of the alias (`arn:aws:kms:...:alias/<alias-name>`).
Custom KMS Alias Prefix
If you would like to use a different alias prefix, you can set `kmsAliasPrefix` in the optional configuration file for `clusterawsadm`:
```shell
clusterawsadm bootstrap iam create-stack --config custom-prefix.yaml
```
And the contents of the configuration file:
```yaml
apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSIAMConfiguration
spec:
  eks:
    enable: true
    kmsAliasPrefix: "my-prefix-*"
```
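The two requirements above (the `provider` must be a key ARN rather than an alias ARN, and the key must carry an alias matching the configured prefix) are easy to get wrong in a manifest. The following pre-flight check is an added example and not part of the cluster-api-provider-aws project; it assumes alias data in the shape returned by KMS `ListAliases` and feeds it a constructed list instead of calling AWS.

```python
import re
from fnmatch import fnmatch
from typing import Dict, List

# Default alias pattern from the page; a custom kmsAliasPrefix such as
# "my-prefix-*" may be passed instead (the trailing "*" is glob syntax).
DEFAULT_ALIAS_PATTERN = "cluster-api-provider-aws-*"

# The two ARN kinds the page contrasts: key ARNs are accepted, alias ARNs rejected.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d+:key/(?P<key_id>[0-9a-f-]{36})$")
ALIAS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d+:alias/.+$")


def check_encryption_provider(provider: str, aliases: List[Dict[str, str]],
                              alias_pattern: str = DEFAULT_ALIAS_PATTERN) -> List[str]:
    """Return the problems found with an encryptionConfig.provider value.

    `aliases` has the shape of KMS ListAliases entries
    ({"AliasName": "alias/...", "TargetKeyId": "<key id>"}); a real check
    would fetch them from AWS, this example uses a constructed list.
    """
    if ALIAS_ARN_RE.match(provider):
        return ["provider is an alias ARN; use the key ARN (.../key/<id>) instead"]
    match = KEY_ARN_RE.match(provider)
    if not match:
        return ["provider is not a KMS key ARN"]
    key_id = match.group("key_id")
    # The key must carry at least one alias matching the configured prefix,
    # as the documentation requires.
    matching = [
        a["AliasName"] for a in aliases
        if a.get("TargetKeyId") == key_id
        and fnmatch(a["AliasName"].removeprefix("alias/"), alias_pattern)
    ]
    if not matching:
        return [f"key {key_id} has no alias matching {alias_pattern!r}"]
    return []


# Constructed sample data mirroring the page's example ARNs (not real resources).
KEY_ID = "351f5544-6130-42e4-8786-2c85e546fc2d"
KEY_ARN = f"arn:aws:kms:eu-north-1:12345678901:key/{KEY_ID}"
ALIAS_ARN = "arn:aws:kms:eu-north-1:12345678901:alias/cluster-api-provider-aws-key1"
SAMPLE_ALIASES = [
    {"AliasName": "alias/cluster-api-provider-aws-key1", "TargetKeyId": KEY_ID},
    {"AliasName": "alias/my-prefix-eks", "TargetKeyId": KEY_ID},
    {"AliasName": "alias/unrelated", "TargetKeyId": "00000000-0000-0000-0000-000000000000"},
]
```

Pass the custom pattern from `kmsAliasPrefix` as `alias_pattern` when the bootstrap stack was created with a non-default prefix.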