# KMS Plugin for Key Vault

[![Build Status](https://dev.azure.com/AzureContainerUpstream/Kubernetes%20KMS/_apis/build/status/Kubernetes%20KMS%20CI?branchName=master)](https://dev.azure.com/AzureContainerUpstream/Kubernetes%20KMS/_build/latest?definitionId=442&branchName=master)
[![Go Report Card](https://goreportcard.com/badge/Azure/kubernetes-kms)](https://goreportcard.com/report/Azure/kubernetes-kms)
![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/Azure/kubernetes-kms)
![GitHub release (latest by date)](https://img.shields.io/github/v/release/Azure/kubernetes-kms)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Azure/kubernetes-kms/badge)](https://api.securityscorecards.dev/projects/github.com/Azure/kubernetes-kms)

Enables encryption at rest of your Kubernetes data in etcd using Azure Key Vault.

From the Kubernetes documentation on [Encrypting Secret Data at Rest]:

> _[KMS Plugin for Key Vault is]_ the recommended choice for using a third party tool for key management. Simplifies key rotation, with a new data encryption key (DEK) generated for each encryption, and key encryption key (KEK) rotation controlled by the user.

⚠️ **NOTE**: Currently, KMS plugin for Key Vault does not support key rotation. If you create a new key version in KMS, decryption will fail since it won't match the key used for encryption when the cluster was created.

💡 **NOTE**: To integrate your application secrets from a key management system outside of Kubernetes, use [Azure Key Vault Provider for Secrets Store CSI Driver].

## Features

- Use a key in Key Vault for etcd encryption
- Use a key in Key Vault protected by a Hardware Security Module (HSM)
- Bring your own keys
- Store secrets, keys, and certs in etcd, but manage them as part of Kubernetes

## Getting Started

### Prerequisites

💡 Make sure you have a Kubernetes cluster version 1.10 or later, the minimum version that is supported by KMS Plugin for Key Vault.

### Azure Kubernetes Service (AKS)

Azure Kubernetes Service ([AKS]) creates managed, supported Kubernetes clusters on Azure.

To enable encryption at rest for Kubernetes resources in etcd, check out the KMS plugin for Key Vault on AKS feature in this [doc](https://docs.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption).

### Setting up KMS Plugin manually

Refer to [doc](docs/manual-install.md) for steps to set up the KMS Key Vault plugin on an existing cluster.

## Verifying that Data is Encrypted

Now that the Azure KMS provider is running in your cluster and the encryption configuration is set up, it will encrypt the data in etcd. Let's verify that it is working:

1. Create a new secret:

   ```bash
   kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
   ```

2. Using `etcdctl`, read the secret from etcd:

   ```bash
   sudo ETCDCTL_API=3 etcdctl --cacert=/etc/kubernetes/certs/ca.crt --cert=/etc/kubernetes/certs/etcdclient.crt --key=/etc/kubernetes/certs/etcdclient.key get /registry/secrets/default/secret1
   ```

3. Check that the stored secret is prefixed with `k8s:enc:kms:v1:azurekmsprovider` when KMSv1 is used for encryption, or with `k8s:enc:kms:v2:azurekmsprovider` when KMSv2 is used. This prefix indicates that the data has been encrypted by the Azure KMS provider.

4. Verify the secret is decrypted correctly when retrieved via the Kubernetes API:

   ```bash
   kubectl get secrets secret1 -o yaml
   ```

   The output should match `mykey: bXlkYXRh`, which is the base64-encoded form of `mydata`.

## Rotation

Refer to [doc](docs/rotation.md) for steps to rotate the KMS Key on an existing cluster.

## Metrics

Refer to [doc](docs/metrics.md) for details on the metrics exposed by the KMS Key Vault plugin.

## Contributing

The KMS Plugin for Key Vault project welcomes contributions and suggestions. Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

## Roadmap

You can view the public roadmap for the KMS plugin for Azure KeyVault on the GitHub Project [here](https://github.com/orgs/Azure/projects/440). Note that all target dates are aspirational and subject to change.

## Release

Currently, this project releases monthly to patch security vulnerabilities, and bi-monthly for new features. We target the **first week** of the month for release.

## Code of conduct

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Support

KMS Plugin for Key Vault is an open source project that is [**not** covered by the Microsoft Azure support policy](https://support.microsoft.com/en-us/help/2941892/support-for-linux-and-open-source-technology-in-azure). [Please search open issues here](https://github.com/Azure/kubernetes-kms/issues), and if your issue isn't already represented please [open a new one](https://github.com/Azure/kubernetes-kms/issues/new/choose). The project maintainers will respond to the best of their abilities.

[aks]: https://azure.microsoft.com/services/kubernetes-service/
[encrypting secret data at rest]: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers
[azure key vault provider for secrets store csi driver]: https://github.com/Azure/secrets-store-csi-driver-provider-azure