Available in VPC
Ncloud Kubernetes Service uses NCP Key Management Service (KMS) and Kubernetes' Encrypting Confidential Data at Rest to encrypt secrets stored in etcd.
Service limits
- Supported from Kubernetes version 1.28 or later
- To use this feature on a cluster running a version earlier than 1.28, first upgrade the cluster to the required version using the upgrade function.
- Once secret encryption is enabled, it cannot be disabled or changed.
Caution
If you delete the KMS key in use, the cluster's secrets cannot be recovered.
Prerequisites
- A key must be generated in NCP KMS.
- The key must be an encryption/decryption key (AES-256), and convergent encryption must be disabled.
- To view KMS key information, you must add the following permissions for the SubAccount.
  - Service: Key Management Service
  - Actions: View/getKeyList, View/getKeyInfo
Secret encryption settings (when creating a cluster)
- In Ncloud Kubernetes Service > Clusters, click the [Create] button.
- Select [Set] in Secret Encryption.
- Select the key to use in Secret Encryption.
- Create the cluster after completing the cluster settings.
Secret encryption settings (for existing clusters)
- In Ncloud Kubernetes Service > Clusters > Details > Secret Encryption, click the [Set] button.
- Select the key to use for Secret Encryption and click the [OK] button.
- The cluster status will change to Configuring, and Secret Encryption settings will be applied.
- When Secret Encryption settings are complete, the cluster status will change to Running.
- After Secret Encryption is set on an existing cluster, you must re-encrypt the existing secrets with the new encryption key by rewriting them:
$ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
Rotate keys
- For the KMS key, it is recommended to periodically rotate the key for enhanced security.
- After the KMS key is rotated, existing secrets remain encrypted with the previous version of the key.
- Secrets created after the rotation are encrypted with the new key version, but existing secrets must be re-encrypted by rewriting them:
$ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
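The one-liner above rewrites every Secret in a single kubectl replace batch. As an added example (not part of the Ncloud documentation), the following POSIX shell script performs the same re-encryption one Secret at a time, so a failure on one object (for example a resourceVersion conflict on a Secret that changed mid-run) is reported for a re-run instead of interrupting the batch; it serves both the existing-cluster step and the key-rotation step. The KUBECTL variable, the function names and the "run" argument are assumptions.

```shell
#!/bin/sh
# Rewrites every Secret unchanged, one object at a time, and keeps a tally
# of successes and failures instead of stopping at the first error.
# KUBECTL may be overridden, e.g. with a wrapper that adds --context (assumption).
KUBECTL="${KUBECTL:-kubectl}"

# Prints one "namespace name" pair per line for every Secret in the cluster.
list_secrets() {
  "$KUBECTL" get secrets --all-namespaces \
    -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name}{"\n"}{end}'
}

# Reads one Secret and writes it back unchanged; the write is what makes the
# API server store it again under the current KMS key version.
reencrypt_one() {
  ns="$1"; name="$2"
  json=$("$KUBECTL" get secret -n "$ns" "$name" -o json) || return 1
  printf '%s\n' "$json" | "$KUBECTL" replace -f - >/dev/null
}

# Rewrites all Secrets, prints "ok=<n> failed=<m>" on stdout, lists the
# failed namespace/name pairs on stderr and returns 1 if any failed.
reencrypt_all() {
  ok=0; failed=0; failures=""
  while read -r ns name; do
    [ -n "$name" ] || continue
    if reencrypt_one "$ns" "$name"; then
      ok=$((ok + 1))
    else
      failed=$((failed + 1)); failures="$failures $ns/$name"
    fi
  done <<EOF
$(list_secrets)
EOF
  echo "ok=$ok failed=$failed"
  [ -z "$failures" ] || echo "re-run needed for:$failures" >&2
  [ "$failed" -eq 0 ]
}

# Run as: sh reencrypt-secrets.sh run
if [ "${1:-}" = run ]; then
  reencrypt_all
fi
```

Run it again until it reports failed=0; each pass only rewrites, never modifies, the Secret contents.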