Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
p
prehistoric-furniture-82015
04/11/2023, 5:23 PMWhats the value of encrypting secrets with the AES-CBC provider when the encryption key secret is stored in plaintext?
As far as I can tell, that is the default behaviour for RKE2?
c
creamy-pencil-82913
04/11/2023, 5:42 PMthey’re encrypted at rest, so not retrievable from an etcd snapshot, or by someone who gains direct access to the etcd datastore. Not without the key at least.
There is no support for storing the key in anything other than plaintext. That is just how the non-HSM encryption providers work.
p
prehistoric-furniture-82015
04/11/2023, 5:49 PMi see, that makes sense, but if the host node persistent storage hardware is compromised then secrets are also compromised, correct?
we are actually trying to set up harvester with KMS provider, but so far couldn't get it to work.
c
creamy-pencil-82913
04/11/2023, 5:53 PMif someone compromises the servers then yes, it is game over for your cluster as a whole.
that is true regardless of whether you use secrets encryption though. even if you use KMS, someone can just use kubectl to dump all the secrets out.
p
prehistoric-furniture-82015
04/11/2023, 5:54 PMjust to clearify, i meant compromise the storage devices, not a live server. As all volatile memory is gone.
c
creamy-pencil-82913
04/11/2023, 5:54 PMwhat do you mean by “storage devices”, and how are you using them.
p
prehistoric-furniture-82015
04/11/2023, 5:55 PMas in harddrives. if at the end of the lifecycle we dispose of the harddrives. The data on them should not be decipherable.
c
creamy-pencil-82913
04/11/2023, 5:58 PM… you should always scrub your devices before getting rid of them, this doesn’t change that any. The servers (by necessity) have a copy of all the CA private keys, secrets encryption config, admin credentials, and so on. There’s no getting around that, at some point you need to store privileged data on disk as part of the system configuration.
Many companies crush or shred their server disks instead of selling them as surplus because they don’t want to worry about it. But again this is not a concern unique to RKE2 or any other Kubernetes distro.
p
prehistoric-furniture-82015
04/11/2023, 6:08 PMyes, i agree, we are not planning to sell the device, but still we don't want to rely on that process alone. Also there is the scenario of theft of the physical device. WE also may be looking at cases where we repurpose the hardware internally.
Regarding the TLS private keys, are stored as kubernetes secrets?
someone can just use kubectl to dump all the secrets out.But would that require that they can get behind the firewall before we invalidate cluster access for the node by rotating the certificates.
c
creamy-pencil-82913
04/11/2023, 6:32 PMno, the private keys exist outside the cluster. They are the keys for the Kubernetes internal PKI
That content also applies to RKE2, we just haven’t got around to migrating the content to the rke2 docs yet.
p
prehistoric-furniture-82015
04/11/2023, 8:18 PMokay makes sense, thank you. So reading that content, if I understand it correctly, if we provide a custom root-ca, and then rotate the ca any servers that where the ca wasn't rotated will permanently loose access.
So that combined with using a KMS, and volume encryption, means we can can permanently lock out a node from a cluster render all its data as useless.
Or we could we could use an external etcd.
c
creamy-pencil-82913
04/11/2023, 8:51 PMI would personally just burn the cluster if you have a server node compromised. Cattle not pets. Don’t make your life more complicated than it needs to be.
p
prehistoric-furniture-82015
04/12/2023, 7:26 AMthat works too, although much harder to execute, especially as the size of the cluster grows, but the data stored on the persistent volumes (harvester - longhorn) still needs to be encrypted and there should be no key on the same disk.