Setting up a key management service (KMS) provider

Virtual Private Cloud Classic infrastructure Satellite

You can protect Kubernetes secrets and any credentials stored in your secrets by enabling a key management service (KMS) provider, such as IBM® Key Protect for IBM Cloud® or Hyper Protect Crypto Services.

Do not delete root keys in your KMS instance, even if you rotate to a new key. If you delete a root key that a cluster uses, the cluster becomes unusable, loses all its data, and can't be recovered. Similarly, if you disable a root key, operations that rely on reading secrets fail. Unlike deleting a root key, however, you can reenable a disabled key to make your cluster usable again.

Before you can enable a key management service (KMS) provider in your cluster, you must first create a KMS instance and a root key.

1. Create an instance of the KMS provider that you want to use.

   • Key Protect.
   • Hyper Protect Crypto Services.

2. Create a root key in your KMS instance.

   • Key Protect root key.
   • Hyper Protect Crypto Services root key. By default, the root key is created without an expiration date.

   Key Protect: Need to set an expiration date to comply with internal security policies? Create the root key by using the API and include the expirationDate parameter. Important: Before your root key expires, repeat these steps to update your cluster to use a new root key. When a root key expires, the cluster secrets can't be decrypted and your cluster becomes unusable. Depending on the cluster version, the time lapse between the root key expiring and the cluster no longer being able to decrypt secrets might be about an hour, or when the master is refreshed.

3. Check that you have the required service authorization policies in IBM Cloud IAM. Navigate to the service authorizations page in the console and look for an authorization with the Source service specified as Kubernetes service, the Target service specified as your KMS provider (such as Key Protect), and the Target account specified as the account the cluster resides in. If you do not see the service authorization, create it by following these steps:

   • Required service access policy for Kubernetes Service and the KMS provider
     1. Set the Source account for This account if the cluster you want to authorize accessing KMS resides in the current account, otherwise if the cluster located under a different account, select Other account and provide the account ID.
     2. Set the Source service to Kubernetes Service.
     3. Set the Target service to your KMS provider, such as Key Protect.
     4. Include at least Reader service access.
     5. Enable the authorization to be delegated by the source and dependent services.

4. Make sure that you have the correct permissions in IBM Cloud Identity and Access Management (IAM) to enable KMS in your cluster.

   • Ensure that you have the Administrator IBM Cloud IAM platform access role for the cluster.
   • Ensure that the API key owner of the API key that is set for the region and resource group that your cluster is in has the correct permissions for the KMS provider.
     • For example, to create an instance and root key, you need at least the Editor platform and Writer service access roles for your KMS provider.
     • If you plan to use an existing KMS instance and root key, you need at least the Viewer platform and Reader service access roles for your KMS provider.

5. Optional Complete the following additional steps if you plan to set up worker node disk encryption for a VPC cluster.

6. Create a cluster and enable secret encryption.