keps/sig-auth/3299-kms-v2-improvements/README.md (+11 -2)
@@ -399,7 +399,14 @@ No. The v2 API is new in the v1.25 release.
399
399
400
400
###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
401
401
402
-
Yes, via the `KMSv2` feature gate. Disabling this gate without first doing a storage migration to use a different encryption at rest mechanism will result in data loss.
402
+
Yes, To disable encryption at rest using the v2 API:
403
+
1. Disable encryption at rest with KMS provider by running through these [steps](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#disabling-encryption-at-rest)
404
+
1. At the end of this step, all the data in etcd will be unencrypted.
405
+
2. Disable the `KMSv2` feature gate.
406
+
407
+
Disabling this gate without first doing a storage migration to use a different encryption at rest mechanism will result in data loss.
408
+
409
+
Once the feature gate is disabled, if the plan is to use a different encryption at rest mechanism instead of KMS, then unset the `--encryption-provider-config` flag on the kube-apiserver.
403
410
404
411
###### What happens if we reenable the feature if it was previously rolled back?
405
412
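Review bot: The last added line of this hunk (`Once the feature gate is disabled, if the plan is to use a different encryption at rest mechanism instead of KMS, then unset the `--encryption-provider-config` flag on the kube-apiserver.`) contradicts itself: unsetting `--encryption-provider-config` switches encryption at rest off entirely, so it is the right action only when the plan is to run with no encryption at rest. When a different mechanism is wanted, the flag has to stay set and the `EncryptionConfiguration` it points at should list the replacement provider first, which is what the storage-migration step in the same hunk already implies. Suggest splitting the sentence into those two cases. Two smaller points in the same hunk: the second `1.` (`At the end of this step, all the data in etcd will be unencrypted.`) is numbered as a peer of the first step but reads as its result, so indent it as a sub-bullet or fold it into step 1; and `Yes, To disable` should be `Yes. To disable`.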
@@ -422,7 +429,8 @@ You can take a look at one potential example of such test in:
N/A. When the feature is disabled, data stored in etcd will no longer be encrypted using the external kms provider with v2 API
432
+
- When the feature is disabled, data stored in etcd will no longer be encrypted using the external kms provider with v2 API.
433
+
- If the feature is disabled incorrectly (i.e without performing a storage migration), existing data that is encrypted with the external kms provider will be unable to be decrypted. This will cause list and get operations to fail for the resources that were encrypted.
426
434
427
435
### Rollout, Upgrade and Rollback Planning
428
436
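Review bot: The first added bullet repeats the existing `N/A. When the feature is disabled, data stored in etcd will no longer be encrypted using the external kms provider with v2 API` line almost word for word; if that line is meant to stay, drop the duplicate bullet, and if it is meant to go, the hunk should show it as removed so that an `N/A.` answer does not survive next to bullets that now give a real answer. The second bullet describes the failure mode (get and list fail for resources encrypted with the provider when the gate is disabled without a storage migration), but the surrounding question is about a test for enablement/disablement (`You can take a look at one potential example of such test in:`); either point at the test that exercises this path or state that one still needs to be written. Minor: `i.e without` should be `i.e. without`, and `will be unable to be decrypted` reads better as `can no longer be decrypted`.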
@@ -534,6 +542,7 @@ No.
534
542
- This feature is part of API server. The feature is unavailable if API server is unavailable.
535
543
- ETCD data encryption with external kms-plugin is unavailable
536
544
- If the API server is unavailable, clients will be unable to create/get data that's stored in etcd. There will be no requests from the API server to the kms-plugin.
545
+
- If the `EncryptionConfiguration` configured in the API server is not valid and the API server is restarted, it'll fail health check (same behavior as today).
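Review bot: The added bullet (`If the `EncryptionConfiguration` configured in the API server is not valid and the API server is restarted, it'll fail health check (same behavior as today).`) sits in a list whose other items describe the API server being unavailable, but it introduces a different cause: a bad configuration makes the restarted API server unhealthy. Make that explicit as a separate failure mode and say what the operator sees and has to do (the health check keeps failing until the `EncryptionConfiguration` is corrected) instead of `(same behavior as today)`, which will not age well in a KEP. Also `it'll` should be `it will`.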