Shalanki Gupta

Reputation: 131

Kubernetes Application Level Encryption on GKE

I aim to enable Application Level Encryption on my GKE cluster. I am using a custom service account (with the required permissions to Encrypt/Decrypt a KMS key) to create this cluster, but it still asks me to grant Encrypt/Decrypt permissions to my Kubernetes service agent account (the SA that gets created when you enable the Kubernetes API on the GCP project).

Error: The service-xxxxxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com service account does not have permissions to encrypt/decrypt with the selected key.

Upvotes: 0

Views: 263

Answers (1)

Patrick W

Reputation: 4909

This is required because the master will also need to be able to decrypt. There is no way for you to use your custom service account on the GKE master node.

Upvotes: 2
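The following Terraform configuration is an added example and is not part of the question or the answer above. It shows the grant the error message is asking for: application-layer secrets encryption is performed by the GKE control plane, which authenticates to Cloud KMS as the Kubernetes Engine service agent (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com), so that identity, not the node service account used to create the cluster, needs roles/cloudkms.cryptoKeyEncrypterDecrypter on the key. The project ID, region, key ring, key, cluster and node service account names are assumed placeholders.

```hcl
# Added example, not from the original question or answer.
# Assumed values: project "my-project", region "us-central1",
# key ring "gke-secrets", key "etcd-secrets", cluster "secure-cluster".
provider "google" {
  project = "my-project"
  region  = "us-central1"
}

# The project number is needed to address the GKE service agent.
data "google_project" "this" {}

resource "google_kms_key_ring" "gke" {
  name     = "gke-secrets"
  location = "us-central1" # GKE requires the key to be in the cluster's location
}

resource "google_kms_crypto_key" "etcd" {
  name            = "etcd-secrets"
  key_ring        = google_kms_key_ring.gke.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days; rotation does not re-encrypt existing secrets
}

# This is the permission the error message refers to. The control plane
# calls KMS as the Kubernetes Engine service agent, so the grant goes to
# that robot account rather than to the custom node service account.
resource "google_kms_crypto_key_iam_member" "gke_agent" {
  crypto_key_id = google_kms_crypto_key.etcd.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@container-engine-robot.iam.gserviceaccount.com"
}

resource "google_container_cluster" "secure" {
  name               = "secure-cluster"
  location           = "us-central1"
  initial_node_count = 1

  node_config {
    # Custom node service account, as in the question (assumed name).
    # It needs no KMS permissions for application-layer secrets encryption.
    service_account = "gke-nodes@my-project.iam.gserviceaccount.com"
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }

  database_encryption {
    state    = "ENCRYPTED"
    key_name = google_kms_crypto_key.etcd.id
  }

  # Without this ordering the cluster create races the IAM grant and fails
  # with exactly the "does not have permissions to encrypt/decrypt" error.
  depends_on = [google_kms_crypto_key_iam_member.gke_agent]
}
```

Before creating the cluster you can confirm the binding landed on the key with `gcloud kms keys get-iam-policy etcd-secrets --keyring gke-secrets --location us-central1` and check that the service agent appears under roles/cloudkms.cryptoKeyEncrypterDecrypter. Two caveats that commonly cause this error even after the grant: the service agent only exists once the Kubernetes Engine API has been enabled in the project, and the key ring must live in the same location as the cluster (the region itself for a regional cluster, or the region containing the zone for a zonal one).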
