Merge pull request #39897 from nilekhc/encrypt-all-docs

[KMSv2] docs: updates EncryptionConfiguration doc to add wildcard support to encrypt all resources.
kubernetes · Mar 23, 2023 · f0c2c17 · f0c2c17
2 parents ccfb817 + 1054d0b
commit f0c2c17
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md
@@ -19,6 +19,8 @@ This page shows how to enable and configure encryption of secret data at rest.
 
 * To encrypt a custom resource, your cluster must be running Kubernetes v1.26 or newer.
 
+* Use of wildcard for resource encryption is available from Kubernetes v1.27 or newer.
+
 
 <!-- steps -->
 
@@ -63,6 +65,24 @@ resources:
           keys:
             - name: key1
               secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
+  - resources:
+      - events
+    providers:
+      - identity: {} # do not encrypt events even though  *.* is specified below
+  - resources:
+      - '*.apps'
+    providers:
+      - aescbc:
+          keys:
+          - name: key2
+            secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg==
+  - resources:
+      - '*.*'
+    providers:
+      - aescbc:
+          keys:
+          - name: key3
+            secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw==
 ```
 
 Each `resources` array item is a separate config and contains a complete configuration. The
@@ -84,6 +104,29 @@ resources from storage, each provider that matches the stored data attempts in o
 data. If no provider can read the stored data due to a mismatch in format or secret key, an error
 is returned which prevents clients from accessing that resource.
 
+`EncryptionConfiguration` supports the use of wildcards to specify the resources that should be encrypted.
+Use '`*.<group>`' to encrypt all resources within a group (for eg '`*.apps`' in above example) or '`*.*`'
+to encrypt all resources. '`*.`' can be used to encrypt all resource in the core group. '`*.*`' will
+encrypt all resources, even custom resources that are added after API server start. 
+
+{{< note >}} Use of wildcards that overlap within the same resource list or across multiple entries are not allowed
+since part of the configuration would be ineffective. The `resources` list's processing order and precedence
+are determined by the order it's listed in the configuration. {{< /note >}}
+
+Opting out of encryption for specific resources while wildcard is enabled can be achieved by adding a new
+`resources` array item with the resource name, followed by the `providers` array item with the `identity` provider.
+For example, if '`*.*`' is enabled and you want to opt-out encryption for the `events` resource, add a new item
+to the `resources` array with `events` as the resource name, followed by the providers array item with `identity`.
+The new item should look like this:
+
+```yaml
+- resources:
+    - events
+  providers:
+    - identity: {}
+```
+Ensure that the new item is listed before the wildcard '`*.*`' item in the resources array to give it precedence.
+
 For more detailed information about the `EncryptionConfiguration` struct, please refer to the
 [encryption configuration API](/docs/reference/config-api/apiserver-encryption.v1/).