Creating a Kubernetes Cluster with Encrypted Secrets
Learn how to create a Kubernetes cluster with encrypted secrets in the etcd key-value store in OCI.
Note: These instructions assume you have already followed the steps in Encrypting Kubernetes Secrets at Rest in Etcd and created:
- A dynamic group including all clusters in the compartment
- A policy to give the dynamic group access to a master encryption key in an OCI vault
- Open the navigation menu and select Developer Services. Under Containers & Artifacts, select Kubernetes Clusters (OKE).
- Under List Scope, in the Compartment list, choose the compartment where you want to create a Kubernetes cluster that has Kubernetes secrets encrypted with a Vault service master encryption key.
- Select Create Cluster, follow the instructions under Using the Console to create a Cluster with Explicitly Defined Settings in the 'Custom Create' workflow in Creating Kubernetes Clusters Using Console Workflows, and select the Encrypt Using Customer-Managed Keys option.
Note: These instructions assume you have already followed the steps in Encrypting Kubernetes Secrets at Rest in Etcd and created:
- A dynamic group including all clusters in the compartment
- A suitable policy to give the dynamic group access to the master encryption key in Vault
Open a command prompt and run oci ce cluster create to create a cluster where Kubernetes secrets at rest in the etcd data store are encrypted with a Vault service master encryption key:

oci ce cluster create --name <cluster_name> --compartment-id <target_compartment_id> --vcn-id <target_vcn_id> --kubernetes-version <kubernetes_version> --kms-key-id <target_key_id>

For example:

oci ce cluster create --name EncryptedCluster \
  --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz \
  --vcn-id ocid1.vcn.oc1.iad.exampleexamplesgwertshsdgfy2muagjhrcmzhtp6c5fplejt3miqvyja \
  --kubernetes-version v1.14.8 \
  --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq
For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
Run the CreateCluster operation to create a Kubernetes cluster with encrypted secrets.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
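Whether the cluster was created with the CLI command above or the CreateCluster API, a practitioner will want to confirm afterwards that the customer-managed key actually took effect rather than trust the request. The following POSIX shell check is an added example, not part of the OCI documentation: it reads the JSON that `oci ce cluster get --cluster-id <cluster_ocid>` prints, extracts the `kms-key-id` field, and compares it with the key OCID you expect. The OCIDs in the sample responses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not OCI's own code): verify that a cluster's Kubernetes secrets
# are encrypted with the expected Vault master encryption key by inspecting the
# JSON from `oci ce cluster get`. Input is passed as text so it can be tested offline.

# Print the value of "kms-key-id" from cluster JSON; prints nothing if the
# field is missing or null (i.e. no customer-managed key is configured).
extract_kms_key_id() {
    printf '%s\n' "$1" | tr -d '\n' \
        | sed -n 's/.*"kms-key-id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Returns 0 when the cluster uses the expected key, 1 when no customer-managed
# key is set at all, and 2 when a different key is configured.
verify_cluster_kms_key() {
    json="$1"
    expected="$2"
    actual=$(extract_kms_key_id "$json")
    if [ -z "$actual" ]; then
        echo "FAIL: kms-key-id is null or missing; secrets are not encrypted with a customer-managed key" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: cluster uses key $actual, expected $expected" >&2
        return 2
    fi
    echo "OK: cluster encrypts etcd secrets with $actual"
    return 0
}

# Constructed sample responses shaped like `oci ce cluster get` output (placeholder OCIDs).
ENCRYPTED_JSON='{"data": {"name": "EncryptedCluster", "lifecycle-state": "ACTIVE",
  "kms-key-id": "ocid1.key.region1.sea.EXAMPLE_KEY_OCID"}}'
UNENCRYPTED_JSON='{"data": {"name": "PlainCluster", "lifecycle-state": "ACTIVE",
  "kms-key-id": null}}'

# Real use (assumes CLUSTER_OCID and KEY_OCID are set in the environment):
#   verify_cluster_kms_key "$(oci ce cluster get --cluster-id "$CLUSTER_OCID")" "$KEY_OCID"
```

Run the check after the cluster reaches the ACTIVE state; a non-zero exit is a signal to investigate the dynamic group and policy described in the notes above before putting workloads on the cluster.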