Feature Request
Resolution: Done
Major
Proposed title of this feature request:
To be able to encrypt ETCD with SecretBox
What is the nature and description of the request?
To be able to use more than one encryption type in etcd; currently, only aescbc is supported.
Why does the customer need this? (List the business requirements here)
AES-CBC does not authenticate data and is known to be vulnerable to padding oracle attacks. While these are not currently feasible attacks against Kubernetes, CBC is risky and a strictly worse option than Secretbox and KMS.
Similar use case for KMS: https://issues.redhat.com/browse/RFE-1783
List any affected packages or components.
- etcd & apiserver.
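
The point about AES-CBC not authenticating data can be seen in a short Go program. This is an added example, not code from the request or from etcd/apiserver: it uses only the Go standard library, with AES-GCM standing in as the authenticated cipher because secretbox is not in the standard library, and the key, value, fixed IV/nonce and function names are constructed for the demo (padding is omitted by using block-aligned input).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values; a real key comes from a key store, never source code.
var key = []byte("0123456789abcdef0123456789abcdef")    // 32 bytes -> AES-256
var secret = []byte("token=constructed-sample-value!!") // 32 bytes = 2 AES blocks

// tamper returns a copy of stored ciphertext with one bit flipped, modelling
// corruption or modification of the bytes at rest.
func tamper(ct []byte) []byte {
	out := append([]byte(nil), ct...)
	out[0] ^= 0x01
	return out
}

// cbcAcceptsTampering reports whether AES-CBC decryption of modified
// ciphertext yields different plaintext without signalling any error.
func cbcAcceptsTampering() bool {
	block, _ := aes.NewCipher(key)
	iv := make([]byte, aes.BlockSize) // fixed IV only to keep the demo deterministic
	ct := make([]byte, len(secret))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, secret)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, tamper(ct))
	return !bytes.Equal(pt, secret) // CryptBlocks has no way to report tampering
}

// aeadRejectsTampering reports whether an AEAD (AES-GCM here, standing in for
// secretbox) refuses to decrypt the same kind of modification.
func aeadRejectsTampering() bool {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize()) // fixed nonce only for the demo
	ct := gcm.Seal(nil, nonce, secret, nil)
	_, err := gcm.Open(nil, nonce, tamper(ct), nil)
	return err != nil
}

func main() {
	fmt.Println("CBC accepts tampered ciphertext:", cbcAcceptsTampering())
	fmt.Println("AEAD rejects tampered ciphertext:", aeadRejectsTampering())
}
```

With CBC, the caller receives altered plaintext and no error; with an authenticated cipher, the modified value is rejected before any plaintext is returned.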