Extend "encrypt-at-rest" to support integration with KMS

[andrey-podko]

What would you like to be added

Would be great to get out-of-box integration with KMSv2 plugins like

• https://github.com/Azure/kubernetes-kms (not perfect, but at least it has releases and official docker images)
• aws-encryption-provider (unfortunately it doesn't have official docker images and end-of-support on July 31, 2025 without update to V2 API SDK)
• https://github.com/GoogleCloudPlatform/k8s-cloudkms-plugin ( also doesn't have official docker images, at least public available)

Also would be great to have there convenient support of encryption key rotation instead 1 key for all times ). Unfortunately current implementation overwrites all changes in secrets_encryption.yaml and every cluster update breaks the encrypt-at-rest.

apiServer:
  extraArgs:
    encryption-provider-config-automatic-reload: true

This also can be a good option

KMSv2 is stable since kubernetes 1.29

Why is this needed

That's needed to have possibility of using external encryption keys/services for cases like "someone stole content/backups of etcd/control-plane"

[tico88612]

You can try kube_kubeadm_apiserver_extra_args.

[andrey-podko]

Yes, and it should works, but would be very nice to have it out-of-box, like aes encryption

[tico88612]

If you would like to see this become an option or variable, you (or anyone else) are welcome to open a PR to discuss it with us.