Putting an Invisible Shield on Kubernetes Secrets
Engineering decisions • apiserver is responsible for • DEK generation • Secret en/decryption • kms-plugin • keeps KEK cache • only en/decrypts DEK, not secrets Encryption Workflow Decryption Workflow KMS probe • Monitoring • Integration w/ Prometheus • Metrics including • latency of en/decryption • failure times of en/decryption • KMS health check • Ops tooling • kms-plugin-tools KMS Plugin as a • APIs, logic, iteration plan for developers • Experience for users/operators • TEE as an option, en/disable based on • Hardware configurations • Biz scenarios • Solutions evaluated • Go KMS Plugin
0 points | 33 pages | 20.81 MB | 1 year ago
Key management, keys
Turtles all the way down - Securely managing Kubernetes Secrets
DEK is encrypted with KEK {SECRET}DEK + {DEK}KEK Envelope Source for crypto notation: https://en.wikipedia.org/wiki/Security_protocol_notation KMS 1.10 Envelope Encryption Sequence Master kube-apiserver
0 points | 52 pages | 2.84 MB | 1 year ago
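Kubernetes Platform Comparison: Red Hat OpenShift, SUSE Rancher and Canonical Kubernetes
Rancher, covering 19 key features, with summary scores provided in a table at the end of the report. Canonical Kubernetes proves to be the most flexible, advantageous and cost-effective distribution. 1. https://www.gartner.com/en/newsroom/press-releases/2020-06-25-gartner-forecasts-strong-revenue-growth-for-global-co Key considerations for enterprise Kubernetes
0 points | 10 pages | 1.26 MB | 1 year ago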