Managed Kubernetes Encrypted Clusters
UpCloud’s Managed Kubernetes includes encryption-at-rest support for the storage persistence layers involved. Users can enable storage encryption on a cluster, node group or Persistent Volume basis.
Enabling encryption-at-rest affects storage performance. See the encryption-at-rest documentation for more information.
This feature is currently only available through Terraform and the API.
Cluster encryption
Cluster-level encryption can only be enabled upon cluster creation. All persistent storage in the cluster control plane will have encryption-at-rest enabled. Subsequently, all node groups and Persistent Volumes have encryption-at-rest enabled. Users can opt out of the two by explicitly creating non-encrypted resources, meaning node groups with encryption disabled and Persistent Volumes with a non-default storage class (such as upcloud-block-storage-maxiops).
Use the storage_encryption parameter of the upcloud_kubernetes_cluster resource in Terraform. See the Terraform provider documentation for more information.
Node group encryption
For existing clusters, users can opt in to node-group level encryption by creating a new node group with encryption enabled. This allows mixing and matching node groups with varying encryption requirements, on a per-workload basis.
Use the storage_encryption parameter of the upcloud_kubernetes_node_group resource in Terraform. See the Terraform provider documentation for more information.
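The following Terraform configuration is an added example covering both the cluster-level and the node-group-level settings described above; it is not taken from UpCloud's documentation or provider. It creates an encrypted cluster, a node group that inherits the cluster default, and a second node group that explicitly opts out, which is the mix-and-match pattern the text describes. The values "data-at-rest" and "none" for storage_encryption, the zone, the plan names, the network address and the control-plane allow list are assumptions for illustration; check the provider documentation for the accepted values before applying.

```hcl
terraform {
  required_providers {
    upcloud = {
      source = "UpCloudLtd/upcloud"
    }
  }
}

# Private network for the cluster nodes (address range is a constructed example).
resource "upcloud_network" "k8s" {
  name = "encrypted-k8s-network"
  zone = "fi-hel2"

  ip_network {
    address = "172.16.1.0/24"
    dhcp    = true
    family  = "IPv4"
  }
}

# Cluster-level encryption: can only be set at creation time. All control-plane
# storage is encrypted, and node groups / PVs inherit encryption by default.
resource "upcloud_kubernetes_cluster" "encrypted" {
  name    = "encrypted-cluster"
  zone    = "fi-hel2"
  network = upcloud_network.k8s.id

  # Assumed value; verify against the provider documentation.
  storage_encryption = "data-at-rest"

  # Restrict API server access to an operator network rather than 0.0.0.0/0.
  # 203.0.113.0/24 is a documentation placeholder, not a real allow list.
  control_plane_ip_filter = ["203.0.113.0/24"]
}

# Node group for workloads with data-at-rest requirements. No storage_encryption
# is set, so it inherits the cluster default (encrypted).
resource "upcloud_kubernetes_node_group" "sensitive" {
  cluster    = upcloud_kubernetes_cluster.encrypted.id
  name       = "sensitive-workloads"
  node_count = 2
  plan       = "2xCPU-4GB"

  labels = {
    "storage-encryption" = "enabled"
  }
}

# Node group that explicitly opts out of encryption, e.g. for throughput-bound
# scratch workloads. "none" is an assumed value; verify in the provider docs.
resource "upcloud_kubernetes_node_group" "scratch" {
  cluster    = upcloud_kubernetes_cluster.encrypted.id
  name       = "scratch-workloads"
  node_count = 1
  plan       = "2xCPU-4GB"

  storage_encryption = "none"

  labels = {
    "storage-encryption" = "disabled"
  }
}
```

The labels are there so that workloads can be pinned with a nodeSelector to the group whose encryption posture matches their data classification; without them, the scheduler may place a sensitive pod on the unencrypted scratch group.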
Persistent Volume encryption
The UpCloud CSI driver introduces a storage class upcloud-block-storage-maxiops-encrypted.
See the CSI driver storage encryption tutorial for more information.
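As an added example, not part of UpCloud's documentation, the Terraform snippet below requests a Persistent Volume using the encrypted storage class through the Kubernetes provider, so the whole setup stays in Terraform as the page requires. It assumes the upcloud_kubernetes_cluster data source exposes host, client_certificate, client_key and cluster_ca_certificate (as the provider documents), and that a cluster named "encrypted-cluster" already exists; the namespace, claim name and size are constructed values.

```hcl
terraform {
  required_providers {
    upcloud = {
      source = "UpCloudLtd/upcloud"
    }
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}

# Look up an existing cluster by id. The id is assumed to be supplied as a variable.
variable "cluster_id" {
  type = string
}

data "upcloud_kubernetes_cluster" "encrypted" {
  id = var.cluster_id
}

# Authenticate the Kubernetes provider with the cluster's client certificate
# rather than a long-lived token.
provider "kubernetes" {
  host                   = data.upcloud_kubernetes_cluster.encrypted.host
  client_certificate     = data.upcloud_kubernetes_cluster.encrypted.client_certificate
  client_key             = data.upcloud_kubernetes_cluster.encrypted.client_key
  cluster_ca_certificate = data.upcloud_kubernetes_cluster.encrypted.cluster_ca_certificate
}

# Name the encrypted storage class explicitly. Relying on the cluster default
# would silently yield an unencrypted volume if the cluster itself was created
# without storage_encryption, so pin the class wherever encryption is required.
resource "kubernetes_persistent_volume_claim" "db_data" {
  metadata {
    name      = "db-data"
    namespace = "default"
  }

  spec {
    storage_class_name = "upcloud-block-storage-maxiops-encrypted"
    access_modes       = ["ReadWriteOnce"]

    resources {
      requests = {
        storage = "20Gi"
      }
    }
  }
}
```

After apply, the bound PV's storage class can be confirmed from the PVC's spec; a claim that ended up on upcloud-block-storage-maxiops (the non-encrypted class) is the opt-out case the cluster section describes and should be treated as a finding in an encrypted cluster.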