Encrypt etcd secrets for Azure Kubernetes Service clusters
Applies to: AKS on Azure Stack HCI 22H2, AKS on Windows Server
This article describes how to monitor and troubleshoot the encryption of etcd secrets for Azure Kubernetes Service (AKS) management clusters and workload clusters in AKS enabled by Azure Arc.
A secret in Kubernetes is an object that contains a small amount of sensitive data, such as passwords and SSH keys. The Kubernetes API server stores secrets in etcd, a highly available key-value store that Kubernetes uses as the backing store for all cluster data. AKS Arc comes with encryption of etcd secrets and automates the management and rotation of encryption keys.
Monitor and troubleshoot
To simplify application deployment on Kubernetes clusters, review the documentation and scripts.
- To set up logging using Elasticsearch, Fluent Bit, and Kibana, follow the steps to install the tools and set up logging.
- To use the monitoring tool Prometheus, follow the steps to install Prometheus in a Kubernetes cluster.
Note
You can find the logs on the control plane node under /var/log/pods.
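When troubleshooting, it helps to confirm what is actually stored in etcd. The following is an added example, not code from this article or from AKS Arc: it classifies raw etcd values by the upstream Kubernetes encryption-at-rest prefix (`k8s:enc:<provider>:<version>:<key name>:`) and lists which keys are still in use, which shows secrets not yet rewritten after a rotation. The article does not state which provider AKS Arc uses, so the `aescbc` provider, key names, and payloads in the sample are constructed assumptions.

```python
# Added example: classify raw etcd values for Kubernetes Secrets by their
# encryption-at-rest prefix. All sample data below is constructed.
from collections import Counter

ENC_PREFIX = b"k8s:enc:"      # written by the API server's encryption providers
PROTOBUF_PLAIN = b"k8s\x00"   # unencrypted, protobuf-encoded object


def classify(raw: bytes) -> dict:
    """Return the at-rest state of one raw etcd value."""
    if raw.startswith(ENC_PREFIX):
        # Layout: k8s:enc:<provider>:<version>:<key or plugin name>:<ciphertext>
        # maxsplit=3 keeps any ':' bytes inside the ciphertext intact.
        parts = raw[len(ENC_PREFIX):].split(b":", 3)
        if len(parts) < 4:
            return {"state": "malformed"}
        provider, version, key_name, _ciphertext = parts
        return {
            "state": "encrypted",
            "provider": provider.decode("ascii", "replace"),
            "version": version.decode("ascii", "replace"),
            "key": key_name.decode("ascii", "replace"),
        }
    if raw.startswith(PROTOBUF_PLAIN) or raw.lstrip().startswith(b"{"):
        return {"state": "plaintext"}
    return {"state": "unknown"}


def audit(entries: dict) -> dict:
    """Summarise many {etcd_key: raw_value} pairs."""
    needs_review, keys_in_use = [], Counter()
    for etcd_key, raw in entries.items():
        result = classify(raw)
        if result["state"] == "encrypted":
            keys_in_use[f'{result["provider"]}:{result["key"]}'] += 1
        else:
            needs_review.append(etcd_key)
    return {"needs_review": sorted(needs_review), "keys_in_use": dict(keys_in_use)}


# Constructed sample values (provider, key names and payloads are made up).
SAMPLE = {
    "/registry/secrets/default/db-pass": b"k8s:enc:aescbc:v1:key2:\x8f\x01\xa2:\x10",
    "/registry/secrets/default/api-token": b"k8s:enc:aescbc:v1:key1:\x11\x22\x33",
    "/registry/secrets/kube-system/legacy": b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

More than one entry under `keys_in_use` means some secrets are still encrypted with an older key; any path under `needs_review` is stored without a recognised encryption prefix.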