CipherTrust Transparent Encryption for Kubernetes
…stored data, control is limited. As a result, these security teams find it hard to comply with the relevant security policies and regulatory mandates. Solution: CipherTrust Transparent Encryption for Kubernetes. CipherTrust Transparent Encryption for Kubernetes provides kernel-level encryption, access control and data-access logging for containers, enabling enterprises to establish robust … for data in Kubernetes environments, all centrally managed through CipherTrust Manager. Benefits: CipherTrust Transparent Encryption for Kubernetes delivers: • Compliance: this extension of CipherTrust Transparent Encryption addresses the compliance requirements and regulatory mandates for protecting sensitive data, for example payment-card data, healthcare records or other sensitive assets. • Protection against privileged-user threats … Transparent Encryption for Kubernetes enforces strong data-security policies. With no changes to applications, containers or infrastructure, enterprises can choose to deploy and use containers for cost efficiency, control or performance.
0 码力 | 2 pages | 459.23 KB | 1 year ago
Tags: key management, keys
Turtles all the way down - Securely managing Kubernetes Secrets
…secrets. Encryption: always encrypt before writing to disk. Rotation: change a secret regularly in case of compromise. Isolation: separate where secrets are used from where they are managed. Encryption at different layers (or turtles): disks, file system, etcd. Recommendation: use two layers of encryption, e.g., full-disk & application-layer. … then tries to decrypt it (https://xkcd.com/538/, https://xkcd.com/license). … document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: 3.6.4 Cryptographic key changes for keys that have
0 码力 | 52 pages | 2.84 MB | 1 year ago
Putting an Invisible Shield on Kubernetes Secrets
Background: K8s Secrets: …base64 encoded) • K8s 1.7+: at-rest encryption for etcd (local + remote). Local Encryption Provider: encryption keys stored on the API server; secrets stored in etcd; secrets decrypted on the API server prior to use. KMS Encryption Provider: encryption keys stored in a remote KMS; envelope encryption scheme; DEK & KEK. Motivation: K8s Secrets Protection • Performance (KMS plugin) … compromise: leak DEKs, leak KEKs. [1] KubeCon NA 2019: "TEE-based KMS Plugin for encryption of Kubernetes Secrets", by Raghu Yeluri & Haidong Xia, Intel Corp. TEE-based KMS Provider • Address
0 码力 | 33 pages | 20.81 MB | 1 year ago
Kubernetes开源书 - 周立 (Kubernetes open-source book, by 周立)
For details on deploying Ingress in a federated cluster, see the federation doc. Future Work: HTTPS/TLS support in various modes (e.g., SNI, re-encryption); requesting IPs or hostnames declaratively; combining L4 and L7 Ingress; more Ingress Controllers; follow the L7 and Ingress proposal (L7 and Ingres
0 码力 | 135 pages | 21.02 MB | 1 year ago
4 results in total
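The "Putting an Invisible Shield on Kubernetes Secrets" result summarises the KMS provider's envelope scheme (a per-object DEK wrapped under a KEK held in a remote KMS) and the "Turtles all the way down" result recommends regular rotation and application-layer encryption. The following Go program is an added worked example of that scheme written for this listing; it is not code from either talk, from Kubernetes or from any KMS plugin. It assumes AES-256-GCM for both layers (the snippets name no algorithm), holds the KEK in process memory purely for illustration (in the real design wrap/unwrap are requests to the KMS and the KEK never leaves it), and uses constructed KEK identifiers and a constructed sample secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KEK struct {
	ID  string // identifier; in the real design the key itself never leaves the KMS
	Key []byte // 32 bytes: AES-256 (held in memory here for illustration only)
}

// Envelope is the per-Secret record that would be written to etcd.
type Envelope struct {
	KEKID      string // which KEK wrapped the DEK; needed to unwrap or rotate
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// randomBytes draws from crypto/rand; a failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKEK creates a fresh 256-bit KEK under the given (assumed) identifier.
func NewKEK(id string) KEK { return KEK{ID: id, Key: randomBytes(32)} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt: fresh DEK per object, DEK wrapped under the KEK with the KEK ID bound in as AAD.
func Encrypt(kek KEK, plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek.Key, dek, []byte(kek.ID))
	return Envelope{KEKID: kek.ID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK with the named KEK, then opens the data; without that KEK the record is opaque.
func Decrypt(keks map[string]KEK, env Envelope) ([]byte, error) {
	dek, err := unseal(keks[env.KEKID].Key, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with KEK %q: %w", env.KEKID, err)
	}
	return unseal(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK without touching the bulk ciphertext.
func RotateKEK(oldKEK, newKEK KEK, env Envelope) (Envelope, error) {
	dek, err := unseal(oldKEK.Key, env.WrappedDEK, []byte(oldKEK.ID))
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap with KEK %q: %w", oldKEK.ID, err)
	}
	wrapped, err := seal(newKEK.Key, dek, []byte(newKEK.ID))
	return Envelope{KEKID: newKEK.ID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

func main() {
	old, cur := NewKEK("kek-2024-01"), NewKEK("kek-2024-02") // constructed KEK IDs
	env, _ := Encrypt(old, []byte("db-password=s3cr3t"))   // constructed sample secret
	env, _ = RotateKEK(old, cur, env)
	pt, err := Decrypt(map[string]KEK{cur.ID: cur}, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

RotateKEK is the point of the two-layer design: rotating the KEK only re-wraps each object's small DEK, the bulk ciphertext in etcd is never re-encrypted, and a record still naming the retired KEK can no longer be opened once that KEK is withdrawn. The compromise split from the talk's motivation slide falls out of the same structure: an API server that has unwrapped DEKs can leak those DEKs, but only the KMS side holds the KEK, so a copied etcd backup on its own yields nothing.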