Encrypting data at rest is a primary step in securing a Kubernetes cluster. KMS provides an interface for a provider to utilize a key stored in an external key service to perform this encryption. While KMS v1 on AKS enabled the encryption of Kubernetes secrets using a key in Azure Key Vault, it was limited to only supporting encryption of 2000 secrets. To address this limitation, the Azure Container Upstream team, in collaboration with the Kubernetes community, spearheaded the enhancement project. After being part of two Kubernetes releases, this feature has graduated to beta in Kubernetes v1.27. As soon as KMS v2 became beta in v1.27, Microsoft promptly made it available on AKS as one of many security enhancement features available to its users. For a full list of KMSv2 enhancements, check out this Kubernetes blog post.
For clusters at version v1.27+ with KMS newly enabled, KMS v2 is configured by default. However, for clusters with KMS enabled at versions below v1.27, upgrading to v1.27 will be blocked . To upgrade, follow the steps outlined in this documentation for migrating from KMS v1 to v2, and then proceed with upgrading the cluster to version v1.27.
Running your v1.27 AKS cluster with KMS v2 feature enabled, you can now encrypt more than 2000 secrets.
