In this article, you learn how to migrate to KMS v2 for clusters with versions older than 1.27. Beginning in AKS version 1.27, turning on the KMS feature configures KMS v2. With KMS v2, you aren't limited to the 2,000 secrets that earlier versions support. For more information, see KMS v2 improvements.
Important
If your cluster version is older than 1.27 and you already turned on KMS, the upgrade to cluster version 1.27 or later is blocked.
Turn off KMS
1. Disable KMS on an existing cluster using the az aks update command with the --disable-azure-keyvault-kms parameter.

   az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --disable-azure-keyvault-kms

2. Update all secrets using the kubectl get secrets command to ensure the secrets created earlier are no longer encrypted. For larger clusters, you might want to subdivide the secrets by namespace or create an update script. If the previous command to update KMS fails, still run the following command to avoid an unexpected state for the KMS plugin.

   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
Upgrade your AKS cluster and turn on KMS
1. Upgrade your AKS cluster to version 1.27 or later using the az aks upgrade command with the --kubernetes-version parameter set to your desired version. The following example upgrades to version 1.27.1:

   az aks upgrade --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --kubernetes-version 1.27.1

2. Once the upgrade completes, you can turn on KMS for a public or private key vault using one of the following resources:

3. Update all secrets using the kubectl get secrets command to ensure the secrets created earlier are no longer encrypted. For larger clusters, you might want to subdivide the secrets by namespace or create an update script. If the previous command to update KMS fails, still run the following command to avoid an unexpected state for the KMS plugin.

   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
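The following script is an added example and is not part of this article or of the AKS tooling. It drives both procedures above (turn off KMS, rewrite secrets, upgrade, turn KMS back on, rewrite secrets again) with a dry-run mode that is on by default, so every az and kubectl command can be reviewed before anything runs, and it rewrites secrets namespace by namespace, as the article suggests for larger clusters. It also refuses a target version older than 1.27, since KMS v2 needs 1.27 or later. The script assumes az and kubectl are installed and signed in, and that the operator sets CLUSTER_NAME, RESOURCE_GROUP and KEY_ID (the Key Vault key identifier used when KMS is turned back on). The flags used to re-enable KMS (--enable-azure-keyvault-kms, --azure-keyvault-kms-key-id) and the securityProfile.azureKeyVaultKms.enabled query path are not shown on this page; they are the standard az aks options and are used here as an assumption.

```shell
#!/bin/sh
# Added example (not from the article): dry-run-first driver for the KMS v1 -> v2 migration.
# Assumptions: az and kubectl are installed and logged in; CLUSTER_NAME, RESOURCE_GROUP and
# KEY_ID are set by the operator. The re-enable flags and the az aks show query path below are
# standard az aks options that are not shown on the page.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = execute them

# Print or execute one command string. All inputs are operator-controlled, so eval is acceptable here.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$1"
    else
        eval "$1"
    fi
}

# Return 0 when a Kubernetes version such as "1.26.10" is older than 1.27, i.e. the cluster
# still runs KMS v1 and needs this migration before it can upgrade.
needs_kms_v2_migration() {
    local major rest minor
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%.*}"
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 27 ]; then return 0; fi
    return 1
}

# Step 1 of "Turn off KMS".
disable_kms_cmd() {
    printf 'az aks update --name %s --resource-group %s --disable-azure-keyvault-kms' \
        "$CLUSTER_NAME" "$RESOURCE_GROUP"
}

# Step 1 of "Upgrade your AKS cluster and turn on KMS"; $1 is the target version.
upgrade_cmd() {
    printf 'az aks upgrade --resource-group %s --name %s --kubernetes-version %s' \
        "$RESOURCE_GROUP" "$CLUSTER_NAME" "$1"
}

# Step 2 of the upgrade section. Assumption: standard az flags; KEY_ID is supplied by the operator.
enable_kms_cmd() {
    printf 'az aks update --name %s --resource-group %s --enable-azure-keyvault-kms --azure-keyvault-kms-key-id %s' \
        "$CLUSTER_NAME" "$RESOURCE_GROUP" "$KEY_ID"
}

# Re-persist every secret in one namespace so it is rewritten under the encryption configuration
# currently active on the API server. Per-namespace batches keep large clusters manageable.
rewrite_secrets_cmd() {
    printf 'kubectl get secrets -n %s -o json | kubectl replace -f -' "$1"
}

# Rewrite secrets namespace by namespace; namespaces are passed as arguments.
rewrite_secrets_in() {
    for ns in "$@"; do
        run "$(rewrite_secrets_cmd "$ns")"
    done
}

# Query whether KMS is currently enabled on the cluster (prints true/false when executed).
# Assumption: securityProfile.azureKeyVaultKms.enabled is the property path in az aks show output.
kms_state_cmd() {
    printf 'az aks show --name %s --resource-group %s --query securityProfile.azureKeyVaultKms.enabled -o tsv' \
        "$CLUSTER_NAME" "$RESOURCE_GROUP"
}

# Full migration: $1 is the cluster's current version, $2 the target (1.27 or later).
migrate() {
    current="$1"; target="${2:-1.27.1}"
    if ! needs_kms_v2_migration "$current"; then
        echo "Cluster is on $current; turning on KMS already configures KMS v2, nothing to migrate." >&2
        return 0
    fi
    if needs_kms_v2_migration "$target"; then
        echo "Target version $target is older than 1.27; KMS v2 requires 1.27 or later." >&2
        return 1
    fi
    # Turn off KMS, then rewrite all secrets so none remain encrypted by the v1 plugin.
    # As the article instructs, the rewrite runs even if the az command failed.
    run "$(disable_kms_cmd)" || echo "warning: disabling KMS failed; still rewriting secrets" >&2
    if [ "$DRY_RUN" = 1 ]; then
        namespaces="default kube-system"   # constructed placeholder list for dry runs
    else
        namespaces=$(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}')
    fi
    rewrite_secrets_in $namespaces   # unquoted on purpose: one argument per namespace
    run "$(upgrade_cmd "$target")"
    run "$(enable_kms_cmd)"
    # Only rewrite secrets again once KMS is confirmed on, so they land in KMS v2 form.
    if [ "$DRY_RUN" != 1 ] && [ "$(eval "$(kms_state_cmd)")" != true ]; then
        echo "KMS is not enabled after the upgrade; not rewriting secrets" >&2
        return 1
    fi
    rewrite_secrets_in $namespaces
}

# Invoke as: RUN_MIGRATION=1 DRY_RUN=1 sh migrate-kms.sh <current-version> [target-version]
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    migrate "$@"
fi
```

Review the dry-run output first; only set DRY_RUN=0 once the command list matches what you expect for the cluster. The post-upgrade state check stops the script before the second rewrite if KMS did not actually come back on, so secrets are never rewritten under the wrong assumption.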
Next steps
For more information on using KMS with AKS, see the following articles: