Forum Discussion
AKS on Azure Local: KMSv1 -> KMSv2
Hey, quick question on AKS Arc — we're running moc-kms-plugin:0.2.172-official on an Arc-enabled AKS cluster on Azure Local and currently have KMSv1=true as a feature gate to keep encryption at rest working.
KMSv1 is deprecated in 1.28+ and we want to migrate to KMSv2 before it gets removed. Since moc-kms-plugin is a Microsoft-managed component we can't just swap it out ourselves.
A few questions:
- Does version 0.2.172 already support the KMSv2 gRPC API, or is that coming in a later release?
- Is there a supported migration path for AKS Arc specifically, or does this come automatically through a platform update?
- Any docs or internal guidance you can point us to?
Thanks!
1 Reply
KMSv1 is deprecated in Kubernetes 1.28+ and disabled by default in 1.29, so migration to KMSv2 is required. The Microsoft-managed moc-kms-plugin used in AKS Arc on Azure Local is being updated to support the KMSv2 gRPC API, but version 0.2.172-official does not yet expose full KMSv2 functionality. Migration for Arc clusters will come through platform updates rather than manual plugin replacement.
https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/
https://github.com/MicrosoftDocs/azure-stack-docs/blob/main/AKS-Arc/encrypt-etcd-secrets.md
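An added example, not part of the thread and not Microsoft's or the Kubernetes project's code: a small audit that reports which `kms` providers in an EncryptionConfiguration still use the v1 API and whether they keep working only because `KMSv1=true` is set explicitly, as in the question. It assumes you can obtain the kube-apiserver arguments and the encryption config from the control plane; the provider name, socket path and file path in the sample are constructed.

```python
import json

# Minor version where the KMSv1 gate became off by default (1.29, per the reply above).
KMSV1_DEFAULT_OFF_MINOR = 29

def parse_feature_gates(apiserver_args):
    """Collect --feature-gates=K=V,... pairs from a kube-apiserver argument list."""
    gates = {}
    for arg in apiserver_args:
        if arg.startswith("--feature-gates="):
            for pair in arg.split("=", 1)[1].split(","):
                name, _, value = pair.partition("=")
                if name:
                    gates[name.strip()] = value.strip().lower() == "true"
    return gates

def kms_providers(encryption_config):
    """Yield (name, api_version) for every kms provider; apiVersion defaults to v1."""
    for rule in encryption_config.get("resources", []):
        for provider in rule.get("providers", []):
            kms = provider.get("kms")
            if kms is not None:
                yield kms.get("name", "<unnamed>"), kms.get("apiVersion", "v1")

def audit(minor, apiserver_args, encryption_config):
    """Return (provider, finding) for each kms v1 provider on Kubernetes 1.<minor>."""
    gates = parse_feature_gates(apiserver_args)
    default_on = minor < KMSV1_DEFAULT_OFF_MINOR
    enabled = gates.get("KMSv1", default_on)
    findings = []
    for name, version in kms_providers(encryption_config):
        if version != "v1":
            continue  # v2 providers do not depend on the KMSv1 gate
        if not enabled:
            findings.append((name, "broken: KMSv1 gate is off"))
        elif not default_on:
            findings.append((name, "works only via explicit KMSv1=true"))
        else:
            findings.append((name, "KMSv1 on by default in this version"))
    return findings

# Constructed sample input (JSON is valid YAML, so this matches the config file's shape).
SAMPLE_CONFIG = json.loads('{"resources": [{"resources": ["secrets"], "providers": ['
    '{"kms": {"name": "example-kms", "endpoint": "unix:///tmp/example.sock"}}, {"identity": {}}]}]}')
SAMPLE_ARGS = ["--feature-gates=KMSv1=true", "--encryption-provider-config=/etc/example/enc.json"]

if __name__ == "__main__":
    for minor in (28, 29):
        print(minor, audit(minor, SAMPLE_ARGS, SAMPLE_CONFIG))
```

A finding of "works only via explicit KMSv1=true" marks a cluster that is waiting on the platform update described in the reply.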