MKA1 has active encryption controls in the deployed production environment. We verified encryption at rest for Kubernetes secrets and EBS-backed volumes, and encryption in transit for the public edge and the production CNPG/PostgreSQL cluster.

What is active

Encryption at rest

The following controls were verified in the live production environment:
  • EKS secrets envelope encryption is active on mk1-eks-production.
  • The live EKS cluster reports encryptionConfig for resource type secrets.
  • The live cluster reports a KMS provider key ARN: arn:aws:kms:us-west-2:REDACTED:key/5d84bfa7-REDACTED.
  • The production ebs-sc storage class uses the ebs.csi.aws.com provisioner with encrypted: "true" and type: gp3.
The deployed infrastructure source also declares encrypted EBS-backed storage:
  • infra-resources/mk1/resources/storage/ebs-storage-class.yaml sets encrypted: "true" on ebs-sc.
  • infra-resources/helm/cnpg/kube/cluster-production.yaml uses storageClass: ebs-sc for the production PostgreSQL cluster.

Encryption in transit

The following controls were verified in the live production environment:
  • apigw.mka1.com:443 negotiated TLSv1.3 with cipher suite TLS_AES_128_GCM_SHA256.
  • livekit.mka1.com:443 negotiated TLSv1.3 with cipher suite TLS_AES_128_GCM_SHA256.
  • Both public TLS checks completed with certificate verification OK.
  • The public Kong ingress is configured with alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06.
  • The live CNPG/PostgreSQL cluster reports ssl_min_protocol_version: TLSv1.3 and ssl_max_protocol_version: TLSv1.3.
  • The live CNPG/PostgreSQL cluster reports active certificate material in clientCASecret, serverCASecret, serverTLSSecret, and replicationTLSSecret.
The deployed infrastructure source also declares the public ingress TLS policy:
  • infra-resources/kong/resources/ingress-proxy.yaml sets alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06.

How we validate it

We validate the deployed state with repo-owned scripts in infra-resources and live cluster inspection.
tools/compliance/verify_storage_encryption.sh captures storage encryption evidence by running:
aws eks describe-cluster --name mk1-eks-production --region us-west-2
kubectl get storageclass ebs-sc efs-sc -o yaml
aws efs describe-file-systems --region us-west-2
aws ec2 describe-volumes --region us-west-2 \
  --filters Name=tag:kubernetes.io/created-for/pvc/name,Values='*'
tools/compliance/verify_tls13.sh captures public TLS evidence by running openssl s_client with -tls1_3 against each public endpoint. Because the probe pins -tls1_3, a successful handshake shows that TLS 1.3 is offered; it does not show which older versions the edge still accepts, and ELBSecurityPolicy-TLS13-1-2-2021-06 also negotiates TLS 1.2.
openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -brief
openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -showcerts

openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -brief
openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -showcerts
We also verify live cluster configuration directly:
kubectl -n kong get ingress kong-alb-ingress -o yaml
kubectl -n cnpg get cluster -o yaml
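The scripts above capture evidence; the following added example (not part of infra-resources or the verify scripts) turns the same captures into pass/fail checks. It assumes the kubectl commands are rerun with -o json so the output can be parsed, and every sample input is constructed from the redacted excerpts in the Evidence section, with placeholder account and key IDs. The refused-handshake check is the one the -tls1_3-only probe does not perform.

```python
"""Evaluate captured encryption evidence as pass/fail controls.

Added example: consumes output from the commands in "How we validate it"
(kubectl run with -o json) and asserts on it rather than only storing it.
All sample inputs are constructed from the redacted excerpts on this page,
with placeholder account and key IDs; they are not live captures.
"""
import json
import re

# Constructed: aws eks describe-cluster --name mk1-eks-production --region us-west-2
EKS_DESCRIBE_CLUSTER = """
{
  "cluster": {
    "name": "mk1-eks-production",
    "encryptionConfig": [
      {"resources": ["secrets"],
       "provider": {"keyArn": "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000"}}
    ]
  }
}
"""

# Constructed: kubectl get storageclass ebs-sc -o json (trimmed)
STORAGECLASS_EBS_SC = """
{
  "kind": "StorageClass",
  "metadata": {"name": "ebs-sc"},
  "provisioner": "ebs.csi.aws.com",
  "parameters": {"encrypted": "true", "type": "gp3"},
  "volumeBindingMode": "WaitForFirstConsumer"
}
"""

# Constructed: kubectl -n kong get ingress kong-alb-ingress -o json (trimmed)
KONG_INGRESS = """
{
  "kind": "Ingress",
  "metadata": {"name": "kong-alb-ingress",
               "annotations": {"alb.ingress.kubernetes.io/ssl-policy": "ELBSecurityPolicy-TLS13-1-2-2021-06"}}
}
"""

# Constructed: openssl s_client -connect ... -tls1_3 -brief (status lines)
OPENSSL_BRIEF_TLS13 = """\
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits
"""

# Constructed: shape of a refused legacy handshake (e.g. -tls1_1) in -brief mode; no CONNECTION ESTABLISHED line
OPENSSL_BRIEF_REFUSED = "error:0A000102:SSL routines::unsupported protocol\n"

TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def check_eks_secrets_encryption(describe_cluster_json, expected_region="us-west-2"):
    """True iff 'secrets' is envelope-encrypted with a KMS key in the expected region."""
    cluster = json.loads(describe_cluster_json)["cluster"]
    for cfg in cluster.get("encryptionConfig", []):
        key_arn = cfg.get("provider", {}).get("keyArn", "")
        if "secrets" in cfg.get("resources", []) and key_arn.startswith(f"arn:aws:kms:{expected_region}:"):
            return True
    return False


def check_storageclass_encrypted(sc_json):
    """True iff the class uses the EBS CSI driver and requests encryption at provision time."""
    sc = json.loads(sc_json)
    return sc.get("provisioner") == "ebs.csi.aws.com" and sc.get("parameters", {}).get("encrypted", "").lower() == "true"


def check_alb_ssl_policy(ingress_json, allowed=("ELBSecurityPolicy-TLS13-1-2-2021-06",)):
    """True iff the ALB ssl-policy annotation is one of the approved policies."""
    annotations = json.loads(ingress_json)["metadata"].get("annotations", {})
    return annotations.get("alb.ingress.kubernetes.io/ssl-policy") in allowed


def parse_openssl_brief(brief_output):
    """Pull protocol, cipher, verification and connection state out of -brief output."""
    fields = {"established": "CONNECTION ESTABLISHED" in brief_output}
    for key, label in (("protocol", "Protocol version"), ("cipher", "Ciphersuite"), ("verification", "Verification")):
        m = re.search(rf"^{label}:\s*(.+)$", brief_output, re.MULTILINE)
        fields[key] = m.group(1).strip() if m else None
    return fields


def check_tls13_handshake(brief_output):
    """True iff the probe negotiated TLS 1.3 with a TLS 1.3 suite and the chain verified."""
    f = parse_openssl_brief(brief_output)
    return f["established"] and f["protocol"] == "TLSv1.3" and f["cipher"] in TLS13_SUITES and f["verification"] == "OK"


def check_handshake_refused(brief_output):
    """True iff a forced legacy-version probe did NOT establish a connection."""
    return not parse_openssl_brief(brief_output)["established"]


def evaluate_all():
    """Run every control against the constructed samples; all should pass."""
    return {
        "eks_secrets_envelope_encryption": check_eks_secrets_encryption(EKS_DESCRIBE_CLUSTER),
        "ebs_sc_encrypted": check_storageclass_encrypted(STORAGECLASS_EBS_SC),
        "kong_alb_ssl_policy": check_alb_ssl_policy(KONG_INGRESS),
        "apigw_tls13": check_tls13_handshake(OPENSSL_BRIEF_TLS13),
        "legacy_tls_refused": check_handshake_refused(OPENSSL_BRIEF_REFUSED),
    }


if __name__ == "__main__":
    for control, ok in evaluate_all().items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```

To use it against a real run, replace the constructed constants with the saved command output (openssl's -brief status lines go to stderr, so capture 2>&1) and extend the refused check with a probe that pins an older version, such as -tls1_1.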

Evidence

The following sanitized snippets are excerpted from checks against our live production deployment. They preserve the verified encryption signals and redact unrelated infrastructure details.

EKS secrets envelope encryption

{
  "cluster": {
    "name": "mk1-eks-production",
    "encryptionConfig": [
      {
        "resources": [
          "secrets"
        ],
        "provider": {
          "keyArn": "arn:aws:kms:us-west-2:[redacted-account]:key/[redacted-key-id]"
        }
      }
    ]
  }
}

Encrypted EBS-backed storage class

kind: StorageClass
metadata:
  name: ebs-sc
parameters:
  encrypted: "true"
  type: gp3
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer

Public API gateway TLS 1.3 handshake

Verifying TLS 1.3 for apigw.mka1.com:443
Connecting to [redacted-ip]
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
Verify return code: 0 (ok)

LiveKit TLS 1.3 handshake

Verifying TLS 1.3 for livekit.mka1.com:443
Connecting to [redacted-ip]
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
Verify return code: 0 (ok)

Verified live cluster excerpts

Kong public ingress:
- alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06

CNPG/PostgreSQL:
- ssl_min_protocol_version: TLSv1.3
- ssl_max_protocol_version: TLSv1.3
- clientCASecret: mk1-db-[redacted]
- serverCASecret: mk1-db-[redacted]
- serverTLSSecret: mk1-db-[redacted]
- replicationTLSSecret: mk1-db-[redacted]