Cluster Secret Encryption

By default, the Kubernetes data including secrets are not encrypted (secrets are base64 encoded; but not encrypted.) This allows anyone with access to Etcd or the network to access secrets. Kubernetes 1.13 supports an EncryptionConfig to allow configuring keys, or an Key Management Service (KMS), to encrypt data. The EncryptionConfig is defined in a file and passed in to the API server using the --encryption-provider-config flag. This feature will allow users to configure and manage the encryption configuration keys.