Starting with Kubernetes 1.10, a new feature called the KMS Encryption Provider lets organizations bring their own KMS (ideally an integrated HSM).
The steps to encrypt Kubernetes secrets with key(s) stored in Fortanix Self-Defending KMS are described in Kubernetes KMS Plugin for Self-Defending KMS.