Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

3299-kms-v2-improvements #3302

Merged
merged 21 commits into from
Jun 17, 2022
Merged

3299-kms-v2-improvements #3302

merged 21 commits into from
Jun 17, 2022

Conversation

ritazh
Copy link
Member

@ritazh ritazh commented May 9, 2022
edited
Loading

Signed-off-by: Rita Zhang rita.z.zhang@gmail.com

One-line PR description: Introduce KMS v2alpha1 API to add performance, rotation, and observability improvements

Issue link: #3299

Other comments:

NOTE: The observability part of this KEP has been reviewed and approved for alpha as part of KEP #3133. The old KEP has been marked as replaced as part of this KEP PR.

FYI @ibihim @aramase @dgrisonnet

@ritazh
3299-kms-v2-improvements
b0345e6 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 9, 2022
@k8s-ci-robot k8s-ci-robot requested a review from enj May 9, 2022 16:09
@k8s-ci-robot k8s-ci-robot added the kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory label May 9, 2022
@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label May 9, 2022
@ritazh
Copy link
Member Author

ritazh commented May 9, 2022

/assign @enj @smarterclayton @deads2k

Mo and Clayton PTAL at the KEP details. David PTAL at the PRR details.

aramase and others added 2 commits May 9, 2022 17:23
@aramase
chore: add sequence diagram for encrypt and decrypt request
9cbc4c7 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@ritazh
Merge pull request #1 from aramase/3299-kms-v2
a7dde44 
chore: add sequence diagram for encrypt and decrypt request
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 9, 2022
enj
enj reviewed May 9, 2022
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM for alpha.

keps/sig-auth/3299-kms-v2-improvements/README.md Outdated Show resolved Hide resolved
keps/sig-auth/3299-kms-v2-improvements/README.md Show resolved Hide resolved
@ritazh
Address comments
fbbe62a 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
@ritazh ritazh mentioned this pull request May 10, 2022
Closed
@ritazh
Update cipher to ciphertext, plain to plaintext
2ea5c24 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
@aramase
chore: use snake case for non-generated proto API
b4a4b95 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@aramase aramase mentioned this pull request May 18, 2022
Merged
@ritazh
Merge pull request #2 from aramase/3299-kms-v2
6d3d847 
chore: use snake case for non-generated proto API
@ritazh
Scope rotation to a single api server
31634ad 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
@aramase
add comments for encrypted object (#5)
6f80e8e 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 14, 2022
deads2k
deads2k reviewed Jun 14, 2022
View reviewed changes
keps/sig-auth/3299-kms-v2-improvements/README.md Outdated

###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?

Yes, via the `KMSv2` feature gate. Disabling this gate without first doing a storage migration to use a different encryption at rest mechanism will result in data loss.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's more than data loss right, the server would not understand the encryption configuration and I would expect it to fail to start.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are adding a new APIVersion field in the KMS configuration which can be used to indicate v2 API. When the KMSv2 feature gate is disabled, any kms provider that is configured for v2 in the KMS configuration will not take effect because all the code is behind the feature gate. So, this would only result in data loss because existing encrypted data can't be decrypted but the KMS configuration would still load fine.

cc @enj @ritazh to add anything I missed here

@aramase
add additional prr questions (#6)
ebedb57 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
deads2k
deads2k reviewed Jun 15, 2022
View reviewed changes
keps/sig-auth/3299-kms-v2-improvements/README.md Outdated
https://github.com/kubernetes/kubernetes/pull/97058/files#diff-7826f7adbc1996a05ab52e3f5f02429e94b68ce6bce0dc534d1be636154fded3R246-R282
-->

N/A. When the feature is disabled, data stored in etcd will no longer be encrypted using the external kms provider with v2 API
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to know the failure mode of servers if the feature is disabled improperly and I think a manual test to confirm it does what is expected is appropriate.

https://github.com/kubernetes/enhancements/pull/3302/files/6f80e8efe18e3371053baaa746585515d981c5d3..ebedb576fc274999f95e53c65f33457472f314cc#r897206805

deads2k
deads2k reviewed Jun 15, 2022
View reviewed changes
keps/sig-auth/3299-kms-v2-improvements/README.md Outdated

###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?

Yes, via the `KMSv2` feature gate. Disabling this gate without first doing a storage migration to use a different encryption at rest mechanism will result in data loss.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you expand this section with specifics about how to properly disable? I think they need to create a new KMS configuration, reload it, do a read/write cycle, then remove the v2 configuration. Missing any step results in either a process that doesn't start or a server that cannot read secrets, rigth?

aramase and others added 2 commits June 15, 2022 22:20
@aramase
add steps for disabling feature
93dff58 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@ritazh
Merge pull request #7 from aramase/rollback-comments
fecf9a7 
add steps for disabling feature
@deads2k
Copy link
Contributor

deads2k commented Jun 16, 2022

The PRR should help someone reason about what will happen to their cluster if the KMS integration breaks for some reason (imagine a corrupted config you don't notice, followed by a crash. does it restart?). After that, the PRR lgtm.

@aramase
add more details for livez and readyz
a0405db 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@aramase aramase mentioned this pull request Jun 16, 2022
Merged
@ritazh
Merge pull request #8 from aramase/add-readyz-healthz
43a2a55 
add more details for livez and readyz
@deads2k
Copy link
Contributor

deads2k commented Jun 17, 2022

the PRR and design lgtm

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj, ritazh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 17, 2022
@enj
Copy link
Member

enj commented Jun 17, 2022

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 17, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 17, 2022
@k8s-ci-robot k8s-ci-robot merged commit 798e155 into kubernetes:master Jun 17, 2022
@ritazh ritazh deleted the 3299-kms-v2 branch June 21, 2022 15:35
@ritazh ritazh mentioned this pull request Jun 21, 2022
Closed
@aramase aramase mentioned this pull request Jul 14, 2022
Merged
@ritazh ritazh mentioned this pull request Jul 15, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aramase aramase aramase left review comments

@deads2k deads2k deads2k left review comments

@enj enj enj left review comments

@mikedanese mikedanese mikedanese left review comments

Assignees

@mikedanese mikedanese

@enj enj

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
SIG Auth
Archived in project
Milestone
v1.25
Development

Successfully merging this pull request may close these issues.
6 participants
@ritazh @enj @aramase @mikedanese @deads2k @k8s-ci-robot