
Check secret count against KMS cache size #77

Closed
ArchangelSDY opened this issue Oct 28, 2022 · 1 comment

@ArchangelSDY
Contributor

Background

Self-managed clusters can have encryption-at-rest enabled and have KMS installed. However, due to design limitations in KMS v1, when the secret count exceeds the KMS cache size, the performance of secret listing can be significantly impacted due to KeyVault throttling. We need a check to warn the user about this risk.

Design

1. Check if we're on a master node of a self-managed cluster.
2. Check API server arguments to see if KMS is enabled: `--encryption-provider-config`
3. Check cache size in KMS config.

   ```yaml
   apiVersion: apiserver.config.k8s.io/v1
   kind: EncryptionConfiguration
   resources:
     - resources:
         - secrets
       providers:
         - kms:
             name: myKmsPluginFoo
             endpoint: unix:///tmp/socketfile.sock
             cachesize: 100
             timeout: 3s
         - kms:
             name: myKmsPluginBar
             endpoint: unix:///tmp/socketfile.sock
             cachesize: 100
             timeout: 3s
   ```

4. List secrets and check the number. If it exceeds 80% of the KMS cache size, emit a warning.
@ArchangelSDY ArchangelSDY added the enhancement New feature or request label Oct 28, 2022
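The following is an added example of the check sketched in steps 2 to 4 above; it is not code from the issue author or from the project. It assumes step 1 (being on a master node of a self-managed cluster) has already been established by the caller, takes the secret count as a parameter (on a real node it would come from a `kubectl get secrets -A` listing), and reads the `cachesize` values with a small line scanner instead of a YAML library so it runs with the standard library only. The value 1000 is the default Kubernetes applies when `cachesize` is omitted from a KMS v1 provider; using the smallest `cachesize` across KMS providers as the bound is this example's own conservative assumption, and the sample config and API server command line are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Kubernetes applies this default when a KMS v1 provider omits `cachesize`.
DEFAULT_KMS_CACHE_SIZE = 1000
# Warn once the secret count passes this fraction of the cache (from the issue).
WARN_RATIO = 0.8

# Constructed sample EncryptionConfiguration: one kms provider with an
# explicit cachesize, followed by an identity provider (no cache at all).
SAMPLE_CONFIG = """\
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: myKmsPluginFoo
          endpoint: unix:///tmp/socketfile.sock
          cachesize: 100
          timeout: 3s
      - identity: {}
"""

# Constructed sample kube-apiserver command line, as found in the static pod
# manifest's `command:` list on a master node.
SAMPLE_APISERVER_ARGS = [
    "kube-apiserver",
    "--authorization-mode=Node,RBAC",
    "--encryption-provider-config=/etc/kubernetes/encryption-config.yaml",
    "--secure-port=6443",
]


def find_encryption_config_flag(args: List[str]) -> Optional[str]:
    """Step 2: return the path given to --encryption-provider-config, or None
    when no encryption provider config is set. Accepts both the `--flag=value`
    and the `--flag value` spellings."""
    for i, arg in enumerate(args):
        if arg.startswith("--encryption-provider-config="):
            return arg.split("=", 1)[1]
        if arg == "--encryption-provider-config" and i + 1 < len(args):
            return args[i + 1]
    return None


def kms_cache_sizes(config_text: str) -> List[int]:
    """Step 3: the cachesize of every `- kms:` provider in the config.

    Line-oriented scan relying on the indentation shape of the config: a
    provider starts at a `- kms:` list item and ends at the next line that is
    indented no deeper than that dash. A kms block with no cachesize line
    gets DEFAULT_KMS_CACHE_SIZE."""
    sizes: List[int] = []
    in_kms = False
    kms_indent = -1
    saw_cachesize = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        # Leaving the current kms block: account for an omitted cachesize.
        if in_kms and indent <= kms_indent:
            if not saw_cachesize:
                sizes.append(DEFAULT_KMS_CACHE_SIZE)
            in_kms = False
        if stripped.startswith("- kms:"):
            in_kms = True
            kms_indent = indent
            saw_cachesize = False
            continue
        if in_kms:
            m = re.match(r"cachesize:\s*(\d+)\s*$", stripped)
            if m:
                sizes.append(int(m.group(1)))
                saw_cachesize = True
    if in_kms and not saw_cachesize:
        sizes.append(DEFAULT_KMS_CACHE_SIZE)
    return sizes


@dataclass
class CacheCheck:
    secret_count: int
    cache_size: int   # smallest cachesize across kms providers (conservative)
    warn: bool        # True when secret_count exceeds WARN_RATIO * cache_size


def check_secret_count(config_text: str, secret_count: int) -> Optional[CacheCheck]:
    """Step 4: compare the secret count against 80% of the KMS cache size.
    Returns None when no kms provider is configured (nothing to warn about)."""
    sizes = kms_cache_sizes(config_text)
    if not sizes:
        return None
    cache_size = min(sizes)
    return CacheCheck(secret_count, cache_size, secret_count > cache_size * WARN_RATIO)


if __name__ == "__main__":
    path = find_encryption_config_flag(SAMPLE_APISERVER_ARGS)
    print("encryption provider config:", path)
    # On a real master node: read the file at `path` and count secrets with
    # `kubectl get secrets -A --no-headers | wc -l`. Both are constructed here.
    result = check_secret_count(SAMPLE_CONFIG, secret_count=85)
    if result and result.warn:
        print(f"WARNING: {result.secret_count} secrets vs KMS cachesize "
              f"{result.cache_size}; listing may be throttled by KeyVault")
```

The scanner deliberately ignores `identity` and other non-KMS providers, since only KMS providers carry a DEK cache; if the file has several KMS providers (as in the issue's sample), the smallest cache is used so the warning is never suppressed by a larger cache on a provider that is not the one doing the encrypting.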
@bjqian
Contributor

bjqian commented Dec 8, 2022

Looks interesting.

@bjqian bjqian self-assigned this Dec 8, 2022