Closed
Enhancement Description
- One-line enhancement description (can be used as a release note): Introduce KMS v2alpha1 API to add performance, rotation, and observability improvements
- Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements
- Discussion Link:
  - 3299-kms-v2-improvements #3302
  - Sig Auth meetings for 20220608: https://youtu.be/SNnvZVvk5VQ
- Primary contact (assignee): @ritazh @aramase
- Responsible SIGs: sig-auth
- Enhancement target (which target equals to which milestone):
  - Alpha release target (x.y): 1.25
  - Beta release target (x.y): 1.27
  - Stable release target (x.y): 1.29
- Alpha
  - KEP (`k/enhancements`) update PR(s):
  - Code (`k/k`) update PR(s):
  - Docs (`k/website`) update PR(s):
- Beta
  - KEP (`k/enhancements`) update PR(s):
  - Code (`k/k`) update PR(s):
    - kmsv2: implement expire cache with clock kubernetes#113121
    - [KMSv2] Use status key ID to determine staleness of encrypted data kubernetes#114544
    - kmsv2: add grpc service kubernetes#114678
    - [KMSv2] apiserver/kmsv2: mv Service interface into kmsv2 kubernetes#114922
    - [KMSv2] Generate proto API and update feature gate for beta kubernetes#115123
    - [KMSv2] store hash of encrypted DEK as key in cache kubernetes#115350
    - kmsv2: add metrics kubernetes#115394
    - [KMSv2] Add metrics for grpc service kubernetes#115649
    - [KMSv2] implement local KEK service kubernetes#115677
    - [KMSv2] Add kind cluster and encryption config for e2e kubernetes#115714
    - [KMSv2] Implement local KEK generation and rotation kubernetes#115814
    - kmsv2: add metrics for invalid_key_id_from_status_total kubernetes#115846
    - [KMSv2] restructure kms staging dir kubernetes#115938
    - [KMSv2] update `kms_operations_latency_seconds` metric bucket range kubernetes#115947
    - [kmsv2] feat: add kms mock plugin for e2e tests kubernetes#116022
    - kmsv2: add mock kms for reference implementation kubernetes#116031
    - [KMSv2] remove setting `dek_cache_inter_arrival_time_seconds` for KMSv2 only kubernetes#116053
    - [KMSv2] log request metadata as part of read/write kubernetes#116055
    - [KMSv2] update ci script to create cluster and gather metrics kubernetes#116148
    - kmsv2: re-use DEK while key ID is unchanged kubernetes#116155
    - kmsv2: improve test coverage kubernetes#116202
    - [KMSv2] use encDEK, keyID and annotations to generate cache key kubernetes#116345
    - [KMSv2] fix: increases timeout to avoid flake kubernetes#116626
    - [KMSv2] remove key hierarchy in reference implementation kubernetes#116630
  - Docs (`k/website`) update PR(s):