
Encryption at rest KMS integration #460

Open
jcbsmpsn opened this Issue Sep 26, 2017 · 32 comments

@jcbsmpsn
Member

jcbsmpsn commented Sep 26, 2017

Feature Description

  • One-line feature description (can be used as a release note): Data encryption at rest using Google KMS as an encryption provider.
  • Primary contact (assignee): @jcbsmpsn
  • Responsible SIGs: sig-auth
  • Design proposal link (community repo): kubernetes/community#1134
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  • Approver (likely from SIG/area to which feature belongs):
  • Feature target (which target equals to which milestone):
    • Alpha release target (1.9)
    • Beta release target (1.12)
    • Stable release target (?.?)
@idvoretskyi
Member

idvoretskyi commented Sep 26, 2017

@jcbsmpsn @kubernetes/sig-auth-feature-requests can you describe to us why the feature has been proposed only today (less than 24 hours before the release cut), and why it hasn't been discussed before during the release cycle?

cc @jdumars

@jdumars
Member

jdumars commented Sep 26, 2017

@jcbsmpsn
Member

jcbsmpsn commented Sep 26, 2017

@idvoretskyi This issue is for 1.10, two cycles out. The 1.8-related code was merged as alpha, associated with this proposal. There is enough work associated with this feature that we want it to have its own issue going forward.

I've updated the description to say the alpha release target is 1.9, to avoid any confusion.

@idvoretskyi
Member

idvoretskyi commented Sep 26, 2017

@jcbsmpsn much clearer now. Thanks

@idvoretskyi idvoretskyi added this to the 1.9 milestone Sep 26, 2017

@luxas
Member

luxas commented Sep 29, 2017

Do you have a plan for how to address kubernetes/kubernetes#51965, which is a beta graduation requirement?
I hope we don't go ahead and add many of these into core, as they should be ripped out anyway.

@deads2k

deads2k commented Oct 2, 2017

Do you have a plan for how to address kubernetes/kubernetes#51965, which is a beta graduation requirement?
I hope we don't go ahead and add many of these into core, as they should be ripped out anyway.

We need more than one significant example to design a good external API. We're going to move forward with kubernetes/community#888 to gain that experience, and then the next one will have enough examples to draw upon for a reasonable external API attempt.

@luxas
Member

luxas commented Oct 2, 2017

@deads2k So the proposal is:
Google KMS v1.8, Vault v1.9 => alpha, in-tree
Generic out-of-tree interface v1.10 => beta

  • In-tree providers (Google KMS, Vault) are removed from core and converted to implement the generic interface in their respective homes (code-wise).

That sounds good to me

@cjcullen
Member

cjcullen commented Jan 3, 2018

@bgrant0607
Member

bgrant0607 commented Feb 26, 2018

@kubernetes/sig-auth-feature-requests @kksriram Someone please update the schedule for this feature.

@kksriram

kksriram commented Feb 26, 2018

@jcbsmpsn Did you mean for this to specifically track an integration that enables use of Google's KMS to encrypt secrets at rest?

#51965 outlined a proposal for abstracting KMS providers, and #55684 implemented that generic interface as an alpha feature in 1.10.

If this is specific to using Google KMS, then perhaps @immutableT this is the issue tracking your implementation of the #55684 provider for Google KMS? In any case, would that implementation ship with Kubernetes?

@immutableT

immutableT commented Feb 26, 2018

@kksriram The implementation of the Google KMS gRPC plugin will not ship with Kubernetes; instead, it will be made available in a separate repo under GoogleCloudPlatform.

@rawkode

rawkode commented Mar 29, 2018

@immutableT Does that GCP repository exist / is public yet?

@immutableT

immutableT commented Mar 29, 2018

Yes,
https://github.com/GoogleCloudPlatform/k8s-cloudkms-plugin/

I will be adding deployment instructions soon (after 61862 is approved).

@justaugustus
Member

justaugustus commented Apr 17, 2018

@cjcullen @bgrant0607 @kksriram @kubernetes/sig-auth-feature-requests
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

@ritazh

ritazh commented May 7, 2018

Kubernetes KMS Plugin for Azure Key Vault: https://github.com/Azure/kubernetes-kms
cc @khenidak

@enj
Member

enj commented May 11, 2018

Citadel: Turn an arbitrary command into a Kubernetes Key Management Service GRPC server

https://github.com/enj/citadel

Kubernetes SIG Auth 2018-04-04 Demo (~6 minutes): https://youtu.be/2zJf_g0PJ6s

@npmccallum

@mayakacz

mayakacz commented Jun 21, 2018

Hi - checking in, I believe this is currently in Alpha in 1.10. Will this go Beta in 1.11?

@dims
Member

dims commented Jun 21, 2018

@mayakacz nope, it did not make Beta in 1.11; please see kubernetes/kubernetes#61420

@justaugustus justaugustus removed this from the v1.9 milestone Jul 1, 2018

@kksriram

kksriram commented Jul 25, 2018

@justaugustus
Member

justaugustus commented Jul 30, 2018

This feature currently has no milestone, so we'd like to check in and see if there are any plans for this in Kubernetes 1.12.

If so, please ensure that this issue is up-to-date with ALL of the following information:

  • One-line feature description (can be used as a release note):
  • Primary contact (assignee):
  • Responsible SIGs:
  • Design proposal link (community repo):
  • Link to e2e and/or unit tests:
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  • Approver (likely from SIG/area to which feature belongs):
  • Feature target (which target equals to which milestone):
    • Alpha release target (x.y)
    • Beta release target (x.y)
    • Stable release target (x.y)

Set the following:

  • Description
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

Once this feature is appropriately updated, please explicitly ping @justaugustus, @kacole2, @robertsandoval, @rajendar38 to note that it is ready to be included in the Features Tracking Spreadsheet for Kubernetes 1.12.

Please note that Features Freeze is tomorrow, July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.

In addition, please be aware of the following relevant deadlines:

  • Docs deadline (open placeholder PRs): 8/21
  • Test case freeze: 8/28

Please make sure all PRs for features have relevant release notes included as well.

Happy shipping!

P.S. This was sent via automation

@mayakacz

mayakacz commented Jul 31, 2018

Will this make it to Beta in 1.12?
From sig-auth on 7/11, it sounded like this was missing (1) a release shepherd and (2) feedback on implementation.
(1) Is anyone owning pushing this forward?
(2) We now have several implementations:

Thanks!

@mikedanese mikedanese added stage/beta and removed stage/alpha labels Jul 31, 2018

@mikedanese mikedanese added this to the v1.12 milestone Jul 31, 2018

@mikedanese
Member

mikedanese commented Jul 31, 2018

I'm tentatively adding beta to v1.12 milestone.

@dims
Member

dims commented Jul 31, 2018

@mayakacz we have someone looking into possibly adding a KMS provider using OpenStack Barbican: kubernetes/cloud-provider-openstack#44

@kacole2
Contributor

kacole2 commented Aug 1, 2018

@mikedanese @dims I've added this to the 1.12 tracking sheet.
@justaugustus please assign the appropriate labels

@justaugustus
Member

justaugustus commented Aug 4, 2018

@justaugustus
Member

justaugustus commented Aug 4, 2018

/assign @jcbsmpsn

@zparnold
Member

zparnold commented Aug 20, 2018

Hey there! @jcbsmpsn I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?

@justaugustus
Member

justaugustus commented Sep 5, 2018

@jcbsmpsn @cjcullen --
Any update on docs status for this feature? Are we still planning to land it for 1.12?
At this point, code freeze is upon us, and docs are due on 9/7 (2 days).
If we don't hear anything back regarding this feature ASAP, we'll need to remove it from the milestone.

cc: @zparnold @jimangel @tfogo

@mikedanese
Member

mikedanese commented Sep 7, 2018

Here's the docs PR:

kubernetes/website#10230

cc @immutableT

@ameukam

ameukam commented Oct 5, 2018

Hi folks,
Kubernetes 1.13 is going to be a 'stable' release since the cycle is only 10 weeks. We encourage no big alpha features and only consider adding this feature if you have a high level of confidence it will make code slush by 11/09. Are there plans for this enhancement to graduate to beta/stable within the 1.13 release cycle? If not, can you please remove it from the 1.12 milestone or add it to 1.13?

We are also now encouraging that every new enhancement aligns with a KEP. If a KEP has been created, please link to it in the original post. Please take the opportunity to develop a KEP.

@kacole2
Contributor

kacole2 commented Oct 8, 2018

@cjcullen @jcbsmpsn just checking in on @ameukam's post if this plans to graduate for 1.13.

This release is targeted to be more ‘stable’ and will have an aggressive timeline. Please only include this enhancement if there is a high level of confidence it will meet the following deadlines:

  • Docs (open placeholder PRs): 11/8
  • Code Slush: 11/9
  • Code Freeze Begins: 11/15
  • Docs Complete and Reviewed: 11/27

@kacole2 kacole2 added tracked/no and removed tracked/yes labels Oct 8, 2018

@kacole2
Contributor

kacole2 commented Oct 15, 2018

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.12 milestone Oct 15, 2018
