Support encryption-at-rest for the kube-apiserver

[georgebuckerfield]

This PR adds support for enabling encryption-at-rest for data in etcd, via the kube-apiserver (as per https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data).

I've put the functionality behind a feature flag, +EnableDataEncryption. It can then be enabled per-cluster by using --enable-encryption-config on the command line, or by adding a kubeEncryptionConfig section to the cluster spec. This is passed through to the kube-apiserver by the nodeup process. I'm not sure if this is the best way of doing it right now, but it is working.

Fixes #3356.

[k8s-ci-robot]

@georgebuckerfield: Your pull request title starts with "WIP", so the do-not-merge/work-in-progress label will be added.

This label will ensure that your pull request will not be merged. Remove the prefix from your pull request title to trigger the removal of the label and allow for your pull request to be merged.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @georgebuckerfield. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[gambol99]

Not sure the feature flag or cli option is really required; i'm tempted to say we shouldn't encourage creating clusters via cli options, but push for creation via config instead; @justinsb @chrislovecnm .. I'm also guessing the feature requires more config than bool to be useful, i.e. keys ... I think we should drop the reference to etcd as well

[chrislovecnm]

I agree with @gambol99, let's not have a cli option, and remove the etcd verbadge. The users can use manifests or do an edit on the cluster after a create.

I am on the side of not having a featureflag as well.

[gambol99]

can we not wrap all this logic into the kube_apisever builder itself?

[chrislovecnm]

Agreed

[gambol99]

I noticed your add the build here .. there doesn't appear to be a conditional on the role though? .. does the file need to be on masters and nodes?

[gambol99]

I think a general convention ... std lib, local imports and then external .. Could we drop the encryptionconfig import down

[georgebuckerfield]

I can change this, but it doesn't seem to be consistent with the rest of the repo. The convention seems to be: std lib, k8s.io libraries, external libraries e.g. in nodeup/pkg/model/kubeapiserver.go, nodeup/pkg/model/kubecontrollermanager.go etc. Happy to modify if I'm wrong though!

[chrislovecnm]

The imports formatting is not consistent through the project ;( But yes @gambol99 has it correct

[gambol99]

this could probably be a oneliner

return &encryptionconfig.EncryptionConfig{
  Kind:       "EncryptionConfig",
  APIVersion: "v1",
  Resources:  b.Cluster.Spec.KubeEtcdEncryptionConfig.Resources,
}, nil

[gambol99]

i think we can keep this in the componentconfig.go

[gambol99]

same as above

[gambol99]

does this not cause a panic if not set? .. should we check for a nil

[gambol99]

dependent on @justinsb and @chrislovecnm if a feature flag is required

[chrislovecnm]

We can pull it

[gambol99]

tempted to say we wrap this into the KubeAPIServerBuilder

[gambol99]

/assign @gambol99
/assign @justinsb

[georgebuckerfield]

Thanks for the review @gambol99, I'll start addressing these tonight. Going to try and get some tests added as well.

[chrislovecnm]

/ok-to-test

[georgebuckerfield]

/retest

[chrislovecnm]

You have taken in a great, but complex piece of work. Thanks for the help! Appreciate your patience with the PR review process.

Question for yah

[chrislovecnm]

What is this secret used for? Should we have this in a kops secret?

[georgebuckerfield]

That secret is used by the apiserver to encrypt/decrypt the data, so ideally I think it should be a secret/obscured somehow. What makes it tricky is users can specify an arbitrary number of keys for each provider (the apiserver will try them each in order when decrypting), so I'm not quite sure how that will work with kops secrets? I suppose users could create multiple secrets with kops secret create aescbckey key1 c2Vj..., kops secret create aescbckey key1 nf9D..., or something similar. We could then swap in the actual secrets when nodeup runs?

[georgebuckerfield]

Or actually, just store the entire encryptionconfig in a secret? That might simplify things a bit.

[chrislovecnm]

I would store the encryptionconfig in a secret. We just had a PR for docker login perms. Let me find it.

[chrislovecnm]

#3087

[georgebuckerfield]

Ok, so I've refactored this. The process for enabling encryption for a cluster would now be:

• kops create cluster ... as usual
• create a secret containing your encryption config kops create secret encryptionconfig -f config.yaml
• edit the cluster, adding encryptionConfig: true to the cluster spec
• kops update cluster --yes as usual

I'm completely open to renaming the EncryptionConfig field on the cluster spec to something better/more descriptive. Maybe just EncryptionEnabled?

[chrislovecnm]

@gambol99 can you give a review, please? Many changes have been made.

[chrislovecnm]

@georgebuckerfield looks good, if @gambol99 does not get back to you, please reach out. But @gambol99 if available will give it a look.

Again appreciate your patience with this, as this PR went through a few cycles

[georgebuckerfield]

Cheers @chrislovecnm, appreciate your help getting this through!

[gambol99]

@georgebuckerfield @chrislovecnm ... lgtm

[chrislovecnm]

/lgtm

[chrislovecnm]

Sorry, @georgebuckerfield ... can we squash the git commits into reasonable chunks of work or just one commit? One last thing.

[georgebuckerfield]

Yep, @chrislovecnm, I'm working on that now. I've made it slightly complicated for myself by merging in upstream updates halfway through (to resolve a conflict), just sorting that out now.

[georgebuckerfield]

/retest

[chrislovecnm]

@georgebuckerfield restarted the travis build for you

[chrislovecnm]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrislovecnm

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS [chrislovecnm]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. .

[elisiano]

Unless I'm miserably failing at searching, I could not find any documentation on how the config file should look like when executing kops create secret encryptionconfig -f config.yaml.

Is there any example available somewhere?

[iMartyn]

Because people will find @elisiano's question and not an answer : https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ covers creating that config.yaml file.

[elisiano]

Thank you @iMartyn !