Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow encryption for all resources #115149

Merged
merged 1 commit into from Mar 9, 2023
Merged

Allow encryption for all resources #115149

merged 1 commit into from Mar 9, 2023

Conversation

nilekhc
Copy link
Contributor

@nilekhc nilekhc commented Jan 18, 2023
edited by k8s-ci-robot

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes # #111977

Special notes for your reviewer:

Does this PR introduce a user-facing change?

The API server's encryption at rest configuration now allows the use of wildcards in the list of resources.  For example, '*.*' can be used to encrypt all resources, including all current and future custom resources.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/test kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 18, 2023
@nilekhc
Copy link
Contributor Author

nilekhc commented Jan 18, 2023

/sig auth

/cc @enj @ritazh @aramase

@k8s-triage-robot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

enj
enj suggested changes Jan 18, 2023
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Drop the first commit since these do not appear to conflict.

staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation.go Outdated Show resolved Hide resolved
test/integration/controlplane/transformation/kms_transformation_test.go Outdated Show resolved Hide resolved
test/integration/controlplane/transformation/kms_transformation_test.go Outdated Show resolved Hide resolved
test/integration/controlplane/transformation/kms_transformation_test.go Outdated Show resolved Hide resolved
test/integration/controlplane/transformation/kms_transformation_test.go Outdated Show resolved Hide resolved
test/integration/controlplane/transformation/kms_transformation_test.go Outdated Show resolved Hide resolved
@enj
Copy link
Member

enj commented Jan 19, 2023

/kind api-change

@liggitt this PR proposes adding encryption support for all resources without any schema changes by interpreting *.* to mean all groups and all resources (*.apps is currently not supported but would mean "all resources in the apps group"). The structure and ordering of the current EncryptionConfiguration format makes this hard to support with any other resources being specified, so currently validation will fail if any other resource is specified with *.*. This makes it impossible to opt any resource out of encryption, which is really meh. Thoughts?

@cici37
Copy link
Contributor

cici37 commented Jan 19, 2023

/remove-sig api-machinery

@k8s-ci-robot k8s-ci-robot removed the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Jan 19, 2023
@liggitt
Copy link
Member

liggitt commented Jan 20, 2023

@liggitt this PR proposes adding encryption support for all resources without any schema changes by interpreting *.* to mean all groups and all resources (*.apps is currently not supported but would mean "all resources in the apps group"). The structure and ordering of the current EncryptionConfiguration format makes this hard to support with any other resources being specified, so currently validation will fail if any other resource is specified with *.*. This makes it impossible to opt any resource out of encryption, which is really meh. Thoughts?

If the format is <resource>.<group>, allowing *.<group> and *.* seems sensible

For the "encrypt everything in API group foo except resource bar" use case, I think it's ok to require enumerating the resources they want to encrypt.

I would suggest normalizing items that don't contain a . (items in the core API group) to append a .

Questions:

  • do we currently allow both secrets and secrets. to be in the list? what happens?
  • would we allow *. to mean "encrypt all resources in the core API group?
  • what currently happens if you say to encrypt events and events.events.k8s.io differently?

@k8s-ci-robot k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Jan 24, 2023
@nilekhc
Copy link
Contributor Author

nilekhc commented Jan 24, 2023

@liggitt

  • do we currently allow both secrets and secrets. to be in the list? what happens?

Both are acceptable and encryption works as expected.

  • would we allow *. to mean "encrypt all resources in the core API group?

Yes. We plan to add such additional support/validations down the line based on the feedback.

@nilekhc
Copy link
Contributor Author

nilekhc commented Jan 24, 2023

/retest

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 7, 2023
@enj
Copy link
Member

enj commented Mar 7, 2023

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 7, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: bb3bb3ef6e23e4d66d5183733ca1ac392ea5c3e1

@nilekhc
Copy link
Contributor Author

nilekhc commented Mar 8, 2023

/retest

@valaparthvi
Copy link

Hi @nilekhc. I am from the Bug triage shadow team for K8s release 1.27. I am checking in to make sure this PR is on track for 1.27 release.

Please note that Code Freeze begins on March 15, post this date, only critical and release-blocker issues/PRs will be accepted.

@enj
Copy link
Member

enj commented Mar 8, 2023

/release-note-edit

The API server's encryption at rest configuration now allows the use of wildcards in the list of resources.  For example, '*.*' can be used to encrypt all resources, including all current and future custom resources.

@nilekhc
Copy link
Contributor Author

nilekhc commented Mar 8, 2023

/assign @liggitt

liggitt
liggitt reviewed Mar 8, 2023
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
return identity.NewEncryptCheckTransformer()
}

func grYAMLString(gr schema.GroupResource) string {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

producing "yaml" strings is weird... is this only used for error messages? if so, can we skip the single-quote wrapping and just quote the values in the messages using %q?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's primarily for handling *. case. String method of schema.GroupResource parses it to * instead of *.

if gr.Group == "" && gr.Resource == "*" {
   return "'*.'"
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, a tweak to emit *. is fine, but drop the single-quote wrapping

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@liggitt liggitt added this to API review completed, 1.27 in API Reviews Mar 8, 2023
@liggitt
Copy link
Member

liggitt commented Mar 8, 2023

API bits lgtm, one comment on the yaml stringer, then lgtm

@nilekhc
feat: implements encrypt all
9382fab 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2023
@k8s-ci-robot k8s-ci-robot requested review from enj and liggitt March 8, 2023 22:19
@nilekhc
Copy link
Contributor Author

nilekhc commented Mar 8, 2023

API bits lgtm, one comment on the yaml stringer, then lgtm

Thanks for the review. I have updated it. PTAL when you get a chance.

cc @enj

@liggitt
Copy link
Member

liggitt commented Mar 8, 2023

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 09348e636a5c2b2002d09553baae28fcd8af82c0

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, liggitt, nilekhc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 8, 2023
@nilekhc
Copy link
Contributor Author

nilekhc commented Mar 8, 2023

/retest

@k8s-ci-robot k8s-ci-robot merged commit 30ee691 into kubernetes:master Mar 9, 2023
@nilekhc nilekhc deleted the encrypt-all branch March 9, 2023 00:56
@enj enj mentioned this pull request Mar 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aramase aramase Awaiting requested review from aramase

@ritazh ritazh Awaiting requested review from ritazh

@dchen1107 dchen1107 Awaiting requested review from dchen1107

@enj enj Awaiting requested review from enj

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@liggitt liggitt

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
API Reviews
Status: API review completed, 1.27
SIG Auth
Archived in project
SIG Auth: KMS v2
Status: Done
[sig-release] Bug Triage
Archived in project
Milestone
v1.27
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@nilekhc @k8s-triage-robot @enj @cici37 @liggitt @fedebongio @k8s-ci-robot @valaparthvi