Support a Vault based KMS provider for envelope encryption of resources in a cluster #49817

Closed
kksriram opened this Issue Jul 28, 2017 · 31 comments

@kksriram

kksriram commented Jul 28, 2017

Resources (not just secrets) in a Kubernetes cluster can be encrypted using an envelope encryption scheme with the DEK being encrypted with a KEK that is managed in Vault.

Add support for using Hashicorp Vault as a KMS provider to manage KEKs.

Would address several concerns discussed in the issues referenced:

  • Reuse Vault already in use in an enterprise to additionally manage KEKs for K8S clusters.
  • KEK is externalized and managed in the KMS provider, adding to the security of the overall deployment.
  • Separate cluster management responsibilities from key management/administration, better reflecting Ops, SecOps separations.

Design Proposal. Discussed at sig-auth July 26.

Alpha release Target 1.8 ?

Relies on support added via PRs

Roadmap

Related Issues

/kind feature

@kubernetes/sig-auth

/sig auth

/assign @vineet-garg
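The envelope scheme the opening post describes, worked through as an added example (this is not code from the issue, from Kubernetes or from a Vault KMS plugin): a random DEK encrypts the resource with AES-GCM, the KMS wraps the DEK under a KEK that never leaves it, and only the ciphertext plus the wrapped DEK is persisted. `KEKProvider`, `LocalKMS`, `Envelope`, `EnvelopeEncrypt`, `EnvelopeDecrypt` and `Rewrap` are names assumed for this example; `LocalKMS` keeps its KEK in process memory purely as a stand-in for Vault's wrap/unwrap role.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KEKProvider is the minimal KMS contract envelope encryption needs:
// wrap a DEK under the KEK and unwrap it again. The KEK itself is never
// returned to the caller. (Hypothetical interface for this example.)
type KEKProvider interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// LocalKMS is a stand-in for an external KMS such as Vault: the KEK lives
// only inside this struct. It is constructed for the example, not a real provider.
type LocalKMS struct{ aead cipher.AEAD }

func NewLocalKMS() (*LocalKMS, error) {
	kek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return &LocalKMS{aead: aead}, nil
}

// Wrap encrypts the DEK under the KEK; the nonce is prepended to the output.
func (k *LocalKMS) Wrap(dek []byte) ([]byte, error) {
	nonce, err := randomBytes(k.aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, dek, nil), nil
}

// Unwrap recovers the DEK; GCM authentication fails if the KEK differs
// or the wrapped blob was altered.
func (k *LocalKMS) Unwrap(wrapped []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped DEK too short")
	}
	return k.aead.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// Envelope is what would be persisted (e.g. in etcd): no raw DEK, no KEK.
type Envelope struct {
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// EnvelopeEncrypt generates a fresh DEK per resource, encrypts the plaintext
// with it, and stores the DEK only in KMS-wrapped form.
func EnvelopeEncrypt(kms KEKProvider, plaintext []byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(dek)
	if err != nil {
		return nil, fmt.Errorf("wrap DEK via KMS: %w", err)
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// EnvelopeDecrypt asks the KMS for the DEK and then decrypts the data locally.
func EnvelopeDecrypt(kms KEKProvider, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK via KMS: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Rewrap rotates the KEK: only the small wrapped DEK is rewritten, the
// resource ciphertext is untouched. This is why externalizing the KEK pays off.
func Rewrap(oldKMS, newKMS KEKProvider, env *Envelope) error {
	dek, err := oldKMS.Unwrap(env.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := newKMS.Wrap(dek)
	if err != nil {
		return err
	}
	env.WrappedDEK = wrapped
	return nil
}

func main() {
	kms, _ := NewLocalKMS()
	env, _ := EnvelopeEncrypt(kms, []byte("kind: Secret, data: constructed sample"))
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("decrypted=%q err=%v wrappedDEKLen=%d\n", pt, err, len(env.WrappedDEK))
}
```

The `Rewrap` path is the operational payoff of the design: rotating the KEK in the KMS requires rewrapping each stored DEK but never re-encrypting the resources themselves, and a decrypt attempted with a different KEK fails authentication rather than returning garbage.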

@kksriram

kksriram commented Jul 28, 2017

@kubernetes/sig-auth

@kksriram

kksriram commented Jul 28, 2017

/sig auth

@sakshamsharma

Member

sakshamsharma commented Jul 28, 2017

Closely related changes, how to integrate KMS: #49742

@deads2k deads2k added this to the v1.8 milestone Aug 3, 2017

@kksriram

kksriram commented Aug 10, 2017

Proposal PR : kubernetes/community#888

@ericchiang

Member

ericchiang commented Aug 29, 2017

@kubernetes/sig-auth-feature-requests going to move this to the 1.9 milestone per our SIG auth meeting.

@luxas

Member

luxas commented Sep 29, 2017

This is part of beta graduation requirements in that case #51965
I'd be a bit hesitant to add many more providers... See the discussion in #48574

@deads2k

Contributor

deads2k commented Oct 2, 2017

This is part of beta graduation requirements in that case #51965
I'd be a bit hesitant to add many more providers... See the discussion in #48574

We spoke in sig-auth and sig-apimachinery. We'll be adding this as another example of building a KMS plugin to gain more experience with the API. After we have those two examples, we'll be more competent to shape an external API that is likely to work.

@kksriram

kksriram commented Oct 6, 2017

/priority important-soon

@kksriram

kksriram commented Oct 9, 2017

/kind feature

@kksriram

kksriram commented Oct 9, 2017

@deads2k @ericchiang @liggitt Need your help setting the milestones label, please. I don't have privileges.

@k8s-merge-robot

Contributor

k8s-merge-robot commented Oct 9, 2017

[MILESTONENOTIFIER] Milestone Issue Current

@kksriram

Issue Labels
  • sig/auth: Issue will be escalated to these SIGs if needed.
  • priority/important-soon: Escalate to the issue owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
  • kind/feature: New functionality.
@dims

Member

dims commented Nov 16, 2017

@kksriram will this make 1.9? (I usually help with bug triage etc. before releases, in case you are wondering why :)

@dims

Member

dims commented Nov 16, 2017

/assign @kksriram

@kksriram

kksriram commented Nov 16, 2017

@dims considering the change in direction to out of tree in #55684 I don't expect this will make 1.9.

@luxas luxas modified the milestones: v1.9, v1.10 Nov 16, 2017

@mfilotto

mfilotto commented Feb 1, 2018

@kksriram do you think it will be ready for 1.10 ?

@kksriram

kksriram commented Feb 1, 2018

@mfilotto Not sure. The approach proposed for this issue assumed an in-tree provider. The agreement at sig-auth and sig-api-machinery at the end of 1.9 was to have all future KMS providers be out-of-tree. We're working on implementing that for 1.10 via #51965 and the corresponding implementation in #55684. With that direction, we are discussing a couple of ways forward for this issue:

  • Revise this proposal so it becomes an out-of-tree provider for Vault.
  • Separately build a Vault provider implementation for #55684. That will likely live in some other Git repo and will definitely not be in kubernetes/kubernetes.

Will keep this updated as we discuss and decide. I'll update next week if this will not make 1.10.

@jberkus

jberkus commented Feb 21, 2018

@kksriram will this make 1.10? if so, please approve-for-milestone, otherwise please bump it to 1.11. Thanks!

@deads2k

Contributor

deads2k commented Feb 22, 2018

Since we merged the grpc kms provider, I think this can be closed.

@kksriram

kksriram commented Feb 26, 2018

@deads2k beat me to it. I meant to close this because I don't think this will ship as part of Kubernetes. Given the support added via #51965 and the corresponding PR #55684, we will work offline to figure out how best to release the Vault KMS provider that implements the gRPC interface in #55684.

@alonbl

alonbl commented Jun 5, 2018

Hi,
Does anyone know if there is a standalone KMS plugin for HashiCorp Vault?
I see there is one for GCP and Azure, but I cannot find Vault.
Thanks!

@dims

Member

dims commented Jun 5, 2018

@alonbl looks like @kksriram has an implementation here - oracle#4

@alonbl

alonbl commented Jun 5, 2018

@dims it looks like this is not a standalone module, but the old implementation of merging into k8s codebase.

@kksriram

kksriram commented Jun 5, 2018

@alonbl
We expect to release a standalone version in a couple of weeks.

@alonbl

alonbl commented Jun 5, 2018

@kksriram thanks! If possible, please paste the URL of the repo here :)

@mfilotto

mfilotto commented Jun 25, 2018

Awesome @kksriram, looking forward to seeing this coming.

@ssboisen

ssboisen commented Jul 12, 2018

Hi @kksriram any progress on making the vault KMS plugin standalone? Thanks for working on this!

@kksriram

kksriram commented Jul 12, 2018

We should have something next week. Will update here with a link.

@kksriram

kksriram commented Jul 26, 2018
