[WIP] Adding support for encrypted container images #78975
Conversation
|
Welcome @harche! |
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
|
Hi @harche. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
area/kubectl
area/kubelet
area/test
kind/api-change
|
"I signed it" |
k8s-ci-robot
added
cncf-cla: yes
|
/assign @derekwaynecarr @liggitt |
|
/joke |
|
@harche Which version of |
CRI->containerd is yet to support the decryption in their upstream. Although I have a working POC of CRI-Containerd as well as CRI-O, they both won't be able to merge my changes because they vendor k8s APIs which need modification for this to work. So as soon as we have the code in k8s merged, I can submit the PRs for CRI-Containerd as well CRI-O to support this feature by updating their respective vendor directories from k8s that handle CRI interface. Once the CRI interface in k8s gets updated to pass decryption keys to runtimes, adding support in the runtimes should fairly simple, including docker. For your reference this is how it's supposed to work, I gave the example of CRI-O in that diagram but you can very well replace with any runtime that implements CRI interface. |
|
Gotcha. Thanks @harche |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
k8s-ci-robot
added
the
needs-rebase
|
@harche: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Thanks @duyanghao. The article talks about the work I did with @lumjjb on adding decryption capabilities in CRIO using the keys available on the worker node. This code change is about adding the decryption capabilities in kubernetes by adding the new secret type to hold the required private keys. However, based on this comment, we are trying add the image encryption/decryption support in other container related projects to increase the adoption. Such as, containers/skopeo#732 Apart from these, we are in talks with Quay registry folks to add the support for encrypted images. Hoping to get that through soon. |
@harche Thanks for your reply, I still have some questions about your work: |
|
Hi @duyanghao, thanks for your interest in our work! Here is some more information, but would be glad to chat offline to hear some of the usecases and plans.
We have an ongoing offering that will be using this technology that is going to be available in the later half of this year. We have plans to work with the IBM IKS team to get this integrated this year as well. The feature should also be available in OpenShift 4.4 when they start using k8s >=1.17.
This would be made first available with kubernetes 1.17 (through cri-o 1.17 and the respective containerd cri version), without any changes in kubernetes, so if I were to put a label on it, it would be alpha. But containerd and cri-o doesn't officially have any special labeling on the feature. Also, just to clarify, there are two models of using encrypted images with kubernetes, what is do-able today with containerd/cri and cri-o is independent of this KEP. This KEP is an effort to provide the ability to have stronger multitenancy using encrypted images. |
|
@lumjjb Thanks for your reply
It seems that I can now use the kubernetes(>=1.17) and docker(containerd) to achieve image encryption&decryption with the model independent of this KEP, but is there any official kubernetes documents about how to use it besides this article? |
For containerd, it is currently pending on this PR, which is waiting on 1 more approval. The actual doc that will merge with this is: https://github.com/containerd/cri/blob/de21864c7684ddbb9c72c22769d704ed0d42cbbf/docs/encryption.md I think @Random-Liu can probably shed a bit more light on timeline and containerd release cycles. |
That article talks about the threat model where you only trust the worker nodes of your k8s cluster (but not other components, like api server, docker registry etc). It requires that the decryption keys are kept on the target worker node. The support for this is already present in upstream in CRIO. So you might have to use CRIO instead of Containerd with your k8s setup. You don't need to change anything in k8s for this to work. We are also hoping to get our changes merged soon in CRI-Containerd too. As Brandon mentioned, the code in this KEP is part of the effort to provide stronger multi-tenancy using encrypted images. In this the kubernetes api server and worker nodes are both trusted entities (but docker registry is not). But as I mentioned earlier, this code is not upstreamed yet. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds support for upcoming encryption support for container images
Which issue(s) this PR fixes:
Fixes kubernetes/enhancements#1067
Special notes for your reviewer:
This is still a work-in-progress. We are on the verge of getting OCI spec followed by the support in containerd for encrypted images merged.
Does this PR introduce a user-facing change?: yes