Add encryption providers proposal #1213
Conversation
kubermatic-bot
added
release-note-none
kubermatic-bot
added
size/M
|
/lgtm |
|
LGTM label has been added. Git tree hash: b7ac88af2bee1fd2c1a40cdd0c3e142f4c387e6a
|
|
LGTM label has been added. Git tree hash: b7ac88af2bee1fd2c1a40cdd0c3e142f4c387e6a
|
kubermatic-bot
added
the
approved
|
/hold |
kubermatic-bot
added
the
do-not-merge/hold
| kind: KubeOneCluster | ||
| features: | ||
| encryptionProviders: | ||
| enabled: true |
There was a problem hiding this comment.
Keeping in mind future API extensions that will be inevitably required, simple boolean flag is not enough. Flags are needed per provider type, and not only flags but possible config options too.
So we are looking at 3 possible providers:
- none
- static (the one for being implemented now)
- kms (the one for being implemented later)
Those should be expressed as additional objects inside encryptionProviders, like
#### VERY DRAFT, MUCH FANTASY ####
####### only for demo purpose #######
apiVersion: kubeone.io/v1beta1
kind: KubeOneCluster
features:
encryptionProviders:
- kind: none
- kind: static
- kind: kms
endpoint: unix:///tmp/socketfile.sock
cachesize: 100
timeout: 3s
Alternatively, we could not reimplement parts of what's already done in upstream and "just" provide the
apiVersion: kubeone.io/v1beta1
kind: KubeOneCluster
features:
encryptionConfiguration: |
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- kms:
name: myKmsPlugin
endpoint: unix:///tmp/socketfile.sock
cachesize: 100
timeout: 3s
- identity: {}
Given that second option, we can actually extract the endpoint from KMS providers and automatically mount them to the kube-apiserver pod ( with extra mounts in kubeadm config).
Provided that we can detect changes in encryptionConfiguration (compare actual file to encryptionConfiguration`, we can automate and orchestrate kubeapi pod restarts.
There was a problem hiding this comment.
Providing ONLY encryptionConfiguration we could give all encryption options to the end user, including KMS support in one shot.
There was a problem hiding this comment.
I agree with what @kron4eg said, but in that case, I'd leave the enable field in the API and implement it like @moelsayed initially proposed. For example:
features:
encryptionProviders:
# enable/disable
enable: true
# setting this value will disable automated rotation.
customProviderFile: |
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
...The difference between the originally proposed API and this API is that I've removed the rotate field. Instead of the rotate field, we would keep the CLI flag as it's currently proposed.
- If
enableis set tofalse- Do nothing if the feature has never been enabled
- Otherwise, disable the feature
- If
enableis set totrue:- If
customProviderFileis not set, generate it ourselves and handle key management - If
customProviderFileis set, upload it to the instance. Additionally, if KMS is configured, create the appropriate volumes on the API server pods - Configure the API server and everything else as described in the proposal
- If
Note: if customProviderFile is set and the CLI flag is set, KubeOne would either show a warning or fail.
In this case, we can quickly implement support for all setups. Technically, users could use Terraform/Ansible to deploy KMS and with such API, they could actually use it in their clusters. I think that it wouldn't require too much additional effort on our side, but we could solve everything (besides deploying KMS, which should be discussed) in a single run.
There was a problem hiding this comment.
@kron4eg @xmudrii I updated the proposal accordingly. Please check.
For the initial implementation, I will stop at implementing the the custom config basic functionality. I will create a new issue/PR to address deploying the KMS and creating the required volume mounts for the API server. I am considering that out of scope for the initial implementation.
There was a problem hiding this comment.
@moelsayed Can you create an Epic for this?
There was a problem hiding this comment.
@moelsayed I was thinking about an Epic for addressing the KMS deployment and the volume creation. You can also extend the current Epic. I only see issues relevant to the initial implementation in the Epic, but please correct me if I'm wrong.
There was a problem hiding this comment.
What happens if:
enable: true, but nocustomProviderFileis given (e.g. it's empty)?enable: true, but nocustomProviderFileis given and install/apply is run, and thencustomProviderFilebecomes defined?
There was a problem hiding this comment.
enable: true, but no customProviderFile is given (e.g. it's empty)?
We manage everything automatically. A new config file is created and pushed to the nodes. In this case key rotation is supported.
enable: true, but no customProviderFile is given and install/apply is run, and then customProviderFile becomes defined?
K1 should push the defined custom file but it will refuse to the rotate the keys if the rotate flag is set.
kron4eg
removed
approved
kubermatic-bot
added
approved
kubermatic-bot
added
the
size/L
| kind: KubeOneCluster | ||
| features: | ||
| encryptionProviders: | ||
| enabled: true |
There was a problem hiding this comment.
@moelsayed Can you create an Epic for this?
|
LGTM label has been added. Git tree hash: 7a63f9e46ff8cf0819386706364abef0ed49d909
|
|
/hold cancel |
kubermatic-bot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kron4eg, moelsayed, xmudrii The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* upstream/master: (21 commits) Improve the installation script (kubermatic#1253) Update README.md (kubermatic#1250) Add the changelog for the v1.2.0-beta.1 release (kubermatic#1249) Fix credentials in addons (kubermatic#1248) fix(docs): fix broken master documentation link (kubermatic#1246) Add encryption providers proposal (kubermatic#1213) Use Docker for restarting API server on Flatcar (kubermatic#1245) Add the Kubernetes 1.20 jobs (kubermatic#1244) Restart unhealthy API servers when provisioning/upgrading clusters (kubermatic#1243) Add rsync on CentOS and Amazon Linux (kubermatic#1240) Update machine-controller to v1.25.0 (kubermatic#1238) Update the kubeone-e2e image (kubermatic#1239) Update KubeOne CI jobs (kubermatic#1237) Disallow and deprecate the PodPresets feature (kubermatic#1236) Fix confusing default in OpenIDConnect (kubermatic#1235) Add debian support (kubermatic#1233) Drop mounting flexvolume plugins into the openstack CCM (kubermatic#1234) Remove CoreOS (kubermatic#1232) Add the changelog for the v1.2.0-beta.0 release (kubermatic#1230) Add containerRuntime API to the full config (kubermatic#1229) ...
What this PR does / why we need it:
A proposal draft to add Encryption Providers support in KubeOne.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #1212
Special notes for your reviewer:
Does this PR introduce a user-facing change?: