Commit Graph

55 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
50070e664b
Merge pull request #116626 from nilekhc/fix-kmsv2-healthz-flake
[KMSv2] fix: increases timeout to avoid flake
2023-03-14 20:28:34 -07:00
Kubernetes Prow Robot
15040e1c86
Merge pull request #115123 from aramase/v2beta1
[KMSv2] Generate proto API and update feature gate for beta
2023-03-14 19:26:25 -07:00
Nilekh Chaudhari
c09aa7dead
fix: increases timeout to avoid flake
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
2023-03-15 00:18:58 +00:00
Anish Ramasekar
ad698cc0ae
[KMSv2] Generate proto API and update feature gate for beta
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-03-14 23:18:16 +00:00
Antonio Ojea
23252d70b4 add integration test 2023-03-14 22:58:11 +00:00
Monis Khan
832d6f0e19
kmsv2: re-use DEK while key ID is unchanged
This change updates KMS v2 to not create a new DEK for every
encryption.  Instead, we re-use the DEK while the key ID is stable.

Specifically:

We no longer use a random 12 byte nonce per encryption.  Instead, we
use both a random 4 byte nonce and an 8 byte nonce set via an atomic
counter.  Since each DEK is randomly generated and never re-used,
the combination of DEK and counter are always unique.  Thus there
can never be a nonce collision.  AES GCM strongly encourages the use
of a 12 byte nonce, hence the additional 4 byte random nonce.  We
could leave those 4 bytes set to all zeros, but there is no harm in
setting them to random data (it may help in some edge cases such as
live VM migration).

If the plugin is not healthy, the last DEK will be used for
encryption for up to three minutes (there is no difference on the
behavior of reads which have always used the DEK cache).  This will
reduce the impact of a short plugin outage while making it easy to
perform storage migration after a key ID change (i.e. simply wait
ten minutes after the key ID change before starting the migration).

The DEK rotation cycle is performed in sync with the KMS v2 status
poll thus we always have the correct information to determine if a
read is stale in regards to storage migration.

Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-14 10:23:50 -04:00
Nilekh Chaudhari
9382fab9b6
feat: implements encrypt all
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
2023-03-08 22:18:49 +00:00
Yuan Chen
a24aef6510 Replace a function closure
Replace more closures with pointer conversion

Replace deprecated Int32Ptr to Int32
2023-02-27 09:13:36 -08:00
Anish Ramasekar
c9b8ad6a55
[KMSv2] restructure kms staging dir
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-02-21 22:40:25 +00:00
Anish Ramasekar
de3b2d525b
[KMSv2] Add metrics for grpc service
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-02-09 18:51:37 +00:00
Nilekh Chaudhari
b3f326722d
chore: improves tests
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
2023-01-30 23:18:14 +00:00
Anish Ramasekar
4804baa011
kmsv2: implement expire cache with clock
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-01-25 22:50:32 +00:00
Kubernetes Prow Robot
285e7969b2
Merge pull request #114544 from ritazh/kmsv2-keyid-staleness
[KMSv2] Use status key ID to determine staleness of encrypted data
2023-01-19 10:28:16 -08:00
Rita Zhang
510ac9b391
kmsv2: use status key ID to update staleness of encrypted data
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
2023-01-19 08:09:24 -08:00
Kubernetes Prow Robot
46f3821bf4
Merge pull request #114586 from andrewsykim/apiserver-lease-rename
Rename apiserver identity lease labels to apiserver.kubernetes.io/identity
2023-01-17 21:36:34 -08:00
Krzysztof Ostrowski
b7701b00ea
apiserver/kmsv2: mv Service interface into kmsv2
Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>
2023-01-17 10:05:16 +01:00
Andrew Sy Kim
a7de3e15a5 apiserver: use the identity value in the apiserver identity hash
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2023-01-13 16:20:14 -05:00
Andrew Sy Kim
fb066a883d apiserver: update lease identity prefix from kube-apiserver- to apiserver-
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2023-01-13 15:37:22 -05:00
Andrew Sy Kim
423539cf96 test/integration/controlplane: add new apiserver identity test TestLeaseGarbageCollectionWithDeprecatedLabels
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2023-01-13 15:37:22 -05:00
TommyStarK
9e885bce35 test/integration: Replace deprecated pointer function
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
2023-01-05 18:38:40 +01:00
Monis Khan
cb3410e1b7
kms: use different context for server lifecycle and initial load
Signed-off-by: Monis Khan <mok@microsoft.com>
2022-11-16 16:44:23 -05:00
Kubernetes Prow Robot
e62cfabf93
Merge pull request #112050 from nilekhc/kms-hot-reload
Implements hot reload of the KMS `EncryptionConfiguration`
2022-11-08 17:24:12 -08:00
Nilekh Chaudhari
761b7822fc
feat: implements kms encryption config hot reload
This change enables hot reload of encryption config file when api server
flag --encryption-provider-config-automatic-reload is set to true. This
allows the user to change the encryption config file without restarting
kube-apiserver. The change is detected by polling the file and is done
by using fsnotify watcher. When file is updated it's process to generate
new set of transformers and close the old ones.

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
2022-11-08 21:47:59 +00:00
Andrew Sy Kim
c2d387ce54 test/integration/controlplane: update APIServerIdentity tests to use public lease parameter vars
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-07 19:42:05 -05:00
Kubernetes Prow Robot
3d5725d9c0
Merge pull request #113649 from andrewsykim/apiserver-identity-hash
apiserver identity : use SHA256 hash in lease names
2022-11-07 11:20:49 -08:00
Kubernetes Prow Robot
b1dd1cd2f1
Merge pull request #113529 from enj/enj/i/kms_single_healthz
kms: add wiring to support automatic encryption config reload
2022-11-07 11:20:42 -08:00
Monis Khan
22e540bc48
kms: add wiring to support automatic encryption config reload
This change adds a flag --encryption-provider-config-automatic-reload
which will be used to drive automatic reloading of the encryption
config at runtime.  While this flag is set to true, or when KMS v2
plugins are used without KMS v1 plugins, the /healthz endpoints
associated with said plugins are collapsed into a single endpoint at
/healthz/kms-providers - in this state, it is not possible to
configure exclusions for specific KMS providers while including the
remaining ones - ex: using /readyz?exclude=kms-provider-1 to exclude
a particular KMS is not possible.  This single healthz check handles
checking  all configured KMS providers.  When reloading is enabled
but no KMS providers are configured, it is a no-op.

k8s.io/apiserver does not support dynamic addition and removal of
healthz checks at runtime.  Reloading will instead have a single
static healthz check and swap the underlying implementation at
runtime when a config change occurs.

Signed-off-by: Monis Khan <mok@microsoft.com>
2022-11-07 12:03:18 -05:00
Andrew Sy Kim
5b3a9e2d75 apiserver identity : use SHA256 hash in lease names
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-07 12:02:57 -05:00
Andrew Sy Kim
f74f819e1a apiserver identity: update Lease creation integration test to validate new naming format and hostname label
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-03 22:53:56 -04:00
Rita Zhang
c3df726c7b
Enable encryption for custom resources
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
2022-10-26 13:37:11 -07:00
Monis Khan
f507bc2553
Load encryption config once
This change updates the API server code to load the encryption
config once at start up instead of multiple times.  Previously the
code would set up the storage transformers and the etcd healthz
checks in separate parse steps.  This is problematic for KMS v2 key
ID based staleness checks which need to be able to assert that the
API server has a single view into the KMS plugin's current key ID.

Signed-off-by: Monis Khan <mok@microsoft.com>
2022-10-13 10:52:29 -04:00
Kubernetes Prow Robot
24377fa7a1
Merge pull request #112703 from enj/enj/r/kms_cleanup
encryption config: no-op refactor to prepare for single loading
2022-09-26 14:50:26 -07:00
Monis Khan
db850931a8
encryption config: no-op refactor to prepare for single loading
Signed-off-by: Monis Khan <mok@microsoft.com>
2022-09-26 15:35:03 -04:00
Anish Ramasekar
c3794e2377
Add staging directory for kms
- Moves kms proto apis to the staging repo
- Updates generate and verify kms proto scripts to check staging repo

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2022-09-26 19:23:35 +00:00
Jordan Liggitt
6473f8c7e3
Make controlplane integation tests coexist with default API server config 2022-09-21 12:42:49 -04:00
Anish Ramasekar
f19f3f4099
Implement KMS v2alpha1
- add feature gate
- add encrypted object and run generated_files
- generate protobuf for encrypted object and add unit tests
- move parse endpoint to util and refactor
- refactor interface and remove unused interceptor
- add protobuf generate to update-generated-kms.sh
- add integration tests
- add defaulting for apiVersion in kmsConfiguration
- handle v1/v2 and default in encryption config parsing
- move metrics to own pkg and reuse for v2
- use Marshal and Unmarshal instead of serializer
- add context for all service methods
- check version and keyid for healthz

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2022-08-03 19:04:47 +00:00
Anish Ramasekar
d54631a41a
feat:(kms) encrypt data with DEK using AES-GCM instead of AES-CBC
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2022-08-02 01:12:47 +00:00
Wojciech Tyczyński
e9e494e14a Clean shutdown of apiserver integration tests 2022-07-19 10:03:51 +02:00
Kubernetes Prow Robot
1c1efde70d
Merge pull request #109639 from Abirdcfly/fixduplicateimport
cleanup: remove all duplicate import
2022-07-18 16:55:23 -07:00
Wojciech Tyczyński
8e267eba51 Clean shutdown of controlplane integration tests 2022-07-14 14:38:22 +02:00
Abirdcfly
00b9ead02c cleanup: remove duplicate import
Signed-off-by: Abirdcfly <fp544037857@gmail.com>
2022-07-14 11:25:19 +08:00
Davanum Srinivas
50bea1dad8
Move from k8s.gcr.io to registry.k8s.io
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-05-31 10:16:53 -04:00
Wojciech Tyczyński
6f706775bc Clean shutdown of test apiserver 2022-05-26 10:42:48 +02:00
Wojciech Tyczyński
2dd44d6226 Cleanup no-longer used storage cleanup method 2022-05-11 20:11:37 +02:00
Anish Ramasekar
90b42f91fd
feat: prepare KMS data encryption for migration to AES-GCM
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Co-authored-by: Monis Khan <mok@vmware.com>
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2022-03-30 00:37:42 +00:00
Antonio Ojea
ddadc9a0bb reorganize controlplane integration tests 2022-03-26 09:19:55 +01:00
carlory
fcc282f9f2 remove audit.k8s.io/v1[alpha|beta]1 versions 2022-03-08 14:37:26 +08:00
Antonio Ojea
b0600c630d integration: run tests in eachs own process 2022-03-03 08:19:14 +01:00
Steve Kuznetsov
27312feb99
storage: transformers: pass a context.Context
When an envelope transformer calls out to KMS (for instance), it will be
very helpful to pass a `context.Context` to allow for cancellation. This
patch does that, while passing the previously-expected additional data
via a context value.

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
2022-02-17 08:31:31 -08:00
ahrtr
fe95aa614c io/ioutil has already been deprecated in golang 1.16, so replace all ioutil with io and os 2022-02-03 05:32:12 +08:00