Add configuration for encryption providers, introduce location transformer #1
@@ -109,6 +109,9 @@ func (s *EtcdOptions) AddFlags(fs *pflag.FlagSet) { | |||
|
|||
fs.BoolVar(&s.StorageConfig.Quorum, "etcd-quorum-read", s.StorageConfig.Quorum, | |||
"If true, enable quorum read.") | |||
|
|||
fs.Var(EncryptionProviderConfig{Transf: &s.StorageConfig.Transformer}, "encryption-provider-config", |
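Review bot: `EncryptionProviderConfig{Transf: &s.StorageConfig.Transformer}` is handed to `fs.Var` by value, so `Set` can only take effect because `Transf` is a pointer into `s.StorageConfig`; a one-line comment on the struct would spare the next reader that deduction, and `Transformer` is a clearer field name than `Transf`. Since the file format this flag loads is still being designed, the flag name should also carry an experimental prefix so operators do not treat it as stable.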
Name the flag 'experimental-encryption-provider-config' so people can understand it isn't stable yet.
@@ -0,0 +1,107 @@ | |||
/* | |||
Copyright 2016 The Kubernetes Authors. |
Copyright 2017
@@ -0,0 +1,107 @@ | |||
/* |
It looks like this should be in a file encryption_provider_config.go
func (e EncryptionProviderConfig) Set(filepath string) error { | ||
data, err := ioutil.ReadFile(filepath) | ||
if err != nil { | ||
return err |
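Review bot: the parameter name `filepath` in `Set(filepath string)` shadows the standard `path/filepath` package for the whole function body; `configFile` avoids that. The bare `return err` also drops which file failed to load, and an operator debugging a mistyped `--encryption-provider-config` path will want the file name in the error.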
return fmt.Errorf("could not read encryption provider config from %q: %v", filepath, err). Or new.Error, whatever you prefer.
|
||
// For each provider listed in config file | ||
for _, provider := range providers { | ||
|
Don't need this blank line.
// Parse the config map to get configuration | ||
providerConfig, err := parseProviderInfo(provider) | ||
if err != nil { | ||
glog.Warningf(err.Error()) |
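Review bot: `glog.Warningf(err.Error())` uses the error text as the format string, so any `%` in a provider name or config value is interpreted as a format verb; use `glog.Warning(err)` or `glog.Warningf("%v", err)`. Beyond that, a provider entry that fails to parse is a startup misconfiguration and is safer returned as an error than logged, since continuing means the API server starts without the provider the operator configured.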
Why not return an error here? It seems like the config file is unparseable, but just a warning is logged? Wouldn't returning an error cause the process to not start?
|
||
if resource, ok := config["resource"].(string); ok { | ||
sliceResource := []byte(resource) | ||
if sliceResource[len(sliceResource)-1] != '/' { |
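Review bot: `sliceResource[len(sliceResource)-1]` panics with an index out of range when `resource` is the empty string, which a hand-written config can easily produce; the `[]byte` conversion is unnecessary as well. `strings.HasSuffix(resource, "/")` expresses the same check and is safe on empty input.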
Won't this crash if the resource string is an empty string?
// Example configuration: | ||
// keys: | ||
// - name: key1 | ||
// file: key1.txt |
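Review bot: the `file: key1.txt` form loads key material from a separate path, and the PR description states that a random key is generated when the file does not exist; document that behaviour next to this example and consider failing instead, because a mistyped path would silently mint a fresh key that cannot decrypt existing data, and two API servers reading the same config could end up with different keys.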
Why are you putting the keys in other files? Why not put them right here?
- Some users may want keys which are represented in bytes for security. It may be awkward to have byte keys in a configuration file. Alternatively, we can define a convention to paste keys in base64 here.
- This way, keys can be kept away from the configuration. The configuration file may be accessible to multiple users / groups, but the keys should preferably only be readable by the APIserver user. The file based approach allows a certain extent of privilege separation.
- Bytes in a file will be base64 encoded.
- The configuration files are privileged and we have secrets embedded in them in other places. They have very limited accessibility because of their confidentiality.
// Get the key configuration as a struct | ||
keyConfig, err := value.GetKeyDataFromConfig(keyMap) | ||
if err != nil { | ||
glog.Warningf(err.Error()) |
It just failed to load a key here, didn't it? I don't think this should be a warning, it should be an unrecoverable error.
// Create a prefixTransformer to parse the AEAD prefix | ||
return value.NewPrefixTransformers(nil, value.PrefixTransformer{ | ||
Transformer: keyTransformer, | ||
Prefix: []byte("AEAD:"), |
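Review bot: `Prefix: []byte("AEAD:")` names a class of algorithms rather than the provider and its framing version, so a later change of cipher or ciphertext layout could not be told apart from existing data at read time; a versioned, provider-specific prefix such as the `k8s-aes-gcm-v1` from the design proposal keeps the stored format evolvable.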
This should be 'k8s-aes-gcm-v1'. See https://github.com/kubernetes/community/pull/607/files, section 'AES-GCM Encryption provider'
…mance Automatic merge from submit-queue (batch tested with PRs 38505, 41785, 46315) Only retrieve relevant volumes **What this PR does / why we need it**: Improves performance for Cinder volume attach/detach calls. Currently when Cinder volumes are attached or detached, functions try to retrieve details about the volume from the Nova API. Because some only have the volume name not its UUID, they use the list function in gophercloud to iterate over all volumes to find a match. This incurs severe performance problems on OpenStack projects with lots of volumes (sometimes thousands) since it needs to send a new request when the current page does not contain a match. A better way of doing this is use the `?name=XXX` query parameter to refine the results. **Which issue this PR fixes**: kubernetes#26404 **Special notes for your reviewer**: There were 2 ways of addressing this problem: 1. Use the `name` query parameter 2. Instead of using the list function, switch to using volume UUIDs and use the GET function instead. You'd need to change the signature of a few functions though, such as [`DeleteVolume`](https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/cinder/cinder.go#L49), so I'm not sure how backwards compatible that is. Since #1 does effectively the same as #2, I went with it because it ensures BC. One assumption that is made is that the `volumeName` being retrieved matches exactly the name of the volume in Cinder. I'm not sure how accurate that is, but I see no reason why cloud providers would want to append/prefix things arbitrarily. **Release note**: ```release-note Improves performance of Cinder volume attach/detach operations ```
I've fixed the changes, except for two. For those, I have commented on the thread. One of them (in transformer.go, about why the current logic allows multiple matches) has been collapsed due to some other changes. I can rename the commits and merge some of them together if need be.
Merge all commits together before posting a PR to the Kubernetes repo. Reviewers on that repo usually prefer a single commit in a PR.
Automatic merge from submit-queue (batch tested with PRs 46252, 45524, 46236, 46277, 46522) Add /healthz back to kube-proxy metrics server Fixes kubernetes#46447. /healthz is removed from kube-proxy metrics server by kubernetes#44968 and that breaks our upgrade test, which run 1.6 tests on 1.7 cluster. It seems harmless to continue holding /healthz on metrics server as well, so that we won't break other potential users. /assign @bowei cc @dchen1107 **Release note**: ```release-note NONE ```
…on-manager Automatic merge from submit-queue Configuration manager for dynamic admission control registration Implementing this [section](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/dynamic-admission-control-configuration.md#synchronization-of-admission-control-configurations) of kubernetes/community#611 Adding a configuration manager that reads the ExternalAdmissionHookConfigurations and InitializerConfigurations periodically, and returns the merged configuration. cc @smarterclayton @whitlockjc
Automatic merge from submit-queue (batch tested with PRs 46302, 44597, 44742, 46554) support replaceKeys patch strategy Implementing according to [this proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/add-new-patchStrategy-to-clear-fields-not-present-in-patch.md). The revision is in kubernetes/community#620. ```release-note support replaceKeys patch strategy and directive for strategic merge patch ```
Automatic merge from submit-queue (batch tested with PRs 46302, 44597, 44742, 46554) Change to aggregator so it calls a user apiservice via its pod IP. proxy_handler now does a sideways call to lookup the pod IPs for a service. It will then pick a random pod IP to forward the user apiserver request to. **What this PR does / why we need it**: It allows the aggregator to work without setting up the full network stack on the kube master (i.e. with kube-dns or kube-proxy) **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#44619 **Special notes for your reviewer**: **Release note**: ```release-note ```
Automatic merge from submit-queue (batch tested with PRs 46302, 44597, 44742, 46554) Do not install do-nothing iptables rules Deprecate kubelet non-masquerade-cidr. Do not install iptables rules if it is set to 0.0.0.0/0. Fixes kubernetes#46553
This commit regenerates the protobuf as per the recent generation changes (removing erroneous imports, adding k8s.io/metrics), and syncs the changes to client-go (which also ensures that client-go protobuf IDL has the correct package names).
Automatic merge from submit-queue fix typo in build.sh **What this PR does / why we need it**: fix typo in build.sh **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # NONE **Special notes for your reviewer**: NONE **Release note**: ```release-note NONE ```
…ests Automatic merge from submit-queue Performance tests also cover configmaps now Similar to secrets. We should be able to get this in once kubernetes#46470 is merged. /cc @wojtek-t @gmarek
Automatic merge from submit-queue unit test for kubectl config set-cluster **What this PR does / why we need it**: unit test for create cluster **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: I want to test secure mode, but how do I set the CA path? **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 43505, 45168, 46439, 46677, 46623) fix AWS tagging to add missing tags only It seems that intention of original code was to build map of missing tags and call AWS API to add just them, but due to typo full set of tags was always (re)added ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 43505, 45168, 46439, 46677, 46623) Test finalization for CRs **What this PR does / why we need it**: Updates kubernetes#45511 with a test for finalizers for CRDs. **Release note**: ```release-note NONE ``` @deads2k
Automatic merge from submit-queue (batch tested with PRs 43505, 45168, 46439, 46677, 46623) Add TPR to CRD migration helper. This is a helper for migrating TPR data to CustomResource. It's rather hacky because it requires crossing apiserver boundaries, but doing it this way keeps the mess contained to the TPR code, which is scheduled for deletion anyway. It's also not completely hands-free because making it resilient enough to be completely automated is too involved to be worth it for an alpha-to-beta migration, and would require investing significant effort to fix up soon-to-be-deleted TPR code. Instead, this feature will be documented as a best-effort helper whose results should be verified by hand. The intended benefit of this over a totally manual process is that it should be possible to copy TPR data into a CRD without having to tear everything down in the middle. The process would look like this:
1. Upgrade to k8s 1.7. Nothing happens to your TPRs.
2. Create CRD with group/version and resource names that match the TPR. Still nothing happens to your TPRs, as the CRD is hidden by the overlapping TPR.
3. Delete the TPR. The TPR data is converted to CustomResource data, and the CRD begins serving at the same REST path.
Note that the old TPR data is left behind by this process, so watchers should not receive DELETE events. This also means the user can revert to the pre-migration state by recreating the TPR definition. Ref. kubernetes#45728
…ed-modes Automatic merge from submit-queue (batch tested with PRs 43505, 45168, 46439, 46677, 46623) aggregator: unify resolver implementation and tests This is kubernetes#45082, but without the port support.
Automatic merge from submit-queue Checked node condition for DaemonSets when updating node. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#45628 **Release note**: ```release-note-none ```
Automatic merge from submit-queue Update fluentd-gcp version Updates the `fluent-plugin-google-cloud` version to `0.6.2`. This patch contains bug fixes
…-event Automatic merge from submit-queue Extract volume relevant events reason Extract volume relevant events reason and make them const **Release note**: ```release-note NONE ```
…taging-imports-logic Automatic merge from submit-queue hack/verify-staging-imports.sh: simplify by negating package list The forbidden list of repos got lengthy. The inverse is much shorter and easier to maintain.
Automatic merge from submit-queue Disable all alpha feature gates by default in local-up-cluster.sh **What this PR does / why we need it**: Disable all alpha feature gates by default in local-up-cluster.sh **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#46691 **Special notes for your reviewer**: **Release note**: ``` None ```
Automatic merge from submit-queue support setElementOrder Implement [proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/preserve-order-in-strategic-merge-patch.md). Fixes kubernetes#40373 ```release-note kubectl edit and kubectl apply will keep the ordering of elements in merged lists ```
Automatic merge from submit-queue Add Local Storage Capacity Isolation API This PR adds the new APIs to support storage capacity isolation as described in the proposal [https://github.com/kubernetes/community/pull/306](url) 1. Add SizeLimit for emptyDir volume 2. Add scratch and overlay storage type used by container level or node level **Release note**: ```release-note Alpha feature: Local volume Storage Capacity Isolation allows users to set storage limit to isolate EmptyDir volumes, container storage overlay, and also supports allocatable storage for shared root file system. ```
…up-runtime-GetNetNS Revert "kubelet/network: report but tolerate errors returned from GetNetNS()"
Automatic merge from submit-queue Set Kubelet Disk Defaults for the 1.7 release The `--low-diskspace-threshold-mb` flag has been depreciated since 1.6. This PR sets the default to `0`, and sets defaults for disk eviction based on the values used for our [e2e tests](https://github.com/kubernetes/kubernetes/blob/master/test/e2e_node/services/kubelet.go#L145). This also removes the custom defaults for vagrant, as the new defaults should work for it as well. /assign @derekwaynecarr cc @vishh ```release-note By default, --low-diskspace-threshold-mb is not set, and --eviction-hard includes "nodefs.available<10%,nodefs.inodesFree<5%" ```
Added API node ready check after PD test deleting a GCE instance.
Automatic merge from submit-queue resolv.conf nameserver line has only one entry, ignore trailing garbage **What this PR does / why we need it**: Per the resolv.conf man page "name servers may be listed, one per keyword." Some tools such as udhcpc take advantage of this to append comments to nameserver entries. For example: `nameserver 8.8.8.8 # eth0`. This updates the resolv.conf parser to ignore trailing garbage on nameserver lines. **Release note**: NONE
…kend Automatic merge from submit-queue apiserver: add a webhook implementation of the audit backend This builds off of kubernetes#45315 and is intended to implement an interfaced defined in kubernetes#45766. TODO: - [x] Rebase on top of API types PR. - [x] Rebase on top of API types updates (kubernetes#46065) - [x] Rebase on top of feature flag (kubernetes#46009) - [x] Rebase on top of audit instrumentation. - [x] Hook up API server flag or register plugin (depending on kubernetes#45766) Features issue kubernetes/enhancements#22 Design proposal https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auditing.md ```release-notes Webhook added to the API server which omits structured audit log events. ``` /cc @soltysh @timstclair @soltysh @deads2k
Automatic merge from submit-queue try to deflake CR watches in tests Fixes kubernetes#46446 I've added a comment trying to explain the reasoning in the code. Without being able to expose the RV of the cache, I can't think of a reliable way to do it. Even if you tried experimenting with a watch, it essentially does this since you'd be waiting to not get an error.
…umeMounterFromPlugins Automatic merge from submit-queue fix comment error in function newVolumeMounterFromPlugins **What this PR does / why we need it**: Fix the comment error in function newVolumeMounterFromPlugins, which may cause confusion.
- Add location transformer, config for transformers: Location transformer helps choose the most specific transformer for read/write operations depending on the path of resource being accessed. Configuration allows use of --experimental-encryption-provider-config to set up encryption providers. Only AEAD is supported at the moment.
- Add new files to BUILD, AEAD => k8s-aes-gcm
- Use group resources to select encryption provider
- Update tests for configuration parsing
- Remove location transformer
- Allow specifying providers per resource group in configuration
- Add IdentityTransformer configuration option
- Fix minor issues with initial AEAD implementation
- Unified parsing of all configurations
- Parse configuration using a union struct
- Run configuration parsing in APIserver, refactor parsing
- More gdoc, fix minor bugs
- Add test coverage for combined transformers
- Use table driven tests for encryptionconfig
…former Automatic merge from submit-queue (batch tested with PRs 46550, 46663, 46816, 46820, 46460) Add configuration for encryption providers

## Additions

Allows providing a configuration file (using flag `--experimental-encryption-provider-config`) to use the existing AEAD transformer (with multiple keys) by composing mutable transformer, prefix transformer (for parsing providerId), another prefix transformer (for parsing keyId), and AES-GCM transformers (one for each key). Multiple providers can be configured using the configuration file.

Example configuration:

```yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - namespaces
    providers:
    - aes:
        keys:
        - name: key1
          secret: c2VjcmV0IGlzIHNlY3VyZQ==
        - name: key2
          secret: dGhpcyBpcyBwYXNzd29yZA==
    - identity: {}
```

Need for configuration discussed in: kubernetes#41939, [Encryption](https://github.com/destijl/community/blob/3418b4e4c6358f5dc747a37b90a97bc792f159ee/contributors/design-proposals/encryption.md)

**Pathway of a read/write request**:

1. MutableTransformer
2. PrefixTransformer reads the provider-id, and passes the request further if that matches.
3. PrefixTransformer reads the key-id, and passes the request further if that matches.
4. GCMTransformer tries decrypting and authenticating the cipher text in case of reads. Similarly for writes.

## Caveats

1. To keep the command line parameter parsing independent of the individual transformer's configuration, we need to convert the configuration to an `interface{}` and manually parse it in the transformer. Suggestions on better ways to do this are welcome.
2. Flags `--encryption-provider` and `--encrypt-resource` (both mentioned in [this document](https://github.com/destijl/community/blob/3418b4e4c6358f5dc747a37b90a97bc792f159ee/contributors/design-proposals/encryption.md)) are not supported in this because they do not allow more than one provider, and the current format for the configuration file possibly supersedes their functionality.
3. Currently, it can be tested by adding `--experimental-encryption-provider-config=config.yml` to `hack/local-up-cluster.sh` on line 511, and placing the above configuration in `config.yml` in the root project directory.

Previous discussion on these changes: sakshamsharma#1 @jcbsmpsn @destijl @smarterclayton

## TODO

1. Investigate if we need to store keys on disk (per [encryption.md](https://github.com/destijl/community/blob/3418b4e4c6358f5dc747a37b90a97bc792f159ee/contributors/design-proposals/encryption.md#option-1-simple-list-of-keys-on-disk))
2. Look at [alpha flag conventions](https://github.com/kubernetes/kubernetes/blob/master/pkg/features/kube_features.go)
3. Need to reserve `k8s:enc` prefix formally for encrypted data. Else find a better way to detect transformed data.
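The read/write pathway described above, as an added example that is not the PR's or Kubernetes' own code: a reduced Go model of prefix transformer (provider id) → prefix transformer (key id) → AES-GCM, with the `identity` provider as the fallback for data written before encryption was enabled. The mutable transformer stage is left out, the interface is simplified (no context or authenticated data), the provider prefix `k8s:enc:aes:v1:` and the key prefixes `key1:`/`key2:` are assumptions, and the test keys are the two example-config secrets decoded (16 bytes each).

```go
package main
import ("bytes"; "crypto/aes"; "crypto/cipher"; "crypto/rand"; "fmt"; "io")
// Transformer mirrors the PR's storage/value interface; "stale" flags a value that was
// not written by the preferred transformer and should be re-encrypted on the next write.
type Transformer interface {
	TransformFromStorage(data []byte) (out []byte, stale bool, err error)
	TransformToStorage(data []byte) ([]byte, error)
}

// PrefixTransformer binds a storage prefix (provider id or key id) to a transformer.
type PrefixTransformer struct{ Prefix []byte; Transformer Transformer }
type prefixTransformers struct{ transformers []PrefixTransformer }
func NewPrefixTransformers(ts ...PrefixTransformer) Transformer { return &prefixTransformers{ts} }
// Reads dispatch on the first matching prefix; a value not handled by entry 0 is stale.
func (p *prefixTransformers) TransformFromStorage(data []byte) ([]byte, bool, error) {
	for i, t := range p.transformers {
		if bytes.HasPrefix(data, t.Prefix) {
			out, stale, err := t.Transformer.TransformFromStorage(data[len(t.Prefix):])
			return out, stale || i != 0, err
		}
	}
	return nil, false, fmt.Errorf("stored value matches no configured prefix")
}
// Writes always go through the first (preferred) entry, with its prefix prepended.
func (p *prefixTransformers) TransformToStorage(data []byte) ([]byte, error) {
	out, err := p.transformers[0].Transformer.TransformToStorage(data)
	if err != nil { return nil, err }
	return append(append([]byte{}, p.transformers[0].Prefix...), out...), nil
}

type identity struct{} // the `identity: {}` provider: bytes pass through unchanged
func (identity) TransformFromStorage(d []byte) ([]byte, bool, error) { return d, false, nil }
func (identity) TransformToStorage(d []byte) ([]byte, error)         { return d, nil }

type gcm struct{ aead cipher.AEAD } // per-key AES-GCM; a random nonce is stored before the ciphertext
func NewGCMTransformer(key []byte) (Transformer, error) { // key: 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &gcm{aead}, nil
}
func (g *gcm) TransformToStorage(data []byte) ([]byte, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return g.aead.Seal(nonce, nonce, data, nil), nil
}
func (g *gcm) TransformFromStorage(data []byte) ([]byte, bool, error) {
	n := g.aead.NonceSize()
	if len(data) < n { return nil, false, fmt.Errorf("ciphertext shorter than the GCM nonce") }
	out, err := g.aead.Open(nil, data[:n], data[n:], nil) // fails on any tampering
	return out, false, err
}

// BuildChain composes the chain from the example config: provider prefix -> key prefix ->
// AES-GCM (first key preferred), with identity last so legacy plaintext stays readable.
func BuildChain(keys map[string][]byte, order []string) (Transformer, error) {
	var keyed []PrefixTransformer
	for _, name := range order {
		t, err := NewGCMTransformer(keys[name])
		if err != nil { return nil, err }
		keyed = append(keyed, PrefixTransformer{[]byte(name + ":"), t})
	}
	return NewPrefixTransformers(
		PrefixTransformer{[]byte("k8s:enc:aes:v1:"), NewPrefixTransformers(keyed...)},
		PrefixTransformer{nil, identity{}}, // empty prefix matches everything else
	), nil
}

func main() { // stand-alone demo: the provider and key prefixes precede nonce+ciphertext
	chain, _ := BuildChain(map[string][]byte{"key1": []byte("secret is secure")}, []string{"key1"})
	ct, _ := chain.TransformToStorage([]byte("hello"))
	fmt.Printf("%q\n", ct[:20])
}
```

Legacy plaintext that happens to start with the provider prefix would be misread as ciphertext, which is exactly the prefix-reservation problem item 3 of the TODO raises.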
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612) Move slow PV test to slow suite. See [testgrid](https://k8s-testgrid.appspot.com/google-gce#gce&width=5&graph-metrics=test-duration-minutes). #1
## Additions

Adds location transformer. Inspects the incoming read/write request and chooses a provider which is configured for that resource. For example: if a request is for writing to `/v1/Secrets/privateKey`, a provider whose configured resource is `/v1/Secrets` would get more preference than a provider whose configured resource is `/v1`.

Allows providing a configuration file (using flag `--experimental-encryption-provider-config`) to use the existing AEAD transformer (with multiple keys) by composing mutable transformer, location transformer, prefix transformer (for parsing providerId), another prefix transformer (for parsing keyId), and AES-GCM transformers (one for each key). Multiple providers can be configured using the configuration file.

Example configuration:

The key files need not exist, and a key will be generated randomly if the file does not exist.

Need for configuration discussed in:
- kubernetes#41939
- https://github.com/destijl/community/blob/3418b4e4c6358f5dc747a37b90a97bc792f159ee/contributors/design-proposals/encryption.md

Pathway of a read/write request:

## Caveats

- To keep the command line parameter parsing independent of the individual transformer's configuration, we need to convert the configuration to an `interface{}` and manually parse it in the transformer. Suggestions on better ways to do this are welcome.
- Flags `--encryption-provider` and `--encrypt-resource` (both mentioned in this document) are not supported in this because they do not allow more than one provider, and the current format for the configuration file possibly supersedes their functionality.
- There are no tests for the configuration parsing at the moment. Once this pull request's specifications are approved, they will be added. Currently, it can be tested by adding `--experimental-encryption-provider-config=config.yml` to `hack/local-up-cluster.sh` on line 511, and placing the above configuration in `config.yml` in the root directory.

Things to consider:
- Need to evaluate if there will be a performance hit due to the composed transformers.
- Should we move location transformer, prefix transformer and mutable transformer to separate files?