k3s/cmd
Kubernetes Submit Queue f893cddfba Merge pull request #46460 from sakshamsharma/location_transformer
Automatic merge from submit-queue (batch tested with PRs 46550, 46663, 46816, 46820, 46460)

Add configuration for encryption providers

## Additions

Allows providing a configuration file (using flag `--experimental-encryption-provider-config`) to use the existing AEAD transformer (with multiple keys) by composing mutable transformer, prefix transformer (for parsing providerId), another prefix transformer (for parsing keyId), and AES-GCM transformers (one for each key). Multiple providers can be configured using the configuration file.

Example configuration:
```yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - namespaces
    providers:
    - aes:
        keys:
        - name: key1
          secret: c2VjcmV0IGlzIHNlY3VyZQ==
        - name: key2
          secret: dGhpcyBpcyBwYXNzd29yZA==
    - identity: {}
```

Need for configuration discussed in:
#41939
[Encryption](3418b4e4c6/contributors/design-proposals/encryption.md)

**Pathway of a read/write request**:
1. MutableTransformer
2. PrefixTransformer reads the provider-id, and passes the request further if that matches.
3. PrefixTransformer reads the key-id, and passes the request further if that matches.
4. GCMTransformer tries decrypting and authenticating the cipher text in case of reads. Similarly for writes.

## Caveats
1. To keep the command line parameter parsing independent of the individual transformer's configuration, we need to convert the configuration to an `interface{}` and manually parse it in the transformer. Suggestions on better ways to do this are welcome.

2. Flags `--encryption-provider` and `--encrypt-resource` (both mentioned in [this document](3418b4e4c6/contributors/design-proposals/encryption.md) ) are not supported in this because they do not allow more than one provider, and the current format for the configuration file possibly supersedes their functionality.

3. Currently, it can be tested by adding `--experimental-encryption-provider-config=config.yml` to `hack/local-up-cluster.sh` on line 511, and placing the above configuration in `config.yml` in the root project directory.

Previous discussion on these changes:
https://github.com/sakshamsharma/kubernetes/pull/1

@jcbsmpsn @destijl @smarterclayton

## TODO
1. Investigate if we need to store keys on disk (per [encryption.md](3418b4e4c6/contributors/design-proposals/encryption.md#option-1-simple-list-of-keys-on-disk))
2. Look at [alpha flag conventions](https://github.com/kubernetes/kubernetes/blob/master/pkg/features/kube_features.go)
3. Need to reserve `k8s:enc` prefix formally for encrypted data. Else find a better way to detect transformed data.
2017-06-05 16:43:48 -07:00
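The provider and key selection chain described in the merge message above (provider prefix, then key prefix, then AES-GCM, with `identity: {}` as the fallthrough), worked through as an added Go example. This is not the PR's code and not code from the Kubernetes or k3s repositories. The two keys are the ones from the example configuration; the literal prefix spelling `k8s:enc:aes:v1:<keyname>:`, the nonce-then-ciphertext layout, and the use of the etcd key as AES-GCM additional authenticated data are this example's assumptions (the message only reserves the `k8s:enc` prefix). The mutable transformer layer is omitted since it only swaps the chain at runtime:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Transformer is the read/write pathway from the PR: reads call TransformFromStorage, writes TransformToStorage.
type Transformer interface {
	TransformFromStorage(data, context []byte) ([]byte, error)
	TransformToStorage(data, context []byte) ([]byte, error)
}

// identityTransformer is the `identity: {}` provider: data passes through unchanged.
type identityTransformer struct{}

func (identityTransformer) TransformFromStorage(d, _ []byte) ([]byte, error) { return d, nil }
func (identityTransformer) TransformToStorage(d, _ []byte) ([]byte, error)   { return d, nil }

// gcmTransformer is one AES-GCM key. Layout assumed by this example: random 12-byte nonce,
// then ciphertext+tag, with the storage context (etcd key) bound as additional authenticated data.
type gcmTransformer struct{ aead cipher.AEAD }

func newGCM(secretB64 string) (cipher.AEAD, error) {
	key, err := base64.StdEncoding.DecodeString(secretB64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (t *gcmTransformer) TransformFromStorage(data, context []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return t.aead.Open(nil, data[:ns], data[ns:], context) // fails on tampering or wrong context
}

func (t *gcmTransformer) TransformToStorage(data, context []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, data, context), nil
}

// prefixTransformer: on read, the first entry whose prefix matches handles the data (so the
// identity provider, with its empty prefix, must be last); on write the first entry is used.
type prefixEntry struct {
	prefix []byte
	t      Transformer
}
type prefixTransformer struct{ entries []prefixEntry }

func (p *prefixTransformer) TransformFromStorage(data, context []byte) ([]byte, error) {
	for _, e := range p.entries {
		if bytes.HasPrefix(data, e.prefix) {
			return e.t.TransformFromStorage(data[len(e.prefix):], context)
		}
	}
	return nil, errors.New("no configured provider or key matches the stored data")
}

func (p *prefixTransformer) TransformToStorage(data, context []byte) ([]byte, error) {
	out, err := p.entries[0].t.TransformToStorage(data, context)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, p.entries[0].prefix...), out...), nil
}

// KeyConfig is one entry under `aes: keys:`; Secret is base64 exactly as written in the YAML.
type KeyConfig struct{ Name, Secret string }

// ExampleKeys are the two keys from the PR's example configuration (16 bytes each, so AES-128).
var ExampleKeys = []KeyConfig{{"key1", "c2VjcmV0IGlzIHNlY3VyZQ=="}, {"key2", "dGhpcyBpcyBwYXNzd29yZA=="}}

// BuildTransformer composes providers [aes, identity] in config order: the outer prefix selects
// the provider, the inner one the key. "k8s:enc:aes:v1:<name>:" is this example's spelling only.
func BuildTransformer(keys []KeyConfig) (Transformer, error) {
	if len(keys) == 0 {
		return nil, errors.New("aes provider needs at least one key")
	}
	keyed := &prefixTransformer{}
	for _, k := range keys {
		aead, err := newGCM(k.Secret)
		if err != nil {
			return nil, errors.New("key " + k.Name + ": " + err.Error())
		}
		keyed.entries = append(keyed.entries, prefixEntry{[]byte(k.Name + ":"), &gcmTransformer{aead}})
	}
	return &prefixTransformer{entries: []prefixEntry{
		{[]byte("k8s:enc:aes:v1:"), keyed},
		{[]byte{}, identityTransformer{}}, // empty prefix matches everything: keep it last
	}}, nil
}
```

The empty-prefix identity entry is what lets objects written before encryption was turned on still be read, which is also why TODO item 3 in the message matters: any plaintext that happens to start with `k8s:enc:` is routed to the aes provider and fails to decrypt instead of passing through. Rotation is config order: listing `key2` first makes it the write key while `key1`-prefixed data stays readable until it is rewritten, and a ciphertext carrying a key name that is no longer configured is an error rather than a silent identity read.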
| Path | Last commit | Date |
| --- | --- | --- |
| clicheck | More cli sanity verifications | 2017-05-18 15:44:49 -03:00 |
| cloud-controller-manager | Initialize cloud providers with a K8s clientBuilder | 2017-05-17 14:38:25 -07:00 |
| gendocs | autogenerated | 2017-04-14 10:40:57 -07:00 |
| genkubedocs | autogenerated | 2017-04-14 10:40:57 -07:00 |
| genman | autogenerated | 2017-04-14 10:40:57 -07:00 |
| genslateyaml | autogenerated | 2017-04-14 10:40:57 -07:00 |
| genswaggertypedocs | autogenerated | 2017-04-14 10:40:57 -07:00 |
| genutils | | |
| genyaml | autogenerated | 2017-04-14 10:40:57 -07:00 |
| gke-certificates-controller | refactor certificate controller | 2017-05-23 15:25:58 -07:00 |
| hyperkube | Merge pull request #45635 from MrHohn/hyperkube-unit-test | 2017-05-23 20:52:56 -07:00 |
| kube-apiserver | Merge pull request #46460 from sakshamsharma/location_transformer | 2017-06-05 16:43:48 -07:00 |
| kube-controller-manager | Merge pull request #46783 from deads2k/controller-08-initfn | 2017-06-03 18:30:42 -07:00 |
| kube-proxy | Proxy: comments on --masquerade-all flag | 2017-06-01 12:36:31 -07:00 |
| kubeadm | Merge pull request #36721 from smarterclayton/initializers | 2017-06-03 07:16:52 -07:00 |
| kubectl | Introduce visibility rules to kubernetes code. | 2017-05-15 12:50:56 -07:00 |
| kubelet | Merge pull request #46456 from jingxu97/May/allocatable | 2017-06-03 00:24:29 -07:00 |
| kubemark | hollow-node.go:delete useless para. and import | 2017-05-25 12:54:01 +08:00 |
| libs/go2idl | Merge pull request #46726 from deads2k/crd-09-proto | 2017-06-02 21:34:54 -07:00 |
| linkcheck | autogenerated | 2017-04-14 10:40:57 -07:00 |
| mungedocs | autogenerated | 2017-04-14 10:40:57 -07:00 |
| BUILD | Merge pull request #42070 from luxas/remove_kube_discovery | 2017-03-04 12:58:23 -08:00 |
| OWNERS | | |