[KMSv2] Use status key ID to determine staleness of encrypted data #114544
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
area/apiserver
sig/api-machinery
|
/assign @enj |
ritazh
changed the title
|
/kind feature |
k8s-ci-robot
added
kind/feature
enj
suggested changes
Dec 16, 2022
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
Show resolved
Hide resolved
k8s-ci-robot
added
size/L
ritazh
force-pushed
the
kmsv2-keyid-staleness
branch
from
20457e4
to
bf56b63
Compare
|
/test pull-kubernetes-unit |
|
/cc |
ritazh
force-pushed
the
kmsv2-keyid-staleness
branch
from
bf56b63
to
c5f62be
Compare
aramase
reviewed
Jan 10, 2023
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
Outdated
Show resolved
Hide resolved
.../src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2alpha1/kms_plugin_mock.go
Outdated
Show resolved
Hide resolved
.../src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2alpha1/kms_plugin_mock.go
Outdated
Show resolved
Hide resolved
enj
suggested changes
Jan 10, 2023
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/kmsv2_transformation_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/kmsv2_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/kmsv2_transformation_test.go
Outdated
Show resolved
Hide resolved
enj
reviewed
Jan 10, 2023
| @@ -274,6 +280,15 @@ func (h *kmsv2PluginProbe) check(ctx context.Context) error { | |||
| return nil | |||
| } | |||
|
|
|||
| // getCurrentKeyID returns the latest keyID from the Status() method or err if keyID is empty | |||
| func (h *kmsv2PluginProbe) getCurrentKeyID(ctx context.Context) (string, error) { | |||
There was a problem hiding this comment.
@liggitt this PR makes the API server coast (forever) on the last successful key ID it got from the plugin. Thus staleness checks for read calls will not fail if the plugin is down transiently. At a high level I believe we have three choices here:
- Coast on the last key ID, no error, staleness based on last observed key ID
- Error and fail the read request (would partially defeat the purpose of having a cache since we would no longer tolerate plugin downtime)
- Mark the read request as
stale=true- for no-op updates this would cause a write (which would presumably fail since the plugin is down)
What do you think is the best approach here?
There was a problem hiding this comment.
Maybe another option is to make stale a *bool to try and express the "I do not know" state?
There was a problem hiding this comment.
it's hard to imagine life being better for a cluster admin if we make the cluster start failing reads ... I wouldn't do that.
failing no-op writes doesn't seem useful to me either... it pushes errors to users unlikely to be able to do anything about them
I think I would expect to coast, and for an error here to increment a metric to make it clear something is not working as expected (either transiently or persistently)
There was a problem hiding this comment.
Opened #115188 to add metrics as a follow up.
enj
reviewed
Jan 10, 2023
test/integration/controlplane/transformation/kmsv2_transformation_test.go
Show resolved
Hide resolved
enj
reviewed
Jan 10, 2023
| keyID := "" | ||
| probe.keyID.Store(&keyID) | ||
|
|
||
| go wait.PollImmediateUntilWithContext( |
There was a problem hiding this comment.
Trying to think if there is a way to have an integration test that proves that this loop is running. 🤔
|
Running the tests locally I see that https://github.com/ritazh/kubernetes/blob/c5f62be64070e68ca8f7f8c38af0a52ce119107d/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go#L569 causes a diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
index bd57f31ac77..4f93314e37a 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
@@ -26,8 +26,10 @@ import (
"time"
"github.com/google/go-cmp/cmp"
+
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/util/wait"
apiserverconfig "k8s.io/apiserver/pkg/apis/config"
"k8s.io/apiserver/pkg/features"
"k8s.io/apiserver/pkg/storage/value"
@@ -243,7 +245,7 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
for _, transformer := range transformers {
untransformedData, stale, err := transformer.Transformer.TransformFromStorage(ctx, transformedData, dataCtx)
- if err != nil && err.Error() != "got unexpected empty keyID" {
+ if err != nil {
t.Fatalf("%s: error while reading using %s transformer: %s", testCase.Name, transformer.Name, err)
}
if stale != (transformer.Name != testCase.Name) {
@@ -551,7 +553,9 @@ func TestKMSPluginHealthz(t *testing.T) {
return
}
- _, got, kmsUsed, err := getTransformerOverridesAndKMSPluginProbes(config, testContext(t).Done())
+ ctx, cancel := context.WithCancel(context.Background())
+ cancel() // cancel this upfront so the kms v2 healthz check poll only runs once
+ _, got, kmsUsed, err := getTransformerOverridesAndKMSPluginProbes(config, ctx.Done())
if err != nil {
t.Fatal(err)
}
@@ -565,6 +569,7 @@ func TestKMSPluginHealthz(t *testing.T) {
p.l = nil
p.lastResponse = nil
case *kmsv2PluginProbe:
+ waitForOneKMSv2Check(t, p) // make sure the kms v2 healthz check poll is done
p.service = nil
p.l = nil
p.lastResponse = nil
@@ -595,6 +600,19 @@ func TestKMSPluginHealthz(t *testing.T) {
}
}
+func waitForOneKMSv2Check(t *testing.T, p *kmsv2PluginProbe) {
+ t.Helper()
+
+ if err := wait.PollImmediate(100*time.Millisecond, wait.ForeverTestTimeout, func() (done bool, err error) {
+ p.l.Lock()
+ defer p.l.Unlock()
+
+ return !p.lastResponse.received.IsZero(), nil
+ }); err != nil {
+ t.Fatal(err)
+ }
+}
+
func TestKMSPluginHealthzTTL(t *testing.T) {
ctx := testContext(t)
|
k8s-ci-robot
added
the
needs-rebase
ritazh
force-pushed
the
kmsv2-keyid-staleness
branch
from
7fcff60
to
e866cd8
Compare
k8s-ci-robot
removed
the
needs-rebase
ritazh
force-pushed
the
kmsv2-keyid-staleness
branch
from
e866cd8
to
a73d300
Compare
ritazh
force-pushed
the
kmsv2-keyid-staleness
branch
from
a73d300
to
efb1637
Compare
enj
suggested changes
Jan 18, 2023
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/kmsv2_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/kmsv2_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/kmsv2_transformation_test.go
Outdated
Show resolved
Hide resolved
aramase
reviewed
Jan 18, 2023
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
Show resolved
Hide resolved
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
ritazh
force-pushed
the
kmsv2-keyid-staleness
branch
from
7648bd2
to
510ac9b
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: f26e0356dab57c67edc5b38085ae2ea05b91fce0
|
k8s-ci-robot
added
the
approved
enj
approved these changes
Jan 19, 2023
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, ritazh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
KMSv2: Use status key ID to determine staleness of encrypted data
Which issue(s) this PR fixes:
Fixes #111922
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/milestone v1.27
/sig auth
/triage accepted