kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #48574 from sakshamsharma/kms-transformer 

Automatic merge from submit-queue

Add Google cloud KMS service for envelope encryption transformer

This adds the required pieces which will allow addition of KMS based encryption providers (envelope transformer).

For now, we will be implementing it using Google Cloud KMS, but the code should make it easy to add support for any other such provider which can expose Decrypt and Encrypt calls.

Writing tests for Google Cloud KMS Service may cause a significant overhead to the testing framework. It has been tested locally and on GKE though.

Upcoming after this PR:
* Complete implementation of the envelope transformer, which uses LRU cache to maintain decrypted DEKs in memory.
* Track key version to assist in data re-encryption after a KEK rotation.

Development branch containing the changes described above: https://github.com/sakshamsharma/kubernetes/pull/4

Envelope transformer used by this PR was merged in #49350 

Concerns #48522 

Planned configuration:
```
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    - kms:
        cachesize: 100
        configfile: gcp-cloudkms.conf
        name: gcp-cloudkms
    - identity: {}
```

gcp-cloudkms.conf:
```
[GoogleCloudKMS]
    kms-location: global
    kms-keyring: google-container-engine
    kms-cryptokey: example-key
```

Kubernetes-commit: 0d17e9deb7188bc79d905cb4ef6911c0a27adc59
This commit is contained in:
Kubernetes Publisher 2017-08-29 11:11:11 -07:00
parent c68d80e8a2 b9e05868ba
commit a8a9cf8e45
4 changed files with 14 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
pkg/server/options/encryptionconfig/config.go
View File

@ -36,11 +36,10 @@ import (
)
const (
aesCBCTransformerPrefixV1 = "k8s:enc:aescbc:v1:"
aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:"
secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1:"
kmsTransformerPrefixV1 = "k8s:enc:kms:v1:"
cloudProvidedKMSTransformerPrefixV1 = "k8s:enc:cloudprovidedkms:v1:"
aesCBCTransformerPrefixV1 = "k8s:enc:aescbc:v1:"
aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:"
secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1:"
kmsTransformerPrefixV1 = "k8s:enc:kms:v1:"
)
// GetTransformerOverrides returns the transformer overrides by reading and parsing the encryption provider configuration file
@ -163,19 +162,7 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
if pluginFound == false {
return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name)
}
transformer, err = getEnvelopePrefixTransformer(provider.KMS.CoreKMSConfig, envelopeService, kmsTransformerPrefixV1)
found = true
}
if provider.CloudProvidedKMS != nil {
if found == true {
return nil, fmt.Errorf("more than one provider specified in a single element, should split into different list elements")
}
envelopeService, err := KMSPluginRegistry.getCloudProvidedPlugin(provider.CloudProvidedKMS.Name)
if err != nil {
return nil, fmt.Errorf("could not configure Cloud-Provided KMS plugin %q, %v", provider.CloudProvidedKMS.Name, err)
}
transformer, err = getEnvelopePrefixTransformer(provider.CloudProvidedKMS.CoreKMSConfig, envelopeService, cloudProvidedKMSTransformerPrefixV1)
transformer, err = getEnvelopePrefixTransformer(provider.KMS, envelopeService, kmsTransformerPrefixV1)
found = true
}
@ -296,7 +283,7 @@ func GetSecretboxPrefixTransformer(config *SecretboxConfig) (value.PrefixTransfo
// getEnvelopePrefixTransformer returns a prefix transformer from the provided config.
// envelopeService is used as the root of trust.
func getEnvelopePrefixTransformer(config *CoreKMSConfig, envelopeService envelope.Service, prefix string) (value.PrefixTransformer, error) {
func getEnvelopePrefixTransformer(config *KMSConfig, envelopeService envelope.Service, prefix string) (value.PrefixTransformer, error) {
envelopeTransformer, err := envelope.NewEnvelopeTransformer(envelopeService, config.CacheSize, aestransformer.NewCBCTransformer)
if err != nil {
return value.PrefixTransformer{}, err

66
pkg/server/options/encryptionconfig/encryptionconfig_test.go
View File

@ -58,9 +58,6 @@ resources:
name: testprovider
configfile: testproviderconfig
cachesize: 10
- cloudprovidedkms:
name: testprovider
cachesize: 10
- aescbc:
keys:
- name: key1
@ -100,9 +97,6 @@ resources:
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- cloudprovidedkms:
name: testprovider
cachesize: 10
- identity: {}
`
@ -124,9 +118,6 @@ resources:
configfile: testproviderconfig
cachesize: 10
- identity: {}
- cloudprovidedkms:
name: testprovider
cachesize: 10
- secretbox:
keys:
- name: key1
@ -150,9 +141,6 @@ resources:
keys:
- name: key1
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
- cloudprovidedkms:
name: testprovider
cachesize: 10
- aescbc:
keys:
- name: key1
@ -194,45 +182,6 @@ resources:
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- identity: {}
- cloudprovidedkms:
name: testprovider
cachesize: 10
- aesgcm:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
`
correctConfigWithCloudProvidedKMSFirst = `
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- cloudprovidedkms:
name: testprovider
cachesize: 10
- kms:
name: testprovider
configfile: testproviderconfig
cachesize: 10
- secretbox:
keys:
- name: key1
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
- aescbc:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- identity: {}
- cloudprovidedkms:
name: testprovider
cachesize: 10
- aesgcm:
keys:
- name: key1
@ -300,15 +249,9 @@ var _ envelope.Service = &testEnvelopeService{}
func TestEncryptionProviderConfigCorrect(t *testing.T) {
os.OpenFile(testEnvelopeServiceConfigPath, os.O_CREATE, 0666)
defer os.Remove(testEnvelopeServiceConfigPath)
KMSPluginRegistry.Register(testEnvelopeServiceProviderName, func(config io.Reader) (envelope.Service, error) {
KMSPluginRegistry.Register(testEnvelopeServiceProviderName, func(_ io.Reader) (envelope.Service, error) {
return &testEnvelopeService{}, nil
})
KMSPluginRegistry.RegisterCloudProvidedKMSPlugin(func(name string) (envelope.Service, error) {
if name == testEnvelopeServiceProviderName {
return &testEnvelopeService{}, nil
}
return nil, fmt.Errorf("no such cloud provided KMS plugin registered: %q", name)
})
// Creates compound/prefix transformers with different ordering of available transformers.
// Transforms data using one of them, and tries to untransform using the others.
@ -338,18 +281,12 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithKMSFirst)
}
cloudProvidedKMSFirstTransformerOverrides, err := ParseEncryptionConfiguration(strings.NewReader(correctConfigWithCloudProvidedKMSFirst))
if err != nil {
t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithCloudProvidedKMSFirst)
}
// Pick the transformer for any of the returned resources.
identityFirstTransformer := identityFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
aesGcmFirstTransformer := aesGcmFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
aesCbcFirstTransformer := aesCbcFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
secretboxFirstTransformer := secretboxFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
kmsFirstTransformer := kmsFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
cloudProvidedKMSFirstTransformer := cloudProvidedKMSFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
context := value.DefaultContext([]byte(sampleContextText))
originalText := []byte(sampleText)
@ -363,7 +300,6 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
{secretboxFirstTransformer, "secretboxFirst"},
{identityFirstTransformer, "identityFirst"},
{kmsFirstTransformer, "kmsFirst"},
{cloudProvidedKMSFirstTransformer, "cloudProvidedKMSFirst"},
}
for _, testCase := range transformers {

26
pkg/server/options/encryptionconfig/plugins.go
View File

@ -18,7 +18,6 @@ package encryptionconfig
import (
"bytes"
"fmt"
"io"
"io/ioutil"
"reflect"
@ -35,13 +34,10 @@ import (
// the parameter is nil.
type Factory func(config io.Reader) (envelope.Service, error)
type cloudKMSFactory func(name string) (envelope.Service, error)
// KMSPlugins contains all registered KMS options.
type KMSPlugins struct {
lock sync.RWMutex
registry map[string]Factory
cloudKMS cloudKMSFactory
}
var (
@ -59,7 +55,8 @@ var (
type PluginEnabledFunc func(name string, config io.Reader) bool
// Register registers a plugin Factory by name. This
// is expected to happen during app startup.
// is expected to happen during app startup. It does not allow
// registering a plugin by the same name twice.
func (ps *KMSPlugins) Register(name string, plugin Factory) {
ps.lock.Lock()
defer ps.lock.Unlock()
@ -69,15 +66,10 @@ func (ps *KMSPlugins) Register(name string, plugin Factory) {
}
if found {
glog.Fatalf("KMS plugin %q was registered twice", name)
} else {
ps.registry[name] = plugin
glog.V(1).Infof("Registered KMS plugin %q", name)
}
glog.V(1).Infof("Registered KMS plugin %q", name)
ps.registry[name] = plugin
}
// RegisterCloudProvidedKMSPlugin registers the cloud's KMS provider as
// an envelope.Service. This service is provided by the cloudprovider interface.
func (ps *KMSPlugins) RegisterCloudProvidedKMSPlugin(cloudKMSGetter cloudKMSFactory) {
ps.cloudKMS = cloudKMSGetter
}
// getPlugin creates an instance of the named plugin. It returns `false` if the
@ -111,14 +103,6 @@ func (ps *KMSPlugins) fetchPluginFromRegistry(name string) (Factory, bool) {
return f, found
}
// getCloudProvidedPlugin creates an instance of the named cloud provided KMS plugin.
func (ps *KMSPlugins) getCloudProvidedPlugin(name string) (envelope.Service, error) {
if ps.cloudKMS == nil {
return nil, fmt.Errorf("no cloud registered for KMS plugins")
}
return ps.cloudKMS(name)
}
// splitStream reads the stream bytes and constructs two copies of it.
func splitStream(config io.Reader) (io.Reader, io.Reader, error) {
if config == nil || reflect.ValueOf(config).IsNil() {

18
pkg/server/options/encryptionconfig/types.go
View File

@ -47,9 +47,6 @@ type ProviderConfig struct {
Identity *IdentityConfig `json:"identity,omitempty"`
// kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.
KMS *KMSConfig `json:"kms,omitempty"`
// cloudProvidedKMSConfig contains the name and cache size for a KMS based envelope transformer which uses
// the KMS provided by the cloud.
CloudProvidedKMS *CloudProvidedKMSConfig `json:"cloudprovidedkms,omitempty"`
}
// AESConfig contains the API configuration for an AES transformer.
@ -77,24 +74,13 @@ type Key struct {
// IdentityConfig is an empty struct to allow identity transformer in provider configuration.
type IdentityConfig struct{}
// CoreKMSConfig contains the name and cache sized for a KMS based envelope transformer.
type CoreKMSConfig struct {
// KMSConfig contains the name, cache size and path to configuration file for a KMS based envelope transformer.
type KMSConfig struct {
// name is the name of the KMS plugin to be used.
Name string `json:"name"`
// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
// +optional
CacheSize int `json:"cachesize,omitempty"`
}
// KMSConfig contains the name, cache size and path to configuration file for a KMS based envelope transformer.
type KMSConfig struct {
*CoreKMSConfig
// configfile is the path to the configuration file for the named KMS provider.
ConfigFile string `json:"configfile"`
}
// CloudProvidedKMSConfig contains the name and cache size for a KMS based envelope transformer which uses
// the KMS provided by the cloud.
type CloudProvidedKMSConfig struct {
*CoreKMSConfig
}