kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,522 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

27 Commits

Author SHA1 Message Date
Anish Ramasekar 225e26ac4a Implement KMS v2alpha1 
- add feature gate
- add encrypted object and run generated_files
- generate protobuf for encrypted object and add unit tests
- move parse endpoint to util and refactor
- refactor interface and remove unused interceptor
- add protobuf generate to update-generated-kms.sh
- add integration tests
- add defaulting for apiVersion in kmsConfiguration
- handle v1/v2 and default in encryption config parsing
- move metrics to own pkg and reuse for v2
- use Marshal and Unmarshal instead of serializer
- add context for all service methods
- check version and keyid for healthz

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: f19f3f409938ff9ac8a61966e47fbe9c6075ec90
 2022-06-29 20:51:35 +00:00
Anish Ramasekar 8ab3aa3011 feat:(kms) encrypt data with DEK using AES-GCM instead of AES-CBC 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: d54631a41a869f7a28d82fcab2e174ee85879027
 2022-07-13 17:14:50 +00:00
Anish Ramasekar e442eafb33 feat: prepare KMS data encryption for migration to AES-GCM 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Co-authored-by: Monis Khan <mok@vmware.com>
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 90b42f91fd904b71fd52ca9ae55a5de73e6b779a
 2022-03-16 17:54:10 +00:00
Anish Ramasekar 1e3c9bfcdb fix typo in kms encryption config logs 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 63295a126e316fb7b8630dbc57e98041e747cbed
 2021-09-16 18:18:59 +00:00
Stefan Bueringer c8433b21e4 fix staticcheck: vendor/k8s.io/apiserver/pkg/server 
Kubernetes-commit: ed0adcb65e92198177bf23db97807b3312d6be29
 2020-11-17 11:58:13 +01:00
immutablet 209aff3d4b Hide methods in the encryption config that are not used outside the package. 
Kubernetes-commit: 922e0bfaec0a8b25fdb04e559ac454c416f8c2e8
 2020-03-05 16:54:27 -08:00
Shihang Zhang 6207833539 ping kmsplugin gentely when in good state 
Change-Id: I50ce249d7996e5c51dcbb00e53d67300aa72a87f

Kubernetes-commit: c084d57b18a7c90c14bc13dc2daa256e84037a74
 2019-12-02 16:38:03 -08:00
immutablet 5cec6b4746 Add defaulting logic for EncryptionConfiguration. 
Kubernetes-commit: a151aa35dc21881d178e498141e5f58df13fb400
 2019-11-14 22:53:18 -08:00
mengyang02 0da8f30350 replace time.Now().Sub with time.Since 
Kubernetes-commit: 0205215425607a7a390eaa6493033511626bb189
 2019-09-03 20:43:32 +08:00
Han Kang 2b0c93afef rename healthz methodNames to be more consistent w/ present day usages 
Kubernetes-commit: 2e23788fda86c68e7f17cf0b66ee1017594c1055
 2019-08-13 12:42:13 -07:00
immutablet 5faffb9123 Allow kube-apiserver to test the status of kms-plugin. 
Kubernetes-commit: 05fdbb201ffbaff4e92f0899f9e2ca038febb88d
 2019-05-30 11:15:35 -07:00
immutableT 9c474d9c53 require timeout to be greater than zero. 
add unit test to cover timeout behaviour.

Kubernetes-commit: 39aca564749cd92ed1cfec7129eb3f6593549137
 2019-01-04 17:06:07 -08:00
immutableT d9414ee2ab Expose kms timeout value via encryption config. 
Kubernetes-commit: a4dc53cfeb91ee07cedcc6959e88e30cb0c3cca8
 2019-01-03 14:26:57 -08:00
Slava Semushin e2bc8e4617 Introduce kubeapiserver.config.k8s.io/v1 with EncryptionConfiguration and use a standard method for parsing config file. 
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>

Kubernetes-commit: c21cb548e6c7d4ab019fce8a35c9b99c035c2071
 2018-05-02 18:21:38 +02:00
Davanum Srinivas 032ec9d79b Switch to sigs.k8s.io/yaml from ghodss/yaml 
Change-Id: Ic72b5131bf441d159012d67a6a3d87088d0e6d31

Kubernetes-commit: 43f523d405b012fa8d90dd95b667f520e036f6bc
 2018-11-02 16:41:57 -04:00
immutablet e9bce895cf Lazily dial kms-plugin. 
Kubernetes-commit: 07cbf2545f705d0448631f479a18d0b86b7055dc
 2018-09-12 14:56:44 -07:00
Wu Qiang be4ee1ba37 Remove configfile for kms in encryption config 
Kubernetes-commit: 5ae61ed386e3fbc3b7e91d343afadadd52ac027d
 2018-01-26 11:53:24 +00:00
Wu Qiang 580a800cad Only support unix socket for kms gRPC, also add Version method 
Kubernetes-commit: a6368bb04c1100d1dce1c6bf680056882835b395
 2017-12-18 09:29:56 +00:00
Wu Qiang e4061faec3 Fix verify error and address review comments 
Signed-off-by: Wu Qiang <qiang.q.wu@oracle.com>

Kubernetes-commit: 16b04d68b1ae180d61ea4ca06d1c8139c25a652f
 2017-11-15 11:20:12 +08:00
Wu Qiang dbe35e5c4e Update kms provider config for gRPC client service 
Kubernetes-commit: 31fb539f1735debd38e705fcb96a05ea0313c5f5
 2017-11-14 09:05:52 +00:00
Saksham Sharma b9e05868ba Unify cloudprovided and normal KMS plugins 
Kubernetes-commit: 6a4afc897c2ed4fb80f1b6121a06f86bc8095cd8
 2017-09-01 16:37:07 +00:00
Saksham Sharma fe5fc30248 Add cloudprovidedkms provider support 
Kubernetes-commit: 68a32c06b4d69970ac2489ff5177d5703ca604cd
 2017-08-01 23:56:38 +00:00
Saksham Sharma c75b59c1cd Add KMS plugin registry 
Kubernetes-commit: 49989439d7dab525d22b73936d533ae736b50491
 2017-08-01 23:56:38 +00:00
Slava Semushin a2a05bd86f ParseEncryptionConfiguration: simplify code. 
Also improves function name in godoc and many error messages.

Kubernetes-commit: bf51722ffbfa5521b8c516b8751435f004aacacf
 2017-07-28 13:56:11 +00:00
Saksham Sharma 205eddae2b Fix typo in secretbox transformer prefix 
Kubernetes-commit: 2c820c205073ec96acf8c0cf140db2381f377425
 2017-06-15 22:11:39 +00:00
Saksham Sharma f1876a2211 Add configuration for AESCBC, Secretbox encryption 
Add tests for new transformers

Kubernetes-commit: 13073407422c62ee2131968060c85ce8b6488de4
 2017-06-13 20:47:32 +00:00
Saksham Sharma 0b1c13686c Add configuration options for encryption providers 
Add location transformer, config for transformers

Location transformer helps choose the most specific transformer for
read/write operations depending on the path of resource being accessed.

Configuration allows use of --experimental-encryption-provider-config
to set up encryption providers. Only AEAD is supported at the moment.

Add new files to BUILD, AEAD => k8s-aes-gcm

Use group resources to select encryption provider

Update tests for configuration parsing

Remove location transformer

Allow specifying providers per resource group in configuration

Add IdentityTransformer configuration option

Fix minor issues with initial AEAD implementation

Unified parsing of all configurations

Parse configuration using a union struct

Run configuration parsing in APIserver, refactor parsing

More gdoc, fix minor bugs

Add test coverage for combined transformers

Use table driven tests for encryptionconfig

Kubernetes-commit: 9760d00d08ef0619e30a7b1b90fd290cab960069
 2017-06-13 20:47:30 +00:00