Library for writing a Kubernetes-style API server.
Kubernetes Publisher a8a9cf8e45 Merge pull request #48574 from sakshamsharma/kms-transformer
Automatic merge from submit-queue

Add Google cloud KMS service for envelope encryption transformer

This adds the required pieces which will allow addition of KMS-based encryption providers (envelope transformer).

For now, we will be implementing it using Google Cloud KMS, but the code should make it easy to add support for any other such provider which can expose Decrypt and Encrypt calls.

Writing tests for Google Cloud KMS Service may add significant overhead to the testing framework. It has been tested locally and on GKE, though.

Upcoming after this PR:
* Complete implementation of the envelope transformer, which uses an LRU cache to maintain decrypted DEKs in memory.
* Track key version to assist in data re-encryption after a KEK rotation.

Development branch containing the changes described above: https://github.com/sakshamsharma/kubernetes/pull/4

Envelope transformer used by this PR was merged in #49350 

Concerns #48522 

Planned configuration:
```yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    - kms:
        cachesize: 100
        configfile: gcp-cloudkms.conf
        name: gcp-cloudkms
    - identity: {}
```

gcp-cloudkms.conf:
```
[GoogleCloudKMS]
    kms-location: global
    kms-keyring: google-container-engine
    kms-cryptokey: example-key
```

Kubernetes-commit: 0d17e9deb7188bc79d905cb4ef6911c0a27adc59
2017-08-29 11:11:11 -07:00
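The envelope pattern the description sketches, written out as an added example in Go. This is not code from this PR or from k8s.io/apiserver: the KMSService interface, the in-memory fakeKMS standing in for Google Cloud KMS, the envelopeTransformer with its header layout, and the LRU dekCache are all assumptions made for this illustration. It shows the three pieces the message lists: a provider that only has to expose Encrypt and Decrypt, an LRU of decrypted DEKs so the KMS is contacted once per distinct DEK rather than once per read, and the KEK version recorded in every envelope so a re-encryption pass can find data still under an old KEK after rotation.

```go
package main

import (
	"container/list"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const gcmNonce = 12 // standard AES-GCM nonce size, used for KEK and DEK operations alike

// KMSService is the provider contract the PR describes: wrap (Encrypt) and
// unwrap (Decrypt) a data-encryption key under a remote key-encryption key.
type KMSService interface {
	Encrypt(dek []byte) (wrapped []byte, kekVersion string, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// fakeKMS stands in for Google Cloud KMS (assumption: in-memory AES-GCM KEKs).
// Older KEK versions are kept so envelopes written before a Rotate still decrypt.
// Wrapped-DEK format: 1-byte KEK index, nonce, ciphertext. Call Rotate once before use.
type fakeKMS struct {
	keks  []cipher.AEAD
	Calls int // Decrypt round trips, to show the DEK cache at work
}

// Rotate installs a fresh KEK and returns its version name ("v1", "v2", ...).
func (k *fakeKMS) Rotate() string {
	raw := make([]byte, 32)
	rand.Read(raw)
	aead, _ := newAEAD(raw)
	k.keks = append(k.keks, aead)
	return fmt.Sprintf("v%d", len(k.keks))
}

func (k *fakeKMS) Encrypt(dek []byte) ([]byte, string, error) {
	idx := byte(len(k.keks) - 1)
	nonce := make([]byte, gcmNonce)
	rand.Read(nonce)
	ct := k.keks[idx].Seal(append([]byte{idx}, nonce...), nonce, dek, []byte{idx})
	return ct, fmt.Sprintf("v%d", idx+1), nil
}

func (k *fakeKMS) Decrypt(w []byte) ([]byte, error) {
	k.Calls++
	if len(w) < 1+gcmNonce || int(w[0]) >= len(k.keks) {
		return nil, errors.New("malformed wrapped DEK or unknown KEK version")
	}
	return k.keks[w[0]].Open(nil, w[1:1+gcmNonce], w[1+gcmNonce:], w[:1])
}

// dekCache is the LRU of decrypted DEKs (kept as ready AEADs) keyed by the
// wrapped-DEK bytes. Single-goroutine demo: a server-side cache needs a mutex
// around both operations. Callers only add a key after a miss, so no dedupe here.
type dekCache struct {
	max int
	ll  *list.List // front is most recently used; Value is *cacheEntry
	idx map[string]*list.Element
}

type cacheEntry struct {
	key  string
	aead cipher.AEAD
}

func (c *dekCache) get(key string) (cipher.AEAD, bool) {
	if e, ok := c.idx[key]; ok {
		c.ll.MoveToFront(e)
		return e.Value.(*cacheEntry).aead, true
	}
	return nil, false
}

func (c *dekCache) add(key string, a cipher.AEAD) {
	c.idx[key] = c.ll.PushFront(&cacheEntry{key, a})
	if c.ll.Len() > c.max { // evict the least recently used DEK
		delete(c.idx, c.ll.Remove(c.ll.Back()).(*cacheEntry).key)
	}
}

// envelopeTransformer stores: 1-byte version length, KEK version, 2-byte wrapped
// length, wrapped DEK, nonce, AES-GCM ciphertext of the object. The header is the
// AAD, so an envelope whose DEK or version field was swapped fails to open.
type envelopeTransformer struct {
	kms   KMSService
	cache dekCache
}

func newEnvelopeTransformer(kms KMSService, cacheSize int) *envelopeTransformer {
	return &envelopeTransformer{kms, dekCache{cacheSize, list.New(), map[string]*list.Element{}}}
}

func (t *envelopeTransformer) TransformToStorage(plain []byte) ([]byte, error) {
	dek := make([]byte, 32) // fresh DEK per object
	rand.Read(dek)
	wrapped, ver, err := t.kms.Encrypt(dek)
	if err == nil && (len(ver) > 255 || len(wrapped) > 0xFFFF) {
		err = errors.New("KEK version or wrapped DEK too long for the header")
	}
	if err != nil {
		return nil, err
	}
	aead, _ := newAEAD(dek) // 32-byte key: cannot fail
	hdr := append([]byte{byte(len(ver))}, ver...)
	hdr = append(append(hdr, byte(len(wrapped)>>8), byte(len(wrapped))), wrapped...)
	nonce := make([]byte, gcmNonce)
	rand.Read(nonce)
	t.cache.add(string(wrapped), aead)
	out := append(append([]byte(nil), hdr...), nonce...)
	return aead.Seal(out, nonce, plain, hdr), nil
}

// parseEnvelope returns the KEK version, wrapped DEK, header (the AAD) and body.
// A re-encryption pass after rotation reads ver alone, with no KMS call, to find
// envelopes still written under an old KEK.
func parseEnvelope(data []byte) (ver string, wrapped, hdr, body []byte, err error) {
	if len(data) < 3 || len(data) < 3+int(data[0]) {
		return "", nil, nil, nil, errors.New("envelope too short")
	}
	vl := 1 + int(data[0])
	hl := vl + 2 + int(binary.BigEndian.Uint16(data[vl:]))
	if len(data) < hl+gcmNonce {
		return "", nil, nil, nil, errors.New("envelope truncated")
	}
	return string(data[1:vl]), data[vl+2 : hl], data[:hl], data[hl:], nil
}

func (t *envelopeTransformer) TransformFromStorage(data []byte) ([]byte, error) {
	_, wrapped, hdr, body, err := parseEnvelope(data)
	if err != nil {
		return nil, err
	}
	aead, ok := t.cache.get(string(wrapped))
	if !ok { // cache miss: the one KMS round trip for this DEK
		dek, err := t.kms.Decrypt(wrapped)
		if err != nil {
			return nil, err
		}
		if aead, err = newAEAD(dek); err != nil {
			return nil, err
		}
		t.cache.add(string(wrapped), aead)
	}
	return aead.Open(nil, body[:gcmNonce], body[gcmNonce:], hdr)
}
```

Two design points worth noting. The whole header, including the KEK version string, is fed to AES-GCM as associated data, so the version cannot be edited in storage to steer a later re-encryption pass or to pair one object's ciphertext with another object's wrapped DEK. And the cache is keyed by the wrapped DEK bytes rather than by object, which is what makes the cost one KMS call per distinct DEK even when many replicas of the apiserver read the same object; the cachesize setting in the planned EncryptionConfig above bounds how many such DEKs stay in memory.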
Godeps Merge pull request #51511 from huangjiuyuan/fix-func-comment 2017-09-01 16:37:07 +00:00
hack handle resetting godep.json for resync 2017-02-23 11:14:39 -05:00
pkg Unify cloudprovided and normal KMS plugins 2017-09-01 16:37:07 +00:00
plugin/pkg remove dead code for cloner 2017-08-29 13:16:15 +00:00
vendor Merge pull request #51154 from RenaudWasTaken/gRPC-updated-1-3-0 2017-08-29 13:18:47 +00:00
.import-restrictions move pkg/auth/user to staging 2017-01-13 13:38:43 -05:00
LICENSE add readme and license 2017-01-13 13:29:55 -05:00
OWNERS Add enj as reviewer to OWNERS 2017-08-29 13:16:16 +00:00
README.md Fix typo 2017-06-12 15:48:41 -04:00

README.md

apiserver

Generic library for building a Kubernetes aggregated API server.

Purpose

This library contains code to create a Kubernetes aggregation server complete with delegated authentication and authorization, kubectl-compatible discovery information, an optional admission chain, and versioned types. Its first consumers are k8s.io/kubernetes, k8s.io/kube-aggregator, and github.com/kubernetes-incubator/service-catalog.

Compatibility

There are NO compatibility guarantees for this repository, yet. It is in direct support of Kubernetes, so branches will track Kubernetes and be compatible with that repo. As we more cleanly separate the layers, we will review the compatibility guarantee. We have a goal to make this easier to use in 2017.

Where does it come from?

apiserver is synced from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver. Code changes are made in that location, merged into k8s.io/kubernetes and later synced here.

Things you should NOT do

  1. Directly modify any files under pkg in this repo. Those are driven from k8s.io/kubernetes/staging/src/k8s.io/apiserver.
  2. Expect compatibility. This repo is changing quickly in direct support of Kubernetes and the API isn't yet stable enough for API guarantees.