Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-108

[TP] Support Kube KMS Integration in OCP (User-Provided)

XMLWordPrintable

    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • 33% To Do, 33% In Progress, 33% Done
    • 0
    • Program Call

      Feature Overview

      This feature aims to enable customers of OCP to integrate 3rd party KMS solutions for encrypting etcd values at rest in accordance with:

      https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

      Goals

      • Bring KMS v2 API to beta|stable level
      • Create/expose mechanisms for customers to plug in containers/operators which can serve the API server's needs (can it be an operator, something provided via CoreOS layering, vanilla container spec provided to API server operator?)
      • Provide similar UX experience for all of self-hosted, hypershift, SNO scenarios
      • Provide example container/operator for the mechanism

      General Prioritization for the Feature

      1. Approved design for detection & actuation for stand-alone OCP clusters.
        1. How to detect a problem like an expired/lost key and no contact with the KMS provider?
        2. How to inform/notify the situation, even at node level, of the situation
      2. Tech Preview (Feature gated) enabling Kube-KMS v2 for partners to start working on KMS plugin provider integrations:
        1. Cloud: (priority Azure > AWS > Google)
          1. Azure KMS
          2. Azure Dedicated HSM
          3. AWS KMS
          4. AWS CloudHSM
          5. Google Cloud HSM
        2. On-premise:
          1. HashiCorp Vault
          2. EU FSI & EU Telco KMS/HSM top-2 providers
      3. GA after at least one stable KMS plugin provider

            racedoro@redhat.com Ramon Acedo
            scuppett@redhat.com Stephen Cuppett
            Amy Fredj, Anjali Telang, Maria Simon Marcos
            Andrea Hoffer Andrea Hoffer
            David Eads David Eads
            Votes:
            5 Vote for this issue
            Watchers:
            32 Start watching this issue

              Created:
              Updated: