OpenShift Container Platform (OCP) Strategy
OCPSTRAT-108

[TP] Support Kube KMS Integration in OCP (User-Provided)


    • Product / Portfolio Work
    • OCPSTRAT-1782: OpenShift integration with external secret managers (Vault)
    • Color Status: Green
    • Status Summary:
      • The team has reduced scope and is attempting to make a dev preview version available in the 4.21 timeframe.
      • That new effort is being tracked at https://issues.redhat.com/browse/OCPSTRAT-2598
      • The tech preview release is moving to 4.22.
    • Risks:
      • n/a

      Feature Overview

      This feature aims to enable OCP customers to integrate third-party KMS solutions for encrypting etcd values at rest, following the upstream Kubernetes KMS provider documentation:

      https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

      Goals

      • Bring the KMS v2 API to beta/stable level
      • Create/expose mechanisms for customers to plug in containers/operators that can serve the API server's needs (can it be an operator, something provided via CoreOS layering, or a vanilla container spec provided to the API server operator?)
      • Provide a similar UX across self-hosted, HyperShift and SNO scenarios
      • Provide an example container/operator for the mechanism

      General Prioritization for the Feature

      1. Approved design for detection and actuation for stand-alone OCP clusters.
        1. How to detect a problem such as an expired/lost key or loss of contact with the KMS provider?
        2. How to inform/notify about the situation, including at node level
      2. Tech Preview (Feature gated) enabling Kube-KMS v2 for partners to start working on KMS plugin provider integrations:
        1. Cloud: (priority Azure > AWS > Google)
          1. Azure KMS
          2. Azure Dedicated HSM
          3. AWS KMS
          4. AWS CloudHSM
          5. Google Cloud HSM
        2. On-premise:
          1. HashiCorp Vault
          2. EU FSI & EU Telco KMS/HSM top-2 providers
      3. GA after at least one stable KMS plugin provider

              racedoro@redhat.com Ramon Acedo