[GA] Support Kube KMS Integration in OCP (User-Provided)

Issue type: Product / Portfolio Work
Linked issue: OCPSTRAT-1782 OpenShift integration with external secret managers (Vault)

Feature Overview

This feature aims to enable OCP customers to integrate third-party KMS solutions for encrypting etcd values at rest, in accordance with https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

This feature takes the capability to GA following the Tech Preview released with OCPSTRAT-108.

OpenShift Enhancement

https://github.com/openshift/enhancements/pull/1872

Goals

• Adopt KMS v2 Plugin Interface: Implement the feature using the Kubernetes KMS v2 protocol only.
• Automatically deploy, monitor, and manage the lifecycle of the necessary KMS plugin pods that connect the OpenShift API server to the external Key Management Service (KMS).
• Expose User Interface: Extend the APIServer configuration to be the single source of truth for KMS encryption and connection details.
• Provide a similar UX across all of the self-hosted, HyperShift, and SNO scenarios.
• Ensure Resilience: Implement mechanisms (e.g., in-memory DEK caching) so that encryption and decryption keep working during temporary KMS outages.
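For reference, this is the upstream Kubernetes EncryptionConfiguration that a KMS v2 plugin integration ultimately hands to kube-apiserver (the format described at the kms-provider page linked above). It is an added illustration, not text from this issue or from the OpenShift enhancement, and under this feature the APIServer CR is meant to be the user-facing source from which such a configuration is derived rather than something an administrator writes by hand. The plugin name, socket path and resource list are assumed placeholders.

```yaml
# Upstream kube-apiserver encryption configuration using a KMS v2 provider.
# Added example: plugin name, socket path and resource list are assumed.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      # The first provider encrypts every new write; all listed providers are
      # tried, in order, when reading, so ordering is security-relevant.
      - kms:
          apiVersion: v2                                   # KMS v2 protocol only; v1 is not used
          name: example-kms-plugin                         # assumed; must stay stable once data is written with it
          endpoint: unix:///var/run/kmsplugin/socket.sock  # assumed path; gRPC over a local Unix socket to the plugin pod
          timeout: 3s                                      # optional; v2 has no cachesize field (DEK caching is handled by the API server)
      # identity (plaintext) listed LAST: keeps resources written before
      # encryption was enabled readable. After a storage migration has
      # re-encrypted everything, this entry should be removed.
      - identity: {}
```

Two checks worth making on any such configuration: the kms entry must precede identity, otherwise new writes go to etcd in plaintext; and the plugin name must not change after data has been written with it, since stored values are tagged with it and would become undecryptable.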

General Prioritization for the Feature

1. KMS plugins management:
   Automatically deploy, monitor, and manage the lifecycle of the necessary KMS plugin pods to establish communication between the OpenShift API server and the external Key Management Service (KMS).
2. Approved design for detection & actuation for stand-alone OCP clusters.
   1. Monitor KMS State: Provide users with the means to monitor the state of the KMS plugins and the KMS itself.
   2. Report Status Clearly: Surface KMS plugin status and key rotation progress via Conditions in the APIServer CR's Status.
3. GA with the following providers

People: Ramon Acedo (racedoro@redhat.com); Amy Fredj, Anjali Telang; Rahul Gangwar; Courtney Bippley; Kyle Walker
Votes: 1
Watchers: 12