Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-2598

[DP] Support Kube KMS Integration in OCP (User-Provided)

XMLWordPrintable

    • Product / Portfolio Work
    • OCPSTRAT-1782OpenShift integration with external secret managers (Vault)
    • Hide
      • Color Status: Yellow
      • Status Summary:
        • The team has attempted to slim down the feature effort so that it is just a very limited release that can be used to preview encryption and has resulted in this feature being added
      • Risks:
        • Still questions about whether this can feasibly work end to end given the very limited timeframe that our engineering team has available ahead of feature branch
      Show
      Color Status: Yellow Status Summary: The team has attempted to slim down the feature effort so that it is just a very limited release that can be used to preview encryption and has resulted in this feature being added Risks: Still questions about whether this can feasibly work end to end given the very limited timeframe that our engineering team has available ahead of feature branch
    • False
    • Hide

      None

      Show
      None
    • False
    • None
    • None
    • None
    • None
    • None

      Feature Overview

      This feature aims to enable customers of OCP to integrate 3rd party KMS solutions for encrypting etcd values at rest in accordance with:

      https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

      This feature tracks a DEV PREVIEW release, ahead of tech preview.

      Goals

      • Bring KMS v2 API to beta|stable level
      • Create/expose mechanisms for customers to plug in containers/operators which can serve the API server's needs (can it be an operator, something provided via CoreOS layering, vanilla container spec provided to API server operator?)
      • Provide similar UX experience for all of self-hosted, hypershift, SNO scenarios
      • Provide example container/operator for the mechanism

      General Prioritization for the Feature

      1. Approved design for detection & actuation for stand-alone OCP clusters.
        1. How to detect a problem like an expired/lost key and no contact with the KMS provider?
        2. How to inform/notify the situation, even at node level, of the situation
      2. Tech Preview (Feature gated) enabling Kube-KMS v2 for partners to start working on KMS plugin provider integrations:
        1. Cloud: (priority Azure > AWS > Google)
          1. Azure KMS
          2. Azure Dedicated HSM
          3. AWS KMS
          4. AWS CloudHSM
          5. Google Cloud HSM
        2. On-premise:
          1. HashiCorp Vault
          2. EU FSI & EU Telco KMS/HSM top-2 providers
      3. GA after at least one stable KMS plugin provider

              krizza@redhat.com Kevin Rizza
              racedoro@redhat.com Ramon Acedo
              None
              Anjali Telang
              Flavian Missi Flavian Missi
              Rahul Gangwar Rahul Gangwar
              Andrea Hoffer Andrea Hoffer
              Kyle Walker Kyle Walker
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: