Hello 👋🏻
As part of Kubernetes 1.25 enhancement we (sig-auth kms wg) are proposing a new v2alpha1 KeyManagementService service contract to:
- enable fully automated key rotation for the latest key
- improve KMS plugin health check reliability
- improve observability of envelop operations between kube-apiserver, KMS plugins and KMS
This is the doc that documents the limitations with the current KMS v1 API.
In addition, we are also proposing a SIG-Auth maintained KMS plugin reference implementation. This implementation will support a key hierarchy design that implements the v2alpha1 API and will serve as a baseline that provides:
- improve readiness times for clusters with a large number of encrypted resources
- reduce the likelihood of hitting the external KMS request rate limit
- metrics and tracing support
We have a KEP open for this proposal that details the changes and design: kubernetes/enhancements#3302
Call to action
We are looking for feedback on the proposed changes in the KEP from all the plugin authors who are currently using the KMS v1 API. Please review the proposal and comment on the PR if there are any questions/concerns with the proposed design.
Hello 👋🏻
As part of Kubernetes 1.25 enhancement we (sig-auth kms wg) are proposing a new v2alpha1
KeyManagementServiceservice contract to:This is the doc that documents the limitations with the current KMS v1 API.
In addition, we are also proposing a SIG-Auth maintained KMS plugin reference implementation. This implementation will support a key hierarchy design that implements the v2alpha1 API and will serve as a baseline that provides:
We have a KEP open for this proposal that details the changes and design: kubernetes/enhancements#3302
Call to action
We are looking for feedback on the proposed changes in the KEP from all the plugin authors who are currently using the KMS v1 API. Please review the proposal and comment on the PR if there are any questions/concerns with the proposed design.