content/en/blog/_posts/2022-08-03-kms-v2-alpha.md
4 additions & 4 deletions
@@ -1,8 +1,8 @@
1
-
# Kubernetes 1.25: KMS v2 Improvements
1
+
# Kubernetes v1.25: KMS v2 Improvements
2
2
3
3
**Authors:** Anish Ramasekar, Rita Zhang, Mo Khan, and Xander Grzywinski (Microsoft)
4
4
5
-
With Kubernetes 1.25, we are introducing a new `v2alpha1` version of the Key Management Service (KMS) API. There are a lot of improvements in the works, and we're excited to be able to launch the alpha version with Kubernetes 1.25!
5
+
With Kubernetes v1.25, we are introducing a new `v2alpha1` version of the Key Management Service (KMS) API. There are a lot of improvements in the works, and we're excited to be able to start down the path of a new and improved KMS!
6
6
7
7
## What is KMS?
8
8
One of the first things to consider when securing a Kubernetes cluster is encrypting etcd data at rest. KMS provides an interface for a provider to utilize a key stored in an external key service to perform this encryption.
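Review bot: the H1 edit on line 1 (`# Kubernetes 1.25: KMS v2 Improvements` to `# Kubernetes v1.25: KMS v2 Improvements`) also changes the heading's generated anchor, so verify that no other page or in-post link points at the old fragment before merging. The `v` prefix is applied to both changed lines in this hunk and matches the other hunks, which is good. The rewritten tail of line 5 replaces the concrete "launch the alpha version with Kubernetes 1.25" with the softer "start down the path of a new and improved KMS"; the first clause still names `v2alpha1` and v1.25, so the release status survives, but consider keeping the word "alpha" in the closing clause so a reader skimming the opening paragraph does not miss that this is an alpha API.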
@@ -17,7 +17,7 @@ While the original v1 implementation has been successful in helping Kubernetes u
17
17
1.**Health Check & Status:** Today the `kube-apiserver` uses encrypt and decrypt calls as a proxy to determine if the KMS plugin is healthy. These operations cost money with cloud services, and do not provide a holistic view of the service's health.
18
18
1.**Observability:** Without some kind of trace ID, it's currently difficult to correlate events found in the various logs across `kube-apiserver`, KMS, and KMS plugins.
19
19
20
-
The KMS v2 enhancement attempts to address all of these shortcomings (not all planned features are implemented in the initial alpha release in Kubernetes 1.25):
20
+
The KMS v2 enhancement attempts to address all of these shortcomings (not all planned features are implemented in the initial alpha release in Kubernetes v1.25):
21
21
22
22
1. Support KMS plugins that use a key hierarchy to reduce network requests made to the remote vault. To learn more, check out the [details for how a KMS plugin can leverage key hierarchy](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements#key-hierachy).
23
23
1. Extra metadata is now tracked to allow a KMS plugin to communicate what key it is currently using with the `kube-apiserver`, allowing for rotation without API server restart. Data stored in etcd follows a more standard proto format to allow external tools to observe its state. To learn more, check out the [details for metadata](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements#metadata).
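Review bot: the only change in this hunk is the `1.25` to `v1.25` prefix on line 20, consistent with the first hunk; while this section is being touched, two things in the unchanged context deserve a fix in the same pass. Lines 17 and 18 appear as `1.**Health Check & Status:**` and `1.**Observability:**` with no space between the list marker and the bold text, which Markdown will not render as list items (compare line 22, `1. Support KMS plugins`, which has the space). The KEP link on line 22 ends in the fragment `#key-hierachy` (missing an `r`); check it against the heading anchor that the KEP README actually generates and correct it if the link does not resolve.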
@@ -76,7 +76,7 @@ sequenceDiagram
76
76
```
77
77
78
78
## What’s next?
79
-
For Kubernetes 1.26, we plan to ship another alpha version. As of right now, the alpha API will be ready to be used by KMS plugin authors. We plan to include a reference plugin implementation with the next release, and you'll be able to try out the feature at that time.
79
+
For Kubernetes v1.26, we plan to ship another alpha version. As of right now, the alpha API will be ready to be used by KMS plugin authors. We plan to include a reference plugin implementation with the next release, and you'll be able to try out the feature at that time.
80
80
81
81
You can learn more about KMS v2 by reading the [kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/). You can also follow along on the [KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/3299-kms-v2-improvements/README.md) to track progress across the coming Kubernetes releases.
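Review bot: the `1.26` to `v1.26` change on line 79 follows the convention adopted in the other hunks. Since this sentence is being edited anyway, the next clause, "As of right now, the alpha API will be ready to be used by KMS plugin authors", mixes present and future tense; "As of right now, the alpha API is ready to be used by KMS plugin authors" (or dropping "As of right now") reads cleanly. In the unchanged line 81, "kubernetes documentation" should be "Kubernetes documentation" to match the capitalization used everywhere else in the post.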