Update key rotation guidelines for encryption at rest #39747
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
the
sig/docs
|
/sig security |
k8s-ci-robot
added
the
sig/security
|
Hi. Please rebase this PR against main - there was a breaking change to our CVE feed. |
| The smallest power of 2 for which this equation is satified is $2^{32}$ | ||
|
|
||
| $$1-e^{-\frac{2^{32}}{2^{97}}} \approx 1.164\times{10}^{-10} \leq \frac{1}{2^{32}} \approx 2.32\times{10}^{-10} \leq 1-e^{-\frac{2^{33}}{2^{97}}} \approx 4.656\times{10}^{-10}$$ |
There was a problem hiding this comment.
I tried to solve the formula with k as the unknown and find its value based on p(k) <= 2^32, but couldn't get the result I wanted.
For the record, the logic to solve the birthday paradox with that kind of equation is explained in https://en.wikipedia.org/wiki/Birthday_problem under An upper bound on the probability and a lower bound on the number of people.
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site settings. |
|
@sftim the math formulas are broken in the preview, do you know how I can fix them? |
We don't support maths formulas. Consider filing a feature request (label it area/web-development)? I don't think enabling these should be hard, as upstream Docsy does have support. |
|
Could you point me to the part of the code I need to modify to support that? I might as well add the feature, while I am at it |
I'm afraid I haven't looked. Try https://www.google.com/search?q="docsy"+math+support |
|
I meant on the k/website side. But I can try to find my way in the repo. |
|
Found it, I will update the PR, thanks for pointing out to docsy |
dgrisonnet
force-pushed
the
aesgcm
branch
2 times, most recently
from
125aeb2
to
4c6e33b
Compare
|
@sftim adding support for scientific formulas is a bit more complex than what I had anticipated. I originally tried enabling KaTeX in config.toml following this docsy documentation: https://www.docsy.dev/docs/adding-content/diagrams-and-formulae/, but for some reasons it didn't work for Kubernetes. I tried on a brand new hugo website and following the steps from the doc worked as expected, so it seems to be specific to Kubernetes. The first thing I noticed is that the website is using an old version of docsy and KaTeX format as changed a bit since then. Here the correct doc for what we are trying to achieve: https://github.com/google/docsy/blob/v0.2.0/userguide/content/en/docs/Adding%20content/diagrams-and-formulae/index.md. But even when following this v0.2.0 doc, the formulas weren't rendered properly and there wasn't any logs/info in the web console that I could help my investigation. While looking into that, I also noticed that Kubernetes website supports So I tried my chance at configuring mermaid via docsy to see if my problem was specific to katex. However after following the doc and enabling mermaid in config.toml. I was greeted by a webpage not rendereding the diagram and the following error in the console: Uncaught ReferenceError: mermaid is not defined
at main.js:197:25
at main.js:200:3197: var settings = norm(mermaid.mermaidAPI.defaultConfig, params);From that observation, my current theory is that enabling docsy plugins such as katex and mermaid in the main config.toml doesn't work in Kubernetes' website special case because the pieces of JS that should be imported in the web pages are not. Do you perhaps have any idea what could cause a conflict that would prevent importing these libraries? As a temporary solution, would it perhaps make sense to create a new shortcode for katex similarly to what we are already doing for mermaid? |
|
The Mermaid bug is #31960 Perhaps we can omit the formulas for this PR and open another PR to add those details as a follow-up? |
👍 it seems a bit different than what I experienced with katex, but the issue might be related.
I am not a fan of omitting the formulas since the goal of this PR is to update the numbers and be transparent about them. Would replacing the raw formulas by screenshots of the markdown rendering be considered good enough for now? |
|
Try using SVG. Did you file an issue about adding support for maths? If not, please do that! |
|
Not yet since I wanted to solve it myself but it turns out to be a bit too complex. I'll do that once I've updated this PR. |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
size/M
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/L
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
k8s-ci-robot
removed
the
needs-rebase
|
/retest |
|
I fixed the rendering of the scientific formulas. The latest version of the doc can be found at https://deploy-preview-39747--kubernetes-io-main-staging.netlify.app/docs/tasks/administer-cluster/encrypt-data/. |
|
Thanks for getting this PR ready. Overall, this information about cryptoperiod is not directly part of the task, and there's enough of it that I think we've passed a threshold. I recommend making a new reference page and moving two things there from the existing task page:
That will keep the task page focused on the task. It's OK to retain a summary of the providers in the task page; in fact I recommend it. The URL of the new page could be https://kubernetes.io/docs/reference/encryption/at-rest-api/ |
k8s-ci-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@dgrisonnet we'd like to have these changes, if you've got the capacity to update given the v1.27 release |
|
A couple of things piled up, but I'll try to finish that work asap |
|
/assign @enj @smarterclayton could you review this when you get a chance? |
|
@dgrisonnet , |
|
Hello @dgrisonnet , we'd like to see this change merged. Would you have the capacity to work on this PR? Please let us know by 25th August, 2023, failing which we shall be closing the PR. |
|
Hi @divya-mohan0209, thank you for the reminder, I'll try to work on it again in the upcoming weeks. |
|
Thank you for confirming @dgrisonnet |
|
Hi @dgrisonnet , do you have some time to rebase this PR as there is a merge conflict. |
|
Hi @dgrisonnet . |
|
@kbhawkey: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Add general guidelines for keys rotations and update the write-based requirements for
aesgcmfrom200 000to2^32. In addition to that, the documentation now includes a complete explanation of the logic behind these numbers.Fixes #39477