Skip to content

Latest commit

 

History

History
109 lines (96 loc) · 5.38 KB

using-barbican-kms-plugin.md

File metadata and controls

109 lines (96 loc) · 5.38 KB

Table of Contents generated with DocToc

OpenStack Barbican KMS Plugin

Kubernetes supports to encrypt etcd data with various providers listed here, one of which is kms. The Kubernetes kms provider uses envelope encryption scheme. The data is encrypted using DEK's by kubernetes kms provider, DEK's are encrypted by kms plugin (e.g. barbican) using KEK. Barbican-kms-plugin uses key from barbican to encrypt/decrypt the DEK's as requested by kubernetes api server. The KMS provider uses gRPC to communicate with a specific KMS plugin.

It is recommended to read following kubernetes documents

Installation Steps

The following installation steps assumes that you have a Kubernetes cluster(v1.10+) running on OpenStack Cloud.

  1. Create 256bit(32 byte) cbc key and store in barbican
$ openstack secret order create --name k8s_key --algorithm aes --mode cbc --bit-length 256 --payload-content-type=application/octet-stream key
+----------------+-----------------------------------------------------------------------+
| Field          | Value                                                                 |
+----------------+-----------------------------------------------------------------------+
| Order href     | http://hostname:9311/v1/orders/e477a578-4a46-4c3f-b071-79e220207b0e  |
| Type           | Key                                                                  |
| Container href | N/A                                                                  |
| Secret href    | None                                                                 |
| Created        | None                                                                 |
| Status         | None                                                                 |
| Error code     | None                                                                 |
| Error message  | None                                                                 |
+----------------+----------------------------------------------------------------------+
  1. Get the Key Id, It is the uuid in Secret href
$ openstack secret order get http://hostname:9311/v1/orders/e477a578-4a46-4c3f-b071-79e220207b0e
 +----------------+-----------------------------------------------------------------------+
| Field          | Value                                                                 |
+----------------+-----------------------------------------------------------------------+
| Order href     | http://hostname:9311/v1/orders/e477a578-4a46-4c3f-b071-79e220207b0e   |
| Type           | Key                                                                   |
| Container href | N/A                                                                   |
| Secret href    | http://hostname:9311/v1/secrets/b5309dfb-b326-4148-b0ad-e9cd1ec223a8  |
| Created        | 2018-10-10T06:29:56+00:00                                             |
| Status         | ACTIVE                                                                |
| Error code     | None                                                                  |
| Error message  | None                                                                  |
+----------------+-----------------------------------------------------------------------+
  1. Add the key-id in your cloud-config file
[Global]
username = <username>
password = <password>
domain-name = <domain-name>
auth-url =  <keystone-url>
tenant-id = <project-id>
region = <region>

[KeyManager]
key-id = <key-id>
  1. Clone the cloud-provider-openstack repo and build the docker image for barbican-kms-plugin in architecture amd64
$ git clone https://github.com/kubernetes/cloud-provider-openstack.git $GOPATH/k8s.io/src/
$ cd $GOPATH/k8s.io/src/cloud-provider-openstack/
$ export ARCH=amd64
$ export VERSION=latest
$ make image-barbican-kms-plugin
  1. Run the KMS Plugin in docker container
$ docker run -d --volume=/var/lib/kms:/var/lib/kms \
--volume=/etc/kubernetes:/etc/kubernetes \
-e socketpath=/var/lib/kms/kms.sock \
-e cloudconfig=/etc/kubernetes/cloud-config \
docker.io/k8scloudprovider/barbican-kms-plugin-amd64:latest
  1. Create /etc/kubernetes/encryption-config.yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    - kms:
        name : barbican
        endpoint: unix:///var/lib/kms/kms.sock
        cachesize: 100
    - identity: {}
  1. Enable --experimental-encryption-provider-config flag in kube-apiserver and restart it.
--experimental-encryption-provider-config=/etc/kubernetes/encryption-config.yaml

Verify

Verify the secret data is encrypted