Enhancements: Encryption at rest KMS integration

Created on 26 Sep 2017 · 36 Comments · Source: kubernetes/enhancements

Feature Description

  • One-line feature description (can be used as a release note): Data encryption at rest using Google KMS as an encryption provider.
  • Primary contact (assignee): @jcbsmpsn
  • Responsible SIGs: sig-auth
  • Design proposal link (community repo): https://github.com/kubernetes/community/pull/1134
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  • Approver (likely from SIG/area to which feature belongs):
  • Feature target (which target equals to which milestone):

    • Alpha release target (1.9)

    • Beta release target (1.12)

    • Stable release target (?.?)

Labels: kind/feature sig/auth stage/beta tracked/no

All 36 comments

@jcbsmpsn @kubernetes/sig-auth-feature-requests can you describe to us why the feature has been proposed only today (less than 24 hours before the release cut), and why it hasn't been discussed before during the release cycle?

cc @jdumars

cc @thockin

@idvoretskyi This issue is for 1.10, two cycles out. The 1.8 related code was merged alpha associated with this proposal. There is enough work associated with this feature that we want it to have its own issue going forward.

I've updated the description to say the alpha release target is 1.9, to avoid any confusion.

@jcbsmpsn much clearer now. Thanks

Do you have a plan how to address kubernetes/kubernetes#51965 which is a beta graduation requirement?
I hope we don't go ahead and add many of these into core as they should be ripped out anyway.

We need more than one significant example to design a good external API. We're going to move forward with https://github.com/kubernetes/community/pull/888 to gain that experience and then the next one will have enough examples to draw upon for a reasonable external API attempt.

@deads2k So the proposal is:
Google KMS v1.8, Vault v1.9 => alpha, in-tree
Generic out-of-tree interface v1.10 => beta

  • In-tree providers (Google KMS, Vault) are removed from core and converted to implement the generic interface in their respective homes (code-wise).

That sounds good to me

cc @immutablet

@kubernetes/sig-auth-feature-requests @kksriram Someone please update the schedule for this feature.

@jcbsmpsn Did you mean for this to specifically track an integration that enables use of Google's KMS to encrypt secrets at rest?

51965 outlined a proposal for abstracting KMS providers, and #55684 implemented that generic interface as an alpha feature in 1.10.

If this is specific to using Google KMS, then perhaps, @immutableT, this is the issue tracking your implementation of the #55684 provider for Google KMS? In any case, would that implementation ship with Kubernetes?

@kksriram Implementation of Google KMS gRPC Plugin will not ship with Kubernetes, instead, it will be made available in a separate repo under GoogleCloudPlatform.
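Added illustration of the split the thread converges on: the apiserver keeps per-object encryption in-tree and calls an out-of-tree KMS plugin only to wrap and unwrap a data-encryption key under a KEK the plugin never releases. This is example Go code written for this page, not code from Kubernetes, k8s-cloudkms-plugin or any of the plugins linked in the thread; KEKWrapper, localKEK, seal/open and the "k8s:enc:kms:v1:demo:" prefix are hypothetical stand-ins, and the real transformer's cipher mode and on-disk framing differ, so read it as a model of the design rather than the wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KEKWrapper is the seam the apiserver needs from an out-of-tree KMS plugin: wrap a
// fresh data-encryption key (DEK) under a key-encryption key (KEK) that never leaves
// the KMS, and unwrap it again. Real plugins expose this as gRPC Encrypt/Decrypt over
// a Unix socket; this in-process interface is a hypothetical stand-in for the example.
type KEKWrapper interface {
	WrapDEK(dek []byte) ([]byte, error)
	UnwrapDEK(wrapped []byte) ([]byte, error)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM(key, nonce, pt, aad) under a fresh random nonce.
func seal(key, pt, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, pt, aad)...), nil
}

// open reverses seal; a wrong key, wrong aad or a flipped bit fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// localKEK stands in for the remote KMS with a KEK held in process memory (demo only;
// a real deployment never lets the KEK reach the apiserver).
type localKEK struct{ kek []byte }

func (k *localKEK) WrapDEK(dek []byte) ([]byte, error)       { return seal(k.kek, dek, nil) }
func (k *localKEK) UnwrapDEK(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped, nil) }

// prefix tags stored values so a reader with several providers configured knows which
// one produced them. The string is illustrative, not the apiserver's real prefix.
const prefix = "k8s:enc:kms:v1:demo:"

// EnvelopeEncrypt stores prefix || uint16 big-endian len(wrapped) || wrapped || nonce || ct.
// aad is the object's etcd key, so a blob copied under another key fails to decrypt.
func EnvelopeEncrypt(kms KEKWrapper, plaintext, aad []byte) ([]byte, error) {
	dek := make([]byte, 32) // one fresh AES-256 DEK per stored object
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(dek) // the only step that talks to the KMS
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	out := append([]byte(prefix), byte(len(wrapped)>>8), byte(len(wrapped)))
	out = append(out, wrapped...)
	return append(out, ct...), nil
}

// EnvelopeDecrypt reverses EnvelopeEncrypt, checking lengths before trusting any
// bytes and asking the KMS only to unwrap the DEK, never to see the object.
func EnvelopeDecrypt(kms KEKWrapper, stored, aad []byte) ([]byte, error) {
	if !bytes.HasPrefix(stored, []byte(prefix)) || len(stored) < len(prefix)+2 {
		return nil, errors.New("not an envelope-encrypted value")
	}
	rest := stored[len(prefix):]
	wl := int(binary.BigEndian.Uint16(rest[:2]))
	if len(rest)-2 < wl {
		return nil, errors.New("truncated wrapped DEK")
	}
	dek, err := kms.UnwrapDEK(rest[2 : 2+wl])
	if err != nil {
		return nil, err
	}
	return open(dek, rest[2+wl:], aad)
}
```

The properties worth checking against any real plugin deployment are the ones this layout makes explicit: the stored blob never contains the DEK in the clear, a blob moved to another etcd key or bit-flipped fails authentication rather than decrypting to garbage, and the plugin process only ever sees 32-byte DEKs, never Secret contents. In this example's layout a KEK rotation means re-wrapping each stored DEK rather than re-encrypting the object bytes.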

@immutableT Does that GCP repository exist / is public yet?

Yes,
https://github.com/GoogleCloudPlatform/k8s-cloudkms-plugin/

I will be adding deployment instructions soon (after 61862 is approved).

@cjcullen @bgrant0607 @kksriram @kubernetes/sig-auth-feature-requests
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:

    • stage/{alpha,beta,stable}

    • sig/*

    • kind/feature

cc @idvoretskyi

Kubernetes KMS Plugin for Azure Key Vault: https://github.com/Azure/kubernetes-kms
cc @khenidak

Citadel: Turn an arbitrary command into a Kubernetes Key Management Service GRPC server

https://github.com/enj/citadel

Kubernetes SIG Auth 2018-04-04 Demo (~6 minutes): https://youtu.be/2zJf_g0PJ6s

@npmccallum

Hi - checking in, I believe this is currently in Alpha in 1.10. Will this go Beta in 1.11?

@mayakacz nope, it did not make Beta in 1.11 please see https://github.com/kubernetes/kubernetes/issues/61420

Kubernetes KMS plugin for HashiCorp Vault : https://github.com/oracle/kubernetes-vault-kms-plugin
@vineet-garg @wu-qiang

This feature currently has no milestone, so we'd like to check in and see if there are any plans for this in Kubernetes 1.12.

If so, please ensure that this issue is up-to-date with ALL of the following information:

  • One-line feature description (can be used as a release note):
  • Primary contact (assignee):
  • Responsible SIGs:
  • Design proposal link (community repo):
  • Link to e2e and/or unit tests:
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  • Approver (likely from SIG/area to which feature belongs):
  • Feature target (which target equals to which milestone):

    • Alpha release target (x.y)

    • Beta release target (x.y)

    • Stable release target (x.y)

Set the following:

  • Description
  • Assignee(s)
  • Labels:

    • stage/{alpha,beta,stable}

    • sig/*

    • kind/feature

Once this feature is appropriately updated, please explicitly ping @justaugustus, @kacole2, @robertsandoval, @rajendar38 to note that it is ready to be included in the Features Tracking Spreadsheet for Kubernetes 1.12.


Please note that Features Freeze is tomorrow, July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.

In addition, please be aware of the following relevant deadlines:

  • Docs deadline (open placeholder PRs): 8/21
  • Test case freeze: 8/28

Please make sure all PRs for features have relevant release notes included as well.

Happy shipping!

P.S. This was sent via automation

Will this make it to Beta in 1.12?
From sig-auth on 7/11, it sounded like this was missing (1) a release shepherd and (2) feedback on implementation.
(1) Is anyone owning pushing this forward?
(2) We now have several implementations:

Thanks!

I'm tentatively adding beta to v1.12 milestone.

@mayakacz we have someone looking into possibly adding a kms provider using OpenStack Barbican https://github.com/kubernetes/cloud-provider-openstack/issues/44

@mikedanese @dims I've added this to the 1.12 tracking sheet.
@justaugustus please assign the appropriate labels

Done.
cc: @kacole2 @wadadli @robertsandoval @rajendar38

/assign @jcbsmpsn

Hey there! @jcbsmpsn I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?

@jcbsmpsn @cjcullen --
Any update on docs status for this feature? Are we still planning to land it for 1.12?
At this point, code freeze is upon us, and docs are due on 9/7 (2 days).
If we don't hear anything back regarding this feature ASAP, we'll need to remove it from the milestone.

cc: @zparnold @jimangel @tfogo

Here's the docs PR:

https://github.com/kubernetes/website/pull/10230

cc @immutableT

Hi folks,
Kubernetes 1.13 is going to be a 'stable' release since the cycle is only 10 weeks. We encourage no big alpha features and only consider adding this feature if you have a high level of confidence it will make code slush by 11/09. Are there plans for this enhancement to graduate to beta/stable within the 1.13 release cycle? If not, can you please remove it from the 1.12 milestone or add it to 1.13?

We are also now encouraging that every new enhancement aligns with a KEP. If a KEP has been created, please link to it in the original post. Please take the opportunity to develop a KEP.

@cjcullen @jcbsmpsn just checking in on @ameukam's post if this plans to graduate for 1.13.

This release is targeted to be more ‘stable’ and will have an aggressive timeline. Please only include this enhancement if there is a high level of confidence it will meet the following deadlines:

  • Docs (open placeholder PRs): 11/8
  • Code Slush: 11/9
  • Code Freeze Begins: 11/15
  • Docs Complete and Reviewed: 11/27

/milestone clear

I think this graduated to stable in v1.13, so can we close this issue now?

@jcbsmpsn Hello - I'm the enhancements lead for 1.14 and I'm checking in on this issue to see what work (if any) is being planned for the 1.14 release. Enhancements freeze is Jan 29th and I want to remind that all enhancements must have a KEP.

yes, this was addressed by the KMS integration point and promoted in 1.13

/close

@liggitt: Closing this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
