Support for Encrypted Images in Kubernetes

[harche]

Enhancement Description

• One-line enhancement description (can be used as a release note): Support for Encrypted Images in Kubernetes
• Kubernetes Enhancement Proposal: Add Image Decryption KEP #1066
• WIP PR - [WIP] Adding support for encrypted container images  kubernetes#78975
• Primary contact (assignee): @harche
• Responsible SIGs: sig-node sig-architecture
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.17
  • Beta release target (x.y): 1.18 or later
  • Stable release target (x.y): 1.19 or later

/sig node
/sig architecture

[harche]

/sig node
/sig architecture

[harche]

/cc @tallclair

[kacole2]

/stage alpha
/milestone v1.16

Hi @@harche, I'm the 1.16 Enhancement Lead. I've added this to the 1.16 Tracking Spreadsheet.

Once coding begins or if it already has, please list all relevant k/k PRs in this issue so they can be tracked properly.

As a reminder, every enhancement requires a KEP in an implementable state with Graduation Criteria explaining each alpha/beta/stable stages requirements.

Milestone dates are Enhancement Freeze 7/30 and Code Freeze 8/29.

[harche]

Thanks @kacole2

[kacole2]

@harche this is a reminder that Enhancement Freeze is tomorrow and this keep needs to be merged by EOD. Thanks

[harche]

@kacole2 After the discussion in the sig-node call last Tuesday it was suggested that we should target 1.17 instead of 1.16 for this feature.

[kacole2]

/milestone v1.17

[mrbobbytables]

Hey there @harche -- 1.17 Enhancements lead here. I wanted to check in and see if you think this Enhancement will be graduating to alpha in 1.17?

Just a reminder that for it to be accepted -- the KEP must be merged, in an implementable state and have both a test plan and graduation criteria defined before the Enhancement Freeze.

The current release schedule is:

Monday, September 23 - Release Cycle Begins
Tuesday, October 15, EOD PST - Enhancements Freeze
Thursday, November 14, EOD PST - Code Freeze
Tuesday, November 19 - Docs must be completed and reviewed
Monday, December 9 - Kubernetes 1.17.0 Released

If you do, once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

[jeremyrickard]

👋 Hey @harche, enhancements team here! We wanted to check in again and see if you're still targeting 1.17 for this? The enhancements freeze is right around the corner (EOD PT, October 15th) and you''ll need to have your KEP merged by then. It looks like you're still waiting on some reviews?

[lumjjb]

Yea - we are... unfortunately there seems to be some delay on getting the api review started :(. We have been trying to reach out the the reviewers on #1066. But no progress yet. Fingers crossed.

[jeremyrickard]

@lumjjb - Unfortunately the deadline for the 1.17 Enhancement freeze has passed and the KEP is still not merged. For now this is being removed from the milestone and 1.17 tracking sheet. If there is a need to get this in, please file an enhancement exception.

[jeremyrickard]

/milestone clear

[lumjjb]

Thanks @jeremyrickard for the followup! Should hopefully meet the deadline for 1.18!

[kikisdeliveryservice]

Hey there @lumjjb @harche -- 1.18 Enhancements shadow here. I wanted to check in and see if you think this Enhancement will be graduating to alpha|beta|stable in 1.18?
The current release schedule is:
Monday, January 6th - Release Cycle Begins
Tuesday, January 28th EOD PST - Enhancements Freeze
Thursday, March 5th, EOD PST - Code Freeze
Monday, March 16th - Docs must be completed and reviewed
Tuesday, March 24th - Kubernetes 1.18.0 Released
To be included in the release, this enhancement must have a merged KEP in the implementable status. The KEP must also have graduation criteria and a Test Plan defined.
If you would like to include this enhancement, once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍
We'll be tracking enhancements here: http://bit.ly/k8s-1-18-enhancements
Thanks!

[harche]

@kikisdeliveryservice this enhancement will not be graduating in 1.18.

[kikisdeliveryservice]

thanks @harche !

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[palnabarun]

/remove-lifecycle stale

[kikisdeliveryservice]

Hi @harche @lumjjb !

1.19 Enhancements shadow here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

The KEP PR must be merged in an implementable state
The KEP must have test plans
The KEP must have graduation criteria.

The current release schedule is:

Monday, April 13: Week 1 - Release cycle begins
Tuesday, May 19: Week 6 - Enhancements Freeze
Thursday, June 25: Week 11 - Code Freeze
Thursday, July 9: Week 14 - Docs must be completed and reviewed
Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

Please let me know and I'll add it to the 1.19 tracking sheet (http://bit.ly/k8s-1-19-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

[harche]

@kikisdeliveryservice We aren't targeting 1.19 at for this enhancement.

[kikisdeliveryservice]

thanks for the update @harche !

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[palnabarun]

/remove-lifecycle stale

[kikisdeliveryservice]

Hi @harche

Enhancements Lead here. Any plans for this in 1.20?

Thanks!
Kirsten

[harche]

@kikisdeliveryservice thanks for reaching out. We aren't planning this for 1.20.

[harche]

I am going to close this for now. If we ever decide to revive this in future, I will reopen this issue.

[danmx]

Hi, what's the status and do you need any help?

[lumjjb]

Hi @danmx ! Currently, the enablement of the feature in crio/containerd is via an operator: https://github.com/IBM/k8s-enc-image-operator

This is a talk we did at kubecon a while back: https://kccnceu20.sched.com/event/Zepc, has a demo and some more info.

There is definitely potential for more native support and per service account/namespace decryption, but there hasn't been an ask for it yet.