[WIP] Introduce kubeapiserver.config.k8s.io/v1 and use standard method for parsing encryption config file

[php-coder]

What this PR does / why we need it:
This PR reworks handling of the configuration file for encryption at rest. Now it uses a standard approach for parsing and also it supports versioning.

Which issue(s) this PR fixes:
Fixes #61599

[php-coder]

/release-note-none
CC @simo5 @marrrvin

[php-coder]

/sig auth

At this time it doesn't work yet as compilation fails with:

import cycle not allowed
package k8s.io/kubernetes/cmd/hyperkube
	imports k8s.io/kubernetes/cmd/kube-apiserver/app
	imports k8s.io/apiserver/pkg/server/options/encryptionconfig
	imports k8s.io/apiserver/pkg/server/options/encryptionconfig/scheme
	imports k8s.io/apiserver/pkg/server/options/encryptionconfig

@liggitt @smarterclayton We need to move encryption configuration somewhere, but I'm not sure where its place. If we want to use apiserver.config.k8s.io API Group then we should move encryption config to https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/apiserver/pkg/apis/apiserver but it's in v1alpha1 version. I'm not sure that we want and can downgrade api version from v1 to v1alpha1.

How we can handle this?

[php-coder]

@liggitt This type looks suspicious. Did we decide some time ago to always use integers with a fixed size in APIs, do we?

[liggitt]

the field in the external type should be a fixed size int, yes

[php-coder]

I decided to make some functions private, it doesn't relate to my change. Let me know if it's inappropriate change at all or if I should submit it separately.

[liggitt]

there's no real reason to make these private, so let's revert this change.

[php-coder]

@liggitt Do we have a requirement to fully support old format of the config file? Perhaps we should show a warning in this case?

[php-coder]

I assume that no, we don't have such requirement.

[liggitt]

I'm not sure that we want and can downgrade api version from v1 to v1alpha1.

The documentation says to use v1:

https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration

Because we were using a non-standard load that ignored version, this wasn't caught before.

I'd actually be in favor of promoting the config version to v1. The types are minimal, there's been no desired changes since it was created, and anyone following our documentation is already using v1.

[php-coder]

I'd actually be in favor of promoting the config version to v1.

@liggitt Do I understand you correctly, that we should do this promotion before moving encryption config there? In other words, we have one more dependency for promoting encryption config to beta.

I'll be able to prepare and submit PR next week.

[php-coder]

I'd actually be in favor of promoting the config version to v1.

I'll be able to prepare and submit PR next week.

Done: #63304

[php-coder]

I'm not sure about this change because v1 has one type and v1alpha1 has others, in other words, these aren't different versions of the same API but different APIs in fact.

[ericchiang]

The admissionregistration seems to do something similar where different versions of the API hold different object.

https://github.com/kubernetes/api/blob/kubernetes-1.10.2/admissionregistration/v1alpha1/register.go#L45-L48
https://github.com/kubernetes/api/blob/kubernetes-1.10.2/admissionregistration/v1beta1/register.go#L45-L50

Any apimachinery folk care to comment here? It looks fine to me.

[php-coder]

I've just casted int32 to int here but let me know if there is a better way or perhaps we should use int32 everywhere.

[php-coder]

Do we have a better way for parsing YAML? I couldn't find a way of getting a scheme.

CC @sttts

[ericchiang]

This is what we do for the audit API policy file

kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go

Line 47 in 484f62a

func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {

[php-coder]

Now we don't need these checks as they will be performed by deserializer.

[php-coder]

This PR makes the old configs unusable. If we have to be backward compatible and you know how to handle such cases, please, share this knowledge with me or, at least, point me to the right direction. Thanks!

[ericchiang]

Definitely needs a release note.

We could try to parse out the kind and apiVersion beforehand, then conditionally use the old parsing logic. Don't know how much work that is.

[sttts]

We can register the types under the legacy core group in the scheme used for decoding. Why is that no option?

[stlaz]

Probably this was just never considered. Would that mean there would be two different API groups for one functionality? Could the legacy one ever be deprecated? Should that be done at a different time than when promoting from alpha to unfortunate stable?

[sttts]

yes, same types, multiple groups. Technically possible.

Good question about deprecation. Formally we will probably have to stick with this forever.

[php-coder]

@liggitt PTAL
@deads2k @sttts Your feedback would be welcomed!

[k8s-ci-robot]

@php-coder: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-bazel-test	7cdc116	link	/test pull-kubernetes-bazel-test
pull-kubernetes-integration	7cdc116	link	/test pull-kubernetes-integration
pull-kubernetes-verify	7cdc116	link	/test pull-kubernetes-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[php-coder]

W0604 14:07:59.325] vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/register.go:49:36: cannot use kubeapiserverconfig.EncryptionConfiguration literal (type *kubeapiserverconfig.EncryptionConfiguration) as type runtime.Object in argument to scheme.AddKnownTypes:

Looks like, I forgot to run some script or maybe I need to "register" a path with new type somewhere so the scripts will pick it up?

I've fixed this by adding doc.go, register.go and install/install.go files for an internal type.

---

At this moment, I faced with another verify import violation:

2018/06/15 10:18:27 Inspecting imports under ./vendor/k8s.io/apiserver/...
2018/06/15 10:18:28 - validating imports for 130 packages in the tree
2018/06/15 10:18:28 -- found forbidden imports for k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission:
2018/06/15 10:18:28 --- k8s.io/kubernetes/pkg/kubeapiserver/apis/kubeapiserverconfig
2018/06/15 10:18:28 -- found forbidden imports for k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/install:
2018/06/15 10:18:28 --- k8s.io/kubernetes/pkg/kubeapiserver/apis/kubeapiserverconfig/v1
2018/06/15 10:18:28 -- found forbidden imports for k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/encryptionconfig:
2018/06/15 10:18:28 --- k8s.io/kubernetes/pkg/kubeapiserver/apis/kubeapiserverconfig/v1
2018/06/15 10:18:28 --- k8s.io/kubernetes/pkg/kubeapiserver/apis/kubeapiserverconfig
2018/06/15 10:18:28 - FAIL

Not sure how to fix it, perhaps, I need to relax this check.

[stlaz]

@liggitt @sttts Would the following patch help moving this PR forward? I have this plus the commits from this PR squashed and rebased on the current (~week old) master in https://github.com/stlaz/kubernetes/tree/slava_encryptconfig. I believe @php-coder won't have much time to carry on with his work on this one.

From ceae7ac28d3a29d064aaccad2c6c59e23b7937d7 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Mon, 30 Jul 2018 09:22:04 +0200
Subject: [PATCH] Loosen ./vendor/k8s.io/apiserver/ import verification

Loosen ./vendor/k8s.io/apiserver/ import verification so that it allows
imports from k8s.io/pkg/kubeapiserver so that it can use the
EncryptConfiguration objects
---
 hack/import-restrictions.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hack/import-restrictions.yaml b/hack/import-restrictions.yaml
index f9749300a8..f5194bb839 100644
--- a/hack/import-restrictions.yaml
+++ b/hack/import-restrictions.yaml
@@ -79,6 +79,7 @@
   - k8s.io/apiserver
   - k8s.io/client-go
   - k8s.io/kube-openapi
+  - k8s.io/kubernetes/pkg/kubeapiserver
 
 - baseImportPath: "./vendor/k8s.io/metrics/"
   allowedImports:
-- 
2.18.0

[luxas]

This proposal is probably a bit related to this PR: kubernetes/community#2354

[stlaz]

@luxas I finally got to read the design and compare it to this PR.

If I understand the KEP correctly, the kubeapiserver package would eventually get its own repository. That action still needs to be done. Therefore the only implication for this PR right now is that I should move the changes for the staging package to kubernetes/apiserver repository, am I correct?

[luxas]

kubeapiserver package would eventually get its own repository

Yes, eventually, but that's not a near-term goal for that KEP specifically.

Therefore the only implication for this PR right now is that I should move the changes for the staging package to kubernetes/apiserver repository, am I correct?

If this is generic apiserver code I guess it can live in k8s.io/apiserver if it's not I'd prefer k8s.io/kube-apiserver. The k8s.io/apiserver/pkg/apis/config{,v1alpha1} packages are already created FWIW.

[stlaz]

This PR originally implemented the changes as a part of apiserver but after series of decisions the kubeapiserver package was chosen. I'd stick to that unless there is a specific reason to move it back or to kube-apiserver instead.
Also, this is going to be v1 due to #63032 (comment)

[stlaz]

@luxas I just went through the code again, we could probably really go and contain this change just for apiserver since we're not touching neither kube-apiserver nor federation-apiserver codebase. I suspect kubeapiserver/apis/kubeapiserverconfig was chosen simply for the sake of no other better location which now hopefulyl exists with the k8s.io/apiserver/pkg/apis/config you're mentioning. It seems it would be a code-wise cleaner change, too.

[php-coder]

Superseded by #67383

/close

[k8s-ci-robot]

@php-coder: Closing this PR.

Details

In response to this:

Superseded by #67383

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.