Add healthz check for KMS Providers on kube-apiserver.

[immutableT]

What type of PR is this?
/kind feature

What this PR does / why we need it:
When kube-apiserver starts before kms-plugin, kube-apiserver essentially is unable to serve secrets until kms-plugin is up. This inability to process secrets (just after being started) leads to large number of errors and eventually to a restart of kube-apiserver.
To avoid this untested scenario, KMS Provider will install a healthz check on kube-apiserver for the status of kms-plugin.
Therefore, (via a readiness probe) kube-apiserver will be protected from serving requests until kms-plugin becomes available. Thus allowing kube-apiserver properly handle requests for Secrets and Service Accounts.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

KMS Providers will install a healthz check for the status of kms-pluign in kube-apiservers' encryption config. 

[immutableT]

/assign @awly

[fejta-bot]

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

[immutableT]

/test pull-kubernetes-bazel-build

[immutableT]

/test pull-kubernetes-bazel-test

[awly]

Could healthz probes be passed over the plugin Endpoint above?

[immutableT]

I assume that you meant to create a dedicated type for healthz probe. If I understood you correctly, the latest commit accomplishes this.

[awly]

I meant adding a healthz RPC to the KMS plugin itself on the gRPC service.
So you could send those healthz requests over KMSConfiguration.Endpoint (the unix socket) instead of a separate new HTTP endpoint

[immutableT]

I think this is a good idea, but my survey of the currently implemented plugins shows that they do not have this functionality yet.
This is something we could add later.

[awly]

Do currently implemented plugins already expose a HTTP endpoint for healthz?
If not, you could put in a healthz grpc endpoint and just skip polling health if it returns "unimplemented" (or whatever error grpc will send).

[immutableT]

Yes, Google CloudKMS Plugin and AWS CloudHSM plugins have implemented healthz. Hence, these plugins could take advantage of this feature right away.

[awly]

Ack, that makes sense then

[awly]

remove empty line

[awly]

So this only happens on kube-apiserver startup, right?
What if kms plugin becomes unhealthy later on? I assume it will just show up as errors from all Secrets operations?

[immutableT]

Yes, this is only to ensure that kube-apiserver comes-up after kms-plugin is reporting healthz OK.
KMS-Plugin may have its own liveness probe.
And yes, kube-apiserver will log and increment failure metrics when the plugin is down.

[awly]

Could this only return the error? If arg parsing fails or if healthz polling fails, return a non-nil error

[immutableT]

Maybe, but I want to deffirentate between the scenarios

1. Healthz could not be checked due to configuration errors - false, error
2. Heathz returned non 200 status - false,nil
3. Healthz return 200 - true,nil

I think this approach fits with the signature of the poll.Wait.

[awly]

Hmm, but shouldn't you retry even if healthz endpoint is unreachable?
For example when KMS plugin starts later than kube-apiserver.
If yes, then there's no difference between non-200 status and any request errors

[immutableT]

Let me step back.
wait.PollImmediate takes a condition function of the following signature:
type ConditionFunc func() (done bool, err error)
Therefore, getHelathz must match that signature.

I think the reason for that signature is that polling status has three potential states:

1. true - we are done ,no need to retry further (kms-plugin OK)
2. false - poll failed, keep retrying (kms-plugin is not up yet)
3. error - got negative status, no need to poll anymore (ex. missing permissions on the key)

[awly]

getHealthz doesn't have to conform to what wait.PollImmediate expects, you can always adapt it with a closure.

I understand the purpose of those separate return values, but my point is: getHealthz should never cause wait.PollImmediate to exit early with an error.
Currently you return non-nil error when response code is not 200. I think kube-apiserver should keep retrying in that case, let the plugin flip response code to 200 later on.
Then KMS plugin can say "i'm up, but not ready to serve requests yet" and kube-apiserver won't crashloop because of it.

[immutableT]

ACK on the signature, you are correct.

Here a scenario:
kube-apiserver polls kms-plugin and the plugin responds with 500 because KMS returned "Key Destroyed Error" (or other non-retriable error). Assuming we use the logic that your propose, kube-apiserver will continue to retry for the duration of the Poll timeout which seems unnecessary to me.

So I see a couple of choices here:

1. Retry until we get either true or poll timeout expires
2. Differentiate between 500(return an error) and 503 (return false, nil)

WDYT?

[awly]

Special-casing 500 and causing it to abort retries immediately sounds fine.
I'm not sure what that achieves though.
It'll cause kube-apiserver to crash and be restarted a few seconds later anyway.

Retries will continue indefinitely (indirectly through kube-apiserver restarts) in any case.

[immutableT]

@awly PTAL - added a case for 500.

I agree that this may not make a lot of difference. However, I don't want to make any assumptions about how kube-apiserver will be restarted (i.e. its restart policy) or whether or not kube-apiserver should crash if kms-plugin is down.
My objective is to stop polling if KMS-Plugin returned a non-retryable error.

[awly]

SGTM, as long as there's some way for KMS plugin implementors to discover this expectation from /healthz

[awly]

c := &http.Client{...

[immutableT]

/assign @liggitt

[fedebongio]

/assign @logicalhan

[immutableT]

/test pull-kubernetes-dependencies

[immutableT]

/test pull-kubernetes-e2e-gce-100-performance

[liggitt]

this seems more like v5, if at all

[immutableT]

Removed.

[liggitt]

we should include the name in the returned error so it is surfaced in healthz details. if we do that, we don't need to separately log the error here. same comment applies to the decrypt call on line 136

[immutableT]

Done, included provider's name into the error message.

[liggitt]

the h captured here by the closure is incorrect, it means if you have multiple checks, they will all test the last iterated config

[liggitt]

add a test with at least two configs and verify the checks exercise the correct KMS

[liggitt]

isn't the first KMS in the list used to encrypt, and subsequent ones to decrypt? would we ever encounter a case where a later KMS would only permit decrypting, so the encrypt("ping") check would fail?

[immutableT]

Fixed the closure bug.
Added integration test for multiple providers' scenario (see, kms_treansformer_test.go TestHealthz.

Yes, theoretically, the scenario you described in the third comment is possible. KMS Administrator may remove "encrypt" IAM privilege from the service account under which the kms-plugin runs once the corresponding provider is moved into the second place - used only for decryption.
In practice, this is unlikely, but we should document this.
Also, there is no generic way to test decryption without providing a valid encryption payload.
I think the long term solution here is to move towards gRPC Health Checking Protocol
https://github.com/grpc/grpc/blob/master/doc/health-checking.md
KMS-Plugin developers may have vendor specific way to ascertain the status of the plugin based on the requested operation type. This is something I would like to add after this PR.

[liggitt]

I wouldn't expect a log here, or if we do, at v(5)

[immutableT]

Removed.

[liggitt]

no logging here?

[immutableT]

Removed.

[immutableT]

/test pull-kubernetes-integration

[liggitt]

looks relevant

E0702 00:03:19.695781  107386 grpc_service.go:71] failed to create connection to unix socket: @kms-provider-2.sock, error: dial unix @kms-provider-2.sock: connect: connection refused
W0702 00:03:19.695822  107386 clientconn.go:1251] grpc: addrConn.createTransport failed to connect to {@kms-provider-2.sock 0  <nil>}. Err :connection error: desc = "transport: Error while dialing dial unix @kms-provider-2.sock: connect: connection refused". Reconnecting...
panic: Conflicting storage tracking

[immutableT]

/test pull-kubernetes-integration
/test pull-kubernetes-bazel-build

[immutableT]

@liggitt Yes, it was relevant - I was missing a call to cleanup Test API Server - fixed.

[liggitt]

/approve

go ahead and squash commits, and fix a couple import and logging nits while you're at it, then lgtm

[liggitt]

do we log on other health check success? wondering when this would be useful

[liggitt]

group imports together

[liggitt]

group google.golang.org imports together

[liggitt]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: immutableT, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiserver/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/pkg/apis/OWNERS [liggitt]
• test/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment