- Release Signoff Checklist
- Summary
- Motivation
- Proposal
- Design Details
- Production Readiness Review Questionnaire
- Implementation History
- Drawbacks
- Alternatives
Items marked with (R) are required prior to targeting to a milestone / release.
- (R) Enhancement issue in release milestone, which links to KEP dir in kubernetes/enhancements (not the initial KEP PR)
- (R) KEP approvers have approved the KEP status as
implementable - (R) Design details are appropriately documented
- (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
- e2e Tests for all Beta API Operations (endpoints)
- (R) Ensure GA e2e tests for meet requirements for Conformance Tests
- (R) Minimum Two Week Window for GA e2e tests to prove flake free
- (R) Graduation criteria is in place
- (R) all GA Endpoints must be hit by Conformance Tests
- (R) Production readiness review completed
- (R) Production readiness review approved
- "Implementation History" section is up-to-date for milestone
- User-facing documentation has been created in kubernetes/website, for publication to kubernetes.io
- Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
The secrets-store-csi-driver project provides a portable method for applications to consume secrets from external secret APIs through the filesystem. This effort was added to the sig-auth subproject in February 2020 and currently there are providers for Azure, AWS, GCP, and HashiCorp Vault. All the providers for the driver are out-of-tree. This KEP intends to cover making the core functionality of the driver GA.
- Signal the stability of the driver interface and implementation for the core task of making secrets available to pod filesystem.
- Extending the Kubernetes Secret object
- Introduce a new Kubernetes type
- Consume only: The proposed CRD and implementation does not provide a way to add/write/edit secrets in the external stores.
This project introduces a new Container Storage Interface (CSI) driver for fetching secrets and writing to a tmpfs mount in the Pod filesystem. The driver is deployed as a DaemonSet. A new Custom Resource Definition (CRD) called a SecretProviderClass is introduced that informs the driver of which external secret storage API to contact and how to map the secrets from those APIs to file paths. The driver communicates with the external secret provider processes through a gRPC interface over a Unix Domain Socket.
- Application reads secret from filesystem on startup
- Application watches secret for rotation
- Application Pod YAML remains unchanged and works across secret providers
Since the proposal is a storage driver, native support for presenting secrets to a process through environment variables is not possible. The driver includes a method to sync the mounted content as Kubernetes secret. This is an optional feature, isn't enabled by default, and will not be considered a GA feature of the driver.
CVE-2020-8567 is an example of this risk. Since then, the interface between the driver and provider processes has been updated to:
- eliminate the
kubelet/podshostPathvolume mount from providers - consolidate all filesystem IO to the driver process
The driver protects against directory traversal vulnerabilities by re-using the atomic_writer used by Kubernetes Secrets and ConfigMaps which includes protections against writing to unintended paths.
Providers need a single remaining hostPath to share a unix domain socket file with the driver process, but this path has no other system critical or security sensitive access.
Authentication and authorization is largely up to the external API and its provider process, but the driver itself does include a few features that enable scoping access to secrets to individual pods.
Pod info is propagated to the external provider.
Additionally KEP 1855 allows the driver to propagate a token to the provider. This enabled the providers to impersonate the pod for fetching secrets without the need granting large RBAC scopes.
- Automated pre and post submit end-to-end integration tests
- Periodic end-to-end integration tests
- Supported providers each have their own integration test suites along with a reference provider
- Month+ soak of minor release
- Completion of milestone requirements
- Agreement of stability documented on community call from 3+ provider maintainers
- User facing API groups (
SecretProviderClassandSecretProviderClassPodStatusCRDs) promoted to v1
There are currently no planned deprecations. The following rules will be followed if a deprecation is needed.
- Announce deprecation and support policy of the existing flag
- Two versions passed since introducing the functionality that deprecates the flag (to address version skew)
- Address feedback on usage/changed behavior, provided on GitHub issues
- Deprecate the flag
This will be deployed to clusters as a standalone separate component.
- non-zero
total_node_publishmetrics indicate the CSI driver is used by the workloads. total_sync_k8s_secretmetrics indicate the optional Sync as Kubernetes secret feature is used by the workloads.total_rotation_reconcilemetrics indicate the optional rotation reconciliation feature is used by the workloads.
total_node_publish_error- any rising count of this metric indicates a problem with mounting the volume for pod.
total_node_unpublish_error- any rising count of this metric indicates a problem with unmounting the volume for pod.
What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service?
- Metrics
- Metric name:
total_node_publish - Components exposing the metric:
secrets-store-csi-driver
- Metric name:
- Other
- Details: The CSI driver is configured with liveness and readiness probes. The liveness check is performed using the liveness-probe sidecar container. The liveness probe sidecar container exposes an HTTP
/healthzendpoint which serves as kubelet's livenessProbe hook to monitor health of the CSI driver. The liveness probe usesProbe()RPC call to check the CSI driver is healthy.
- Details: The CSI driver is configured with liveness and readiness probes. The liveness check is performed using the liveness-probe sidecar container. The liveness probe sidecar container exposes an HTTP
Are there any missing metrics that would be useful to have to improve observability of this feature?
- Kubernetes Container Storage Interface
- KEP 596: CSI Inline Volume Support GA
- KEP 1855: Service Account Token for CSI Driver
- Supports windows containers (Kubernetes version v1.18+)
The driver uses CSI Inline Volumes to mount the external secrets-store objects in the pod. The CSI Inline Volumes feature is enabled by default in Kubernetes 1.16+. For windows containers, the CSI Inline Volumes feature is enabled by default in Kubernetes 1.18+.
The minimum supported Kubernetes version is 1.16 for Linux and 1.18 for Windows.
- Kubelet
- If kubelet service is not running, the pods referencing the csi driver for volume will fail to start.
Load test results: https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html
Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?
Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components?
https://secrets-store-csi-driver.sigs.k8s.io/troubleshooting.html
- Dec 2018 - First Commit
- Feb 2020 - Incorporated into sig-auth with pluggable provider model
- May 2020 - v0.0.10 (First release)
- July 2021 - v0.1.0 (First minor release)
- Environment Variables: There appears to be a strong desire to consume secrets using environment variables but the only way for this to work currently is through syncing secrets to Kubernetes Secrets.