If you'd like to find a place to help, I'd suggest focusing your efforts on connecting Kubernetes to Hashicorp Vault, which is truly secure, and deprecating the old unencrypted etcd-backed implementation.
I've already began exploring how an integration between Vault and Kubernetes would work [2]. There are some things to work out, but those discussions are under way [3]. The current prototype/example demonstrates one way of leveraging Vault from applications deployed on Kubernetes, without changes to the Kubernetes core.
While the vault-controller [2] works, we can do better. One idea is to consider what a deeper Vault integration looks like. Ideally we can modify parts of Kubernetes, mainly the kubelet agent that runs on every node, to handled the secure generation and renewal of unique Vault tokens for each Pod during the Pod creation phase.
Another idea would be to rethink "secrets" altogether and rebuild the entire feature on top of the Vault API. We can "hide" Vault under the current "secrets" API, which would let us remain backwards compatible. That would be phase one. Phase two could introduce new Secret extensions, which would enable users to declaratively manage Vault tokens, backends, and secret renewals through the Kubernetes API.
[1] https://www.vaultproject.io
[2] https://github.com/kelseyhightower/vault-controller
[3] https://github.com/kubernetes/kubernetes/issues/10439#issuec...
Also, the engineering teams need to do a better job of integrating community PRs that address implementor demands. For example, Consul K/V support has been asked for since 2014 [1], yet nobody seems to be in a hurry to integrate the (generously-provided) functionality [2].
Finally, I'd like to see deadlines and decision-makers appointed for making decisions such as the one you discuss, so we can avoid endless debates and make forward progress quickly.
Those new pods could reference existing secrets, be in any namespace (e.g. kube-system), and are exactly the same as root on all k8s nodes.
Because of that, having access to etcd is equivalent to having admin cluster access. The secrets are no more secret if they're encrypted in etcd or not since anyone with access to etcd can launch pods that will decrypt arbitrary secrets.
This is true iwth vault as well. Once secrets are in vault, access to etcd will still result in all secrets being available to the attacker. The threat model is no better.
There are plans to encrypt them in etcd for the sake of them not appearing in backups and because people like you constantly bitch about it, but it doesn't mater and saying they shouldn't be called secrets because of this is FUD.
At any rate, you bring up two points: First, that etcd is insecure, which is a problem in itself that needs to be addressed. Communications between K8S and etcd and between applications and etcd need to be secured, and K8S itself needs role-based ACLs in the core.
Second, for the Vault use case, the best practice is not to place Vault tokens in etcd that grant direct access to any secrets. Instead, the best practice (as Kelsey's vault-controller project does) is to pass a "wrapper token," which is a single-use token. The application consumes the wrapper token (hopefully quickly) and exchanges it for a longer-lived token, which can then be used to access the secret data.
Once the wrapper token has been used, it is subsequently worthless to someone who has direct etcd access. And Vault's auditing capabilities can help you detect misuses of wrapper tokens.
Also, it's just a start; the existing "secrets" implementation needs to be completely scrapped in the name of security.
My tldr; konfd writes out k8s configmaps based on other k8s resources like secrets, configmaps, etc. Really useful for writing out complete config files into a pod namespace without relying on external config backends.
Question: While looping on a syncInterval is certainly clean and understandable, it feels suboptimal when all the templates sources are themselves watchable with a k8s client. Benefits of switching to a watch model:
1. Speed: It'd be nice to have the template rendering fire immediately after a source secret changed versus waiting for syncInterval.
2. Resource Utilization: Switching from syncInterval to a watch should save significant cycles by avoiding reprocessing templates when config hasn't changed.
1. The template configmap will not change as often as the secrets and configmap key/value pairs they reference. This means you'll always need a sync loop to regenerate the template and compare it with the current generated version. This is how most configuration management systems work. Maybe we can watch the data and uses changes as triggers?
2. Watch is a bit racy when a template references multiple secrets and configmaps. It's really hard to prevent a partial config. One idea is to scale the konfd replicaset to 0 before making changing a bunch of secrets and configmaps, then scaling konfd back to 1 to trigger the processing of the templates to pick up the new values. The other option is to wait the "sync-interval", but you'll run the risk of partial configs or needing multiple runs to generate the complete config.
One possible solution to prevent 1 and 2 is to only reference one external configmap or secret for each template resource. I'm still testing these patterns in real life and will update the docs on which patterns work best for each situation. With that said, I think I'll still add a watch mode so others can test and provide feedback.
And secondly, I would love to see this kind of concept upgraded to a first-class citizen in kubernetes. Essentially, I think an equivalent of `/etc/environment` for your cluster would be a powerful way of generalizing app components. It would be great if just placing resources in your cluster allows them to pick up at least some of their required configuration, much like customizing `/etc/environment` does for *nix machines.
If you find the time can you elaborate on why you elected to use ConfigMaps for the templates too instead of building a 3rd party ressource ? This way you wouldn't have to use annotations and the definition might be a little more terse (or not)
Is there something about configmaps that make implementation easier ? or provides additional behavior wrt to pod lifecycle or something like that ?
Also, there are a few issues [1] with ThirdPartyResource objects including the lack of validation and inconsistencies when interacting with ThirdPartyResource objects through the Kubernetes API [2]. That's not to say ThirdPartyResource's should not be used, but it's not a decision take lightly.
Now, if konfd were to grow or add more features, then I think a ThirdPartyResource would be the way to go -- mainly because ConfigMaps require the use of "reserved" keys and annotations to configure behavior.
