Explore the architecture and implementation of Storage Transformers in Kubernetes through this demo-heavy conference talk. Learn how to extend Kubernetes by leveraging storage transformers, which are invoked by the kube-apiserver before resources are written to or read from etcd. Discover appropriate scenarios for using storage transformers as an extensibility point, including encrypting secrets at rest. Follow along as the speaker demonstrates the step-by-step process of implementing a transformer interface, creating YAML config structures, and configuring KMS encryption. Gain insights into re-using envelope transformers, adding configurable DEK types to KMS plugins, and choosing the right KMS provider for your needs.
Extending Kubernetes with Storage Transformers
Overview
Syllabus
Intro
Extensibility at the RPC layer
Motivating Problem - Encrypting Secrets at Rest
Implement Transformer Interface
Step #2: Create your YAML config structure
Add your type to ProviderConfiguration
Prefix Transformer
Define your prefix
Add Init logic for your transformer
Re-using Envelope Transformer
KMS encryption configuration
add configurable DEK type to KMS plugin
teach KMS plugin about your new DEK type
choose your KMS provider and plugin
Summary
Taught by
Linux Foundation
