Score:0

Key cache semantics in Kubernetes KMS Plugin

When Kubernetes is configured with a KMS plugin, independently from the cachesize value I'm setting and the cache warm-up I'm doing by reading out all existing Secrets in the cluster, the entire cluster admin access via kubectl depends entirely on the KMS availability and ceases in ~3 seconds (default value for timeout?) after I shut down the KMS plugin in my experiments.

Do you know what could have been done to reduce dependency and why the cache is not kicking in?

That seems to be part of the Kubernetes kube-apiserver implementation, not the KMS plugin itself.

Tried leaving the KMS plugin running but disabling the KMS keys with the same result: the kubectl access stops as soon as keys become unavailable and timeout is over.

Does that mean that the key (DEK) cache gets only hit while the timeout is not yet over?
