Extension request: KMS v2


Mo Khan

Jul 17, 2023, 3:46:20 PM
to releas...@kubernetes.io, kubernetes-...@googlegroups.com, kubernete...@googlegroups.com
  • Enhancement name: KMS v2
  • Enhancement status (alpha/beta/stable): beta
  • SIG: auth
  • k/enhancements repo issue #: https://kep.k8s.io/3299
  • PR #’s: https://github.com/kubernetes/kubernetes/pull/118828 (this PR encompasses the entire change and all of its tests – we just need extra time for the review to be completed and requested changes to be made)
  • Additional time needed (in days): 5
  • Reason this enhancement is critical for this milestone: It fixes the cryptographic limitations of the existing KMS v2 functionality which is already beta, see https://hackmd.io/@enj/SyiXCABZn for a description of the change and https://words.filippo.io/dispatches/xaes-256-gcm-11 for a primer on the problem space.  See the “Caution” section in the https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-v2 docs for how this limitation partially surfaces to users.
  • Risks from adding code late: small, the change is scoped behind a new beta KMSv2KDF feature gate that is disabled by default (in addition to the beta KMSv2 feature gate which is enabled by default).  Unit and integration tests cover the enablement / disablement of the new feature gate as well as the upgrade/downgrade scenarios.
  • Risks from cutting enhancement: This change is a hard requirement for KMS v2 to GA (as we cannot GA it with the existing cryptographic limitations) and requires at least two releases to roll out because it changes how encrypted data is stored on disk (the extra release is required so that users can downgrade from v1.28 to v1.27 while using KMS v2 which is already beta).

Grace Nguyen

Jul 18, 2023, 8:44:27 PM
to release-team, Mo Khan, kubernetes-...@googlegroups.com, kubernete...@googlegroups.com
Hi all, 

Following Slack discussion, this exception request has been APPROVED to be due on Monday, July 24th at 17:00 PDT.
Please reach out in #sig-release if you have any questions.

Best,
Grace Nguyen
1.28 Release Lead

