blog post in post quantum crypto in k8s

[datosh]

Hey 👋
I recently spend some time researching the current state of post quantum cryptography in the cloud native industry.
For some topics I found little to no information especially in the Kubernetes ecosystem, so I thought I share my findings with the community!

Discussion on Slack:

• https://kubernetes.slack.com/archives/C01D8R7ACQ2/p1747748686302619
• https://kubernetes.slack.com/archives/C019LFTGNQ3/p1747767111486819

Happy for any comments or suggestions on the post.

/cc @lmktfy

[k8s-ci-robot]

Welcome @datosh!

It looks like this is your first PR to kubernetes/contributor-site 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/contributor-site has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[jberkus]

Composition/writing check. No real grammar/punctuation editing needed. However, one suggestion on article flow, and one link needs to be replaced.

The rest of the links all look OK.

Note that I have no expertise in the cryptography details covered by the article.

[datosh]

Thank you, for taking the time to review this @jberkus
I have resolved / replied to all comments.

[lmktfy]

@kubernetes/sig-security-pr-reviews is this article OK to publish (in terms of cryptography / infosec message)?

[lmktfy]

We should be able to get eyes on this next week.

[smarticu5]

/LGTM. I don't have super in-depth crypto knowledge, but like the post and learned from the content. Nice work @datosh

[jberkus]

@EthanHeilman is the general info in this post up-to-date in terms of the cryptography?

[datosh]

Pushed 53a7858

Based on some feedback from @EthanHeilman: "While true for some PQ algorithms, ML-DSA, FN-DSA have roughly comparable signing performance as EC-DSA and even outperforms EC-DSA at NIST level I. See https://pqshield.github.io/nist-sigs-zoo/ They are about 2-5x slower in signing."

[EthanHeilman]

@jberkus After the most recent commit it looks good to me

[lmktfy]

OK, this is ready for more reviews (I won't, as @datosh is a colleague)

[bwesterb]

Nice blog.

[bwesterb]

X25519Kyber768Draft00 was to kick the tires: I don't think we can expect Go to carry around a preliminary version. Given the short release cycles of Go, soon enough every Go version will support X25519MLKEM768.

There is a more serious pitfall: if you compile with Go 1.24, but use go 1.20 in go.mod you still won't get X25519MLKEM768.

[datosh]

I don't think we can expect Go to carry around a preliminary version.

Do you think I should reword this section, @bwesterb? I did not intend to put blame on the Go team. I think the approach chosen worked very well!

This section was intended to highlight that the details of the chosen parameters and Go versions are important to get right, if you are an early adopter.

[lmktfy]

@kubernetes/sig-contributor-experience-pr-reviews, PTAL

[graz-dev]

This is a high-quality piece of writing.
I'm not an expert of the field but it looks great and very informative!

[datosh]

@mfahlandt @palnabarun could you take a look at this so we can merge this as a draft and schedule for release?
This was already merged to main blog (see activity above).

This was already reviewed from a technical perspective from several people. Also @lmktfy gave his informal 👍, but since we work at the same company we would like to get an 'independent' approval on this.

[jberkus]

Since this is marked as draft, we can merge until we're ready to publish.

/lgtm

[avni-mahajan]

Hi @datosh :)
This is a great blog, really well structured!
I just had a small suggestion. The audience might already be familiar with TLS, but it could be helpful to spell it out the first time it's mentioned, just for clarity and consistency :)

[lmktfy]

Given #582 (comment)

/approve

[lmktfy]

How about this?

[lmktfy]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: datosh, lmktfy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [lmktfy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment