Creating Encrypted Volumes
NVMesh CSI Driver uses dmcrypt to create encrypted volumes.
The YAMLs for the following example are available at: dmcrypt examples on GitHub
Create a secret that will hold the key
The key field name must be dmcryptKey
apiVersion: v1
kind: Secret
metadata:
  name: dmcrypt-example-key
data:
  # echo "my-dm-crypt-key" | base64
  # (echo without -n appends a newline, which becomes part of the key;
  #  the same bytes must be supplied every time the volume is unlocked)
  dmcryptKey: bXktZG0tY3J5cHQta2V5Cg==
Create a StorageClass
Parameters explanation:
- encryption: dmcrypt – required, enables dm-crypt encryption for volumes of this class
- csi.storage.k8s.io/node-stage-secret-name: dmcrypt-example-key – required, the name of the k8s Secret object holding the key
- csi.storage.k8s.io/node-stage-secret-namespace: nvmesh-csi – required, the namespace of that Secret object
- dmcrypt/type: "luks2" – optional, changes the LUKS header type
- dmcrypt/cipher: "aes-xts-plain64" – optional, changes the cipher
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: encrypted-nvmesh-xfs
provisioner: nvmesh-csi.excelero.com
allowVolumeExpansion: true
volumeBindingMode: Immediate
parameters:
  vpg: DEFAULT_CONCATENATED_VPG
  csi.storage.k8s.io/fstype: xfs
  encryption: dmcrypt
  csi.storage.k8s.io/node-stage-secret-name: dmcrypt-example-key
  csi.storage.k8s.io/node-stage-secret-namespace: nvmesh-csi
  # optional parameters:
  dmcrypt/type: "luks2"
  dmcrypt/cipher: "aes-xts-plain64"
Create a PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-encrypted-xfs
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 10Gi
  storageClassName: encrypted-nvmesh-xfs
Create a Pod
apiVersion: v1
kind: Pod
metadata:
  name: pod-using-encrypted-volume
spec:
  containers:
    - name: centos7
      image: centos:7
      command:
        - /bin/bash
        - '-c'
        - '--'
      args:
        - "while true; do sleep 1 & wait $!; done;"
      volumeMounts:
        - name: vol1
          mountPath: /mnt/vol1
  volumes:
    - name: vol1
      persistentVolumeClaim:
        claimName: pvc-encrypted-xfs
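The Secret and StorageClass above only work together if the three required parameters point at a Secret that really exists, in the named namespace, with a dmcryptKey field. The following pre-flight check is an added example (not part of the NVMesh CSI driver or its documentation) that takes the two objects as Python dicts, in the shape `kubectl get -o json` returns, and reports the mismatches that most often stop a volume from unlocking; the dicts are constructed copies of the page's YAML.

```python
import base64

# Constructed dicts mirroring the page's Secret and StorageClass (the shape
# `kubectl get -o json` returns); example data, not the NVMesh CSI driver's code.
SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "dmcrypt-example-key", "namespace": "nvmesh-csi"},
    "data": {"dmcryptKey": "bXktZG0tY3J5cHQta2V5Cg=="},
}
STORAGE_CLASS = {
    "kind": "StorageClass", "apiVersion": "storage.k8s.io/v1",
    "metadata": {"name": "encrypted-nvmesh-xfs"},
    "provisioner": "nvmesh-csi.excelero.com",
    "parameters": {
        "encryption": "dmcrypt",
        "csi.storage.k8s.io/node-stage-secret-name": "dmcrypt-example-key",
        "csi.storage.k8s.io/node-stage-secret-namespace": "nvmesh-csi",
        "dmcrypt/type": "luks2",
        "dmcrypt/cipher": "aes-xts-plain64",
    },
}
NAME_PARAM = "csi.storage.k8s.io/node-stage-secret-name"
NS_PARAM = "csi.storage.k8s.io/node-stage-secret-namespace"


def check_dmcrypt_pair(sc, secret):
    """Return findings for a StorageClass/Secret pair; an empty list means consistent."""
    findings = []
    params = sc.get("parameters", {})
    meta = secret.get("metadata", {})
    if params.get("encryption") != "dmcrypt":
        findings.append("parameters.encryption must be 'dmcrypt'")
    # Both secret parameters are required and must match the Secret exactly; a
    # Secret applied without metadata.namespace lands in kubectl's current namespace.
    if not params.get(NAME_PARAM) or params[NAME_PARAM] != meta.get("name"):
        findings.append(f"{NAME_PARAM} must equal the Secret's metadata.name")
    if not params.get(NS_PARAM) or params[NS_PARAM] != meta.get("namespace"):
        findings.append(f"{NS_PARAM} must equal the namespace the Secret lives in")
    key_b64 = secret.get("data", {}).get("dmcryptKey")
    if key_b64 is None:
        return findings + ["Secret data must contain the field 'dmcryptKey'"]
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return findings + ["dmcryptKey is not valid base64"]
    # `echo "..." | base64` (without -n) bakes a trailing newline into the key;
    # a copy of the key produced without that newline will not unlock the volume.
    if key.endswith(b"\n"):
        findings.append("warning: dmcryptKey ends with a newline (echo without -n)")
    return findings
```

Run against the page's own objects the check passes except for the trailing-newline warning, which is expected because the key was generated with `echo` rather than `echo -n`.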