When you create a PersistentVolumeClaim object, OKD provisions a new persistent volume (PV) and creates a PersistentVolume object. On Google Cloud Platform (GCP), you can protect a PV in your cluster by encrypting the newly created PV with a custom encryption key.
For encryption, the newly attached PV that you create uses customer-managed encryption keys (CMEK) on the cluster, backed by a new or existing Google Cloud Key Management Service (KMS) key. The key is referenced from the storage class, so every PV dynamically provisioned from that class is encrypted with it.
Procedure
To create a custom-encrypted PV, complete the following steps:
1. Create a storage class with the Cloud KMS key. The following example enables dynamic provisioning of encrypted volumes:

   apiVersion: storage.k8s.io/v1
   kind: StorageClass
   metadata:
     name: csi-gce-pd-cmek
   provisioner: pd.csi.storage.gke.io
   volumeBindingMode: "WaitForFirstConsumer"
   allowVolumeExpansion: true
   parameters:
     type: pd-standard
     disk-encryption-kms-key: projects/<key-project-id>/locations/<location>/keyRings/<key-ring>/cryptoKeys/<key>

   Note: You cannot add the disk-encryption-kms-key parameter to an existing storage class. However, you can delete the storage class and recreate it with the same name and a different set of parameters. If you do this, the provisioner of the existing class must be pd.csi.storage.gke.io.
2. Deploy the storage class on your OKD cluster, then confirm with the oc command that it exists and carries the disk-encryption-kms-key parameter:

   $ oc describe storageclass csi-gce-pd-cmek

   Example output

   Name:                  csi-gce-pd-cmek
   IsDefaultClass:        No
   Annotations:           None
   Provisioner:           pd.csi.storage.gke.io
   Parameters:            disk-encryption-kms-key=projects/key-project-id/locations/location/keyRings/ring-name/cryptoKeys/key-name,type=pd-standard
   AllowVolumeExpansion:  true
   MountOptions:          none
   ReclaimPolicy:         Delete
   VolumeBindingMode:     WaitForFirstConsumer
   Events:                none
3. Create a file named pvc.yaml whose storageClassName matches the name of the storage class object that you created in the previous step:

   kind: PersistentVolumeClaim
   apiVersion: v1
   metadata:
     name: podpvc
   spec:
     accessModes:
     - ReadWriteOnce
     storageClassName: csi-gce-pd-cmek
     resources:
       requests:
         storage: 6Gi

   Note: If you marked the new storage class as default, you can omit the storageClassName field.
4. Apply the PVC on your cluster:

   $ oc create -f pvc.yaml

5. Get the status of your PVC and verify that it is created and bound to a newly provisioned PV:

   $ oc get pvc

   Example output

   NAME     STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS      AGE
   podpvc   Bound    pvc-e36abf50-84f3-11e8-8538-42010a800002   10Gi       RWO            csi-gce-pd-cmek   9s

   Note: If your storage class has the volumeBindingMode field set to WaitForFirstConsumer, you must create a pod to use the PVC before you can verify it.
Your CMEK-protected PV is now ready to use with your OKD cluster.
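The following shell script is an added example and is not part of the OKD documentation or the project's code. It builds the disk-encryption-kms-key value from its components, validates its shape before rendering the storage class manifest from this page, checks oc describe output for the expected key and provisioner, and shows how to confirm at the Compute Engine level that the disk backing a provisioned PV is actually encrypted with that key. The describe output, volume handle, project, ring and key names are constructed samples; the oc and gcloud invocations are shown in comments rather than executed, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not OKD project code): helpers to build the CMEK StorageClass
# from this page and to verify that a provisioned PV really uses the expected
# Cloud KMS key. All names and outputs below are constructed samples.
set -eu

# Build the Cloud KMS key resource name expected by disk-encryption-kms-key.
kms_key_resource() {  # project location keyring key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Return 0 only if the value has the exact shape the pd.csi.storage.gke.io
# provisioner expects; a malformed value is only noticed when PVCs fail later.
validate_kms_key_resource() {
  printf '%s' "$1" | grep -Eq '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Render the StorageClass manifest shown on the page, parameterised by key.
# Apply it with:  render_storageclass csi-gce-pd-cmek "$KEY" | oc create -f -
render_storageclass() {  # name kms_key
  validate_kms_key_resource "$2" || { echo "bad KMS key resource: $2" >&2; return 1; }
  cat <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: $1
provisioner: pd.csi.storage.gke.io
volumeBindingMode: "WaitForFirstConsumer"
allowVolumeExpansion: true
parameters:
  type: pd-standard
  disk-encryption-kms-key: $2
EOF
}

# Parse 'oc describe storageclass' output: both the provisioner and the
# disk-encryption-kms-key parameter must match, otherwise new PVs are not CMEK.
check_storageclass() {  # describe_output expected_key
  local provisioner params actual
  provisioner=$(printf '%s\n' "$1" | awk '/^Provisioner:/{print $2}')
  params=$(printf '%s\n' "$1" | awk '/^Parameters:/{print $2}')
  actual=$(printf '%s\n' "$params" | tr ',' '\n' | sed -n 's/^disk-encryption-kms-key=//p')
  [ "$provisioner" = "pd.csi.storage.gke.io" ] && [ "$actual" = "$2" ]
}

# A PV provisioned by the GCE PD CSI driver names its disk in
# spec.csi.volumeHandle as projects/<p>/zones/<z>/disks/<d> (or regions/<r>
# for regional disks). Read it with:
#   oc get pv "$PV" -o jsonpath='{.spec.csi.volumeHandle}'
# and turn it into the gcloud command that reports the disk's KMS key.
gcloud_disk_key_cmd() {  # volume_handle
  local p scope loc d flag
  p=$(printf '%s' "$1" | cut -d/ -f2)
  scope=$(printf '%s' "$1" | cut -d/ -f3)
  loc=$(printf '%s' "$1" | cut -d/ -f4)
  d=$(printf '%s' "$1" | cut -d/ -f6)
  case "$scope" in
    zones)   flag=--zone ;;
    regions) flag=--region ;;
    *) echo "unexpected volumeHandle: $1" >&2; return 1 ;;
  esac
  printf "gcloud compute disks describe %s --project %s %s %s --format='value(diskEncryptionKey.kmsKeyName)'" \
    "$d" "$p" "$flag" "$loc"
}

# Compute Engine reports the key with a /cryptoKeyVersions/N suffix appended;
# compare against the storage class value with that suffix removed.
key_matches() {  # reported_key expected_key
  [ "$(printf '%s' "$1" | sed -E 's#/cryptoKeyVersions/[0-9]+$##')" = "$2" ]
}

# ---- constructed sample data (not real cluster output) ----
KEY=$(kms_key_resource key-project-id location ring-name key-name)
DESCRIBE_OUT='Name:                  csi-gce-pd-cmek
IsDefaultClass:        No
Provisioner:           pd.csi.storage.gke.io
Parameters:            disk-encryption-kms-key=projects/key-project-id/locations/location/keyRings/ring-name/cryptoKeys/key-name,type=pd-standard
VolumeBindingMode:     WaitForFirstConsumer'
VOLUME_HANDLE='projects/key-project-id/zones/us-central1-a/disks/pvc-e36abf50-84f3-11e8-8538-42010a800002'

render_storageclass csi-gce-pd-cmek "$KEY"
check_storageclass "$DESCRIBE_OUT" "$KEY" && echo "storage class uses the expected key"
echo "verify the disk with: $(gcloud_disk_key_cmd "$VOLUME_HANDLE")"
key_matches "$KEY/cryptoKeyVersions/3" "$KEY" && echo "disk key matches the storage class"
```

The disk-level check is the one that matters for assurance: the storage class only declares intent, while diskEncryptionKey.kmsKeyName on the Compute Engine disk shows what was actually used. Running that gcloud command for each PV of the class (and alerting when the key is empty or belongs to a different key ring) is a cheap way to catch a class that was recreated without the parameter.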