When you create a
PersistentVolumeClaim object, OKD provisions a new persistent volume (PV) and creates a
PersistentVolume object. You can add a custom encryption key in Google Cloud Platform (GCP) to protect a PV in your cluster by encrypting the newly created PV.
For encryption, the newly attached PV that you create uses customer-managed encryption keys (CMEK) on a cluster by using a new or existing Google Cloud Key Management Service (KMS) key.
To create a custom-encrypted PV, complete the following steps:
Create a storage class with the Cloud KMS key. The following example enables dynamic provisioning of encrypted volumes:
disk-encryption-kms-key: projects/<key-project-id>/locations/<location>/keyRings/<key-ring>/cryptoKeys/<key> (1)
You cannot add the
disk-encryption-kms-key parameter to an existing storage class. However, you can delete the storage class and recreate it with the same name and a different set of parameters. If you do this, the provisioner of the existing class must be
Deploy the storage class on your OKD cluster using the
$ oc describe storageclass csi-gce-pd-cmek
Create a file named
pvc.yaml that matches the name of your storage class object that you created in the previous step:
If you marked the new storage class as default, you can omit the
Apply the PVC on your cluster:
Get the status of your PVC and verify that it is created and bound to a newly provisioned PV:
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
podpvc Bound pvc-e36abf50-84f3-11e8-8538-42010a800002 10Gi RWO csi-gce-pd-cmek 9s
If your storage class has the
volumeBindingMode field set to
WaitForFirstConsumer, you must create a pod to use the PVC before you can verify it.
Your CMEK-protected PV is now ready to use with your OKD cluster.