Update CSI installation instructions in versioned docs (#741)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-02-23 00:10:06 -05:00 · 2022-12-09 08:48:33 +01:00 · 2022-12-09 08:48:33 +01:00 · 7e50f871bf
commit 7e50f871bf
parent d356a40bc3
3 changed files with 117 additions and 222 deletions
--- a/docs/versioned_docs/version-2.0/workflows/storage.md
+++ b/docs/versioned_docs/version-2.0/workflows/storage.md
@ -48,66 +48,22 @@ The following installation guide gives an overview of how to securely use CSI-ba
 <tabs groupId="csp">
 <tabItem value="azure" label="Azure">
-1. Install the CSI driver:
+1. Install the driver:
  ```bash
  helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \
      --namespace kube-system \
      --set linux.distro=fedora \
      --set controller.replicas=1
  ```
 2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
    A storage class configures the driver responsible for provisioning storage for persistent volume claims.
    A storage class only needs to be created once and can then be used by multiple volumes.
    The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created.
    ```bash
-    cat <<EOF | kubectl apply -f -
+    git clone --branch v1.1.0 https://github.com/edgelesssys/constellation-azuredisk-csi-driver
-    apiVersion: storage.k8s.io/v1
+    cd constellation-azuredisk-csi-driver
-    kind: StorageClass
+    helm install azuredisk-csi-driver charts/edgeless --namespace kube-system
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: azuredisk.csi.confidential.cloud
    parameters:
      skuName: StandardSSD_LRS
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    ```
 </tabItem>
 <tabItem value="gcp" label="GCP">
-1. Install the CSI driver:
+1. Install the driver:
   ```bash
   kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest
   ```
 2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
    A storage class configures the driver responsible for provisioning storage for persistent volume claims.
    A storage class only needs to be created once and can then be used by multiple volumes.
    The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created.
    ```bash
-    cat <<EOF | kubectl apply -f -
+    git clone --branch v1.1.0 https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver
-    apiVersion: storage.k8s.io/v1
+    helm install gcp-compute-persistent-disk-csi-driver charts/ --namespace kube-system
    kind: StorageClass
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: gcp.csi.confidential.cloud
    parameters:
      type: pd-standard
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    ```
 </tabItem>
@ -115,15 +71,21 @@ The following installation guide gives an overview of how to securely use CSI-ba
 :::info
-By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks.
+The default storage class installed by the driver is set to `encrypted-rwo` for performance reasons.
 If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`.
 Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
 Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`.
 Note that volume expansion isn't supported for integrity-protected disks.
 :::
-3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
+2. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
    A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties.
    It can refer to a storage class.
-    The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class:
+    The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class:
    ```bash
    cat <<EOF | kubectl apply -f -
@ -135,14 +97,14 @@ By default, integrity protection is disabled for performance reasons. If you wan
    spec:
      accessModes:
      - ReadWriteOnce
-      storageClassName: encrypted-storage
+      storageClassName: encrypted-rwo
      resources:
        requests:
          storage: 20Gi
    EOF
    ```
-4. Create a Pod with persistent storage
+3. Create a Pod with persistent storage
    You can assign a persistent volume claim to an application in need of persistent storage.
    The mounted volume will persist restarts.
@ -170,8 +132,11 @@ By default, integrity protection is disabled for performance reasons. If you wan
    EOF
    ```
-### Set the default storage class
+### Change the default storage class
-The examples above are defined to be automatically set as the default storage class. The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`. In case you need to change the default, follow the steps below:
+
 The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`.
 The previous instructions create a storage class with encryption enabled and sets this as the default class.
 In case you wish to change it, follow the steps below:
 <tabs groupId="csp">
 <tabItem value="azure" label="Azure">
@ -185,9 +150,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                      PROVISIONER                       AGE
+      NAME                      PROVISIONER                        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage (default)    disk.csi.azure.com                1d
+      encrypted-rwo (default)   azuredisk.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage         azuredisk.csi.confidential.cloud  1d
+      integrity-encrypted-rwo   azuredisk.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
      The default storage class is marked by `(default)`.
@ -197,13 +162,13 @@ The examples above are defined to be automatically set as the default storage cl
      If you previously used another storage class as the default, you will have to remove that annotation:
      ```bash
-      kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+      kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
      ```
  3. Mark new class as the default
      ```bash
-      kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+      kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      ```
  4. Verify that your chosen storage class is default:
@ -215,9 +180,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                        PROVISIONER                       AGE
+      NAME                                PROVISIONER                        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage                disk.csi.azure.com                1d
+      encrypted-rwo                       azuredisk.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage (default) azuredisk.csi.confidential.cloud  1d
+      integrity-encrypted-rwo (default)   azuredisk.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
 </tabItem>
@ -232,9 +197,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                      PROVISIONER                 AGE
+      NAME                      PROVISIONER                  RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage (default)    pd.csi.storage.gke.io       1d
+      encrypted-rwo (default)   gcp.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage         gcp.csi.confidential.cloud  1d
+      integrity-encrypted-rwo   gcp.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
      The default storage class is marked by `(default)`.
@ -244,13 +209,13 @@ The examples above are defined to be automatically set as the default storage cl
      If you previously used another storage class as the default, you will have to remove that annotation:
      ```bash
-      kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+      kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
      ```
  3. Mark new class as the default
      ```bash
-      kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+      kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      ```
  4. Verify that your chosen storage class is default:
@ -262,9 +227,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                        PROVISIONER                 AGE
+      NAME                                PROVISIONER                  RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage                pd.csi.storage.gke.io       1d
+      encrypted-rwo                       gcp.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage (default) gcp.csi.confidential.cloud  1d
+      integrity-encrypted-rwo (default)   gcp.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
 </tabItem>
--- a/docs/versioned_docs/version-2.1/workflows/storage.md
+++ b/docs/versioned_docs/version-2.1/workflows/storage.md
@ -48,66 +48,22 @@ The following installation guide gives an overview of how to securely use CSI-ba
 <tabs groupId="csp">
 <tabItem value="azure" label="Azure">
-1. Install the CSI driver:
+1. Install the driver:
  ```bash
  helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \
      --namespace kube-system \
      --set linux.distro=fedora \
      --set controller.replicas=1
  ```
 2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
    A storage class configures the driver responsible for provisioning storage for persistent volume claims.
    A storage class only needs to be created once and can then be used by multiple volumes.
    The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created.
    ```bash
-    cat <<EOF | kubectl apply -f -
+    git clone --branch v1.1.0 https://github.com/edgelesssys/constellation-azuredisk-csi-driver
-    apiVersion: storage.k8s.io/v1
+    cd constellation-azuredisk-csi-driver
-    kind: StorageClass
+    helm install azuredisk-csi-driver charts/edgeless --namespace kube-system
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: azuredisk.csi.confidential.cloud
    parameters:
      skuName: StandardSSD_LRS
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    ```
 </tabItem>
 <tabItem value="gcp" label="GCP">
-1. Install the CSI driver:
+1. Install the driver:
   ```bash
   kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest
   ```
 2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
    A storage class configures the driver responsible for provisioning storage for persistent volume claims.
    A storage class only needs to be created once and can then be used by multiple volumes.
    The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created.
    ```bash
-    cat <<EOF | kubectl apply -f -
+    git clone --branch v1.1.0 https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver
-    apiVersion: storage.k8s.io/v1
+    helm install gcp-compute-persistent-disk-csi-driver charts/ --namespace kube-system
    kind: StorageClass
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: gcp.csi.confidential.cloud
    parameters:
      type: pd-standard
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    ```
 </tabItem>
@ -115,15 +71,21 @@ The following installation guide gives an overview of how to securely use CSI-ba
 :::info
-By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks.
+The default storage class installed by the driver is set to `encrypted-rwo` for performance reasons.
 If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`.
 Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
 Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`.
 Note that volume expansion isn't supported for integrity-protected disks.
 :::
-3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
+2. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
    A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties.
    It can refer to a storage class.
-    The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class:
+    The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class:
    ```bash
    cat <<EOF | kubectl apply -f -
@ -135,14 +97,14 @@ By default, integrity protection is disabled for performance reasons. If you wan
    spec:
      accessModes:
      - ReadWriteOnce
-      storageClassName: encrypted-storage
+      storageClassName: encrypted-rwo
      resources:
        requests:
          storage: 20Gi
    EOF
    ```
-4. Create a Pod with persistent storage
+3. Create a Pod with persistent storage
    You can assign a persistent volume claim to an application in need of persistent storage.
    The mounted volume will persist restarts.
@ -170,8 +132,11 @@ By default, integrity protection is disabled for performance reasons. If you wan
    EOF
    ```
-### Set the default storage class
+### Change the default storage class
-The examples above are defined to be automatically set as the default storage class. The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`. In case you need to change the default, follow the steps below:
+
 The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`.
 The previous instructions create a storage class with encryption enabled and sets this as the default class.
 In case you wish to change it, follow the steps below:
 <tabs groupId="csp">
 <tabItem value="azure" label="Azure">
@ -185,9 +150,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                      PROVISIONER                       AGE
+      NAME                      PROVISIONER                        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage (default)    disk.csi.azure.com                1d
+      encrypted-rwo (default)   azuredisk.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage         azuredisk.csi.confidential.cloud  1d
+      integrity-encrypted-rwo   azuredisk.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
      The default storage class is marked by `(default)`.
@ -197,13 +162,13 @@ The examples above are defined to be automatically set as the default storage cl
      If you previously used another storage class as the default, you will have to remove that annotation:
      ```bash
-      kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+      kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
      ```
  3. Mark new class as the default
      ```bash
-      kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+      kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      ```
  4. Verify that your chosen storage class is default:
@ -215,9 +180,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                        PROVISIONER                       AGE
+      NAME                                PROVISIONER                        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage                disk.csi.azure.com                1d
+      encrypted-rwo                       azuredisk.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage (default) azuredisk.csi.confidential.cloud  1d
+      integrity-encrypted-rwo (default)   azuredisk.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
 </tabItem>
@ -232,9 +197,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                      PROVISIONER                 AGE
+      NAME                      PROVISIONER                  RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage (default)    pd.csi.storage.gke.io       1d
+      encrypted-rwo (default)   gcp.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage         gcp.csi.confidential.cloud  1d
+      integrity-encrypted-rwo   gcp.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
      The default storage class is marked by `(default)`.
@ -244,13 +209,13 @@ The examples above are defined to be automatically set as the default storage cl
      If you previously used another storage class as the default, you will have to remove that annotation:
      ```bash
-      kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+      kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
      ```
  3. Mark new class as the default
      ```bash
-      kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+      kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      ```
  4. Verify that your chosen storage class is default:
@ -262,9 +227,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                        PROVISIONER                 AGE
+      NAME                                PROVISIONER                  RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage                pd.csi.storage.gke.io       1d
+      encrypted-rwo                       gcp.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage (default) gcp.csi.confidential.cloud  1d
+      integrity-encrypted-rwo (default)   gcp.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
 </tabItem>
--- a/docs/versioned_docs/version-2.2/workflows/storage.md
+++ b/docs/versioned_docs/version-2.2/workflows/storage.md
@ -59,66 +59,22 @@ The following installation guide gives an overview of how to securely use CSI-ba
 <tabs groupId="csp">
 <tabItem value="azure" label="Azure">
-1. Install the CSI driver:
+1. Install the driver:
  ```bash
  helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \
      --namespace kube-system \
      --set linux.distro=fedora \
      --set controller.replicas=1
  ```
 2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
    A storage class configures the driver responsible for provisioning storage for persistent volume claims.
    A storage class only needs to be created once and can then be used by multiple volumes.
    The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created.
    ```bash
-    cat <<EOF | kubectl apply -f -
+    git clone --branch v1.1.0 https://github.com/edgelesssys/constellation-azuredisk-csi-driver
-    apiVersion: storage.k8s.io/v1
+    cd constellation-azuredisk-csi-driver
-    kind: StorageClass
+    helm install azuredisk-csi-driver charts/edgeless --namespace kube-system
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: azuredisk.csi.confidential.cloud
    parameters:
      skuName: StandardSSD_LRS
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    ```
 </tabItem>
 <tabItem value="gcp" label="GCP">
-1. Install the CSI driver:
+1. Install the driver:
   ```bash
   kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest
   ```
 2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
    A storage class configures the driver responsible for provisioning storage for persistent volume claims.
    A storage class only needs to be created once and can then be used by multiple volumes.
    The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created.
    ```bash
-    cat <<EOF | kubectl apply -f -
+    git clone --branch v1.1.0 https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver
-    apiVersion: storage.k8s.io/v1
+    helm install gcp-compute-persistent-disk-csi-driver charts/ --namespace kube-system
    kind: StorageClass
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: gcp.csi.confidential.cloud
    parameters:
      type: pd-standard
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    ```
 </tabItem>
@ -137,15 +93,21 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern
 :::info
-By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks.
+The default storage class installed by the driver is set to `encrypted-rwo` for performance reasons.
 If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`.
 Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
 Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`.
 Note that volume expansion isn't supported for integrity-protected disks.
 :::
-3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
+2. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
    A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties.
    It can refer to a storage class.
-    The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class:
+    The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class:
    ```bash
    cat <<EOF | kubectl apply -f -
@ -157,14 +119,14 @@ By default, integrity protection is disabled for performance reasons. If you wan
    spec:
      accessModes:
      - ReadWriteOnce
-      storageClassName: encrypted-storage
+      storageClassName: encrypted-rwo
      resources:
        requests:
          storage: 20Gi
    EOF
    ```
-4. Create a Pod with persistent storage
+3. Create a Pod with persistent storage
    You can assign a persistent volume claim to an application in need of persistent storage.
    The mounted volume will persist restarts.
@ -192,8 +154,11 @@ By default, integrity protection is disabled for performance reasons. If you wan
    EOF
    ```
-### Set the default storage class
+### Change the default storage class
-The examples above are defined to be automatically set as the default storage class. The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`. In case you need to change the default, follow the steps below:
+
 The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`.
 The previous instructions create a storage class with encryption enabled and sets this as the default class.
 In case you wish to change it, follow the steps below:
 <tabs groupId="csp">
 <tabItem value="azure" label="Azure">
@ -207,9 +172,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                      PROVISIONER                       AGE
+      NAME                      PROVISIONER                        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage (default)    disk.csi.azure.com                1d
+      encrypted-rwo (default)   azuredisk.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage         azuredisk.csi.confidential.cloud  1d
+      integrity-encrypted-rwo   azuredisk.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
      The default storage class is marked by `(default)`.
@ -219,13 +184,13 @@ The examples above are defined to be automatically set as the default storage cl
      If you previously used another storage class as the default, you will have to remove that annotation:
      ```bash
-      kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+      kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
      ```
  3. Mark new class as the default
      ```bash
-      kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+      kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      ```
  4. Verify that your chosen storage class is default:
@ -237,9 +202,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                        PROVISIONER                       AGE
+      NAME                                PROVISIONER                        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage                disk.csi.azure.com                1d
+      encrypted-rwo                       azuredisk.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage (default) azuredisk.csi.confidential.cloud  1d
+      integrity-encrypted-rwo (default)   azuredisk.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
 </tabItem>
@ -254,9 +219,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                      PROVISIONER                 AGE
+      NAME                      PROVISIONER                  RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage (default)    pd.csi.storage.gke.io       1d
+      encrypted-rwo (default)   gcp.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage         gcp.csi.confidential.cloud  1d
+      integrity-encrypted-rwo   gcp.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
      The default storage class is marked by `(default)`.
@ -266,13 +231,13 @@ The examples above are defined to be automatically set as the default storage cl
      If you previously used another storage class as the default, you will have to remove that annotation:
      ```bash
-      kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+      kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
      ```
  3. Mark new class as the default
      ```bash
-      kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+      kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      ```
  4. Verify that your chosen storage class is default:
@ -284,9 +249,9 @@ The examples above are defined to be automatically set as the default storage cl
      The output is similar to this:
      ```shell-session
-      NAME                        PROVISIONER                 AGE
+      NAME                                PROVISIONER                  RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
-      some-storage                pd.csi.storage.gke.io       1d
+      encrypted-rwo                       gcp.csi.confidential.cloud   Delete          Immediate           true                   1d
-      encrypted-storage (default) gcp.csi.confidential.cloud  1d
+      integrity-encrypted-rwo (default)   gcp.csi.confidential.cloud   Delete          Immediate           false                  1d
      ```
 </tabItem>