From a587558df9e7772b0b89592b6cac0ca8c6f2dce2 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Fri, 30 Jun 2023 09:06:52 +0200 Subject: [PATCH] docs: document aws encrypted storage (#1974) * document AWS encrypted storage * dont use block express disks * Update docs/docs/workflows/storage.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/storage.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/storage.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/storage.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> --------- Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> --- docs/docs/workflows/storage.md | 172 ++++++++++++--------------------- 1 file changed, 61 insertions(+), 111 deletions(-) diff --git a/docs/docs/workflows/storage.md b/docs/docs/workflows/storage.md index d0e5b188f..9e3d96346 100644 --- a/docs/docs/workflows/storage.md +++ b/docs/docs/workflows/storage.md 
@@ -9,11 +9,11 @@ Cloud service providers (CSPs) offer their own CSI-based solutions for cloud sto ## Confidential storage Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in Azure and GCP. +Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, and GCP. However, their encryption takes place in the storage backend and is managed by the CSP. Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. -To address this, Constellation provides CSI drivers for Azure Disk and GCE PD, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. +To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, and GCE PD, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). 
@@ -25,32 +25,28 @@ Constellation supports the following drivers, which offer node-level encryption **Constellation CSI driver for Azure Disk**: -Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. Since Azure Disks are mounted as ReadWriteOnce, they're only available to a single pod. +Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. +See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. +Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod. **Constellation CSI driver for GCP Persistent Disk**: Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster. -This includes support for [volume snapshots](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/volume-snapshots), which let you create copies of your volume at a specific point in time. -You can use them to bring a volume back to a prior state or provision new volumes. -Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for information about the configuration. +Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information. -:::caution - -Confidential storage isn't yet implemented for AWS. 
If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)! - -You may use other (non-confidential) CSI drivers that are compatible with Kubernetes on AWS. - -::: +**Constellation CSI driver for AWS Elastic Block Store** +Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. +Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. -Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction) or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. Constellation is just not providing transparent encryption on the node level for these storage types yet. +Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. Constellation is just not providing transparent encryption on the node level for these storage types yet. ## Installation 
@@ -118,11 +114,29 @@ Note that volume expansion isn't supported for integrity-protected disks. -:::caution +AWS comes with two storage classes by default. -Confidential storage isn't yet implemented for AWS. If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)! +* `encrypted-rwo` + * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) + * ext-4 filesystem + * Encryption of all data written to disk +* `integrity-encrypted-rwo` + * Uses [SSDs of `gp3` type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) + * ext-4 filesystem + * Encryption of all data written to disk + * Integrity protection of data written to disk -You may use other (non-confidential) CSI drivers that are compatible with Kubernetes on AWS. +For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). + +:::info + +The default storage class is set to `encrypted-rwo` for performance reasons. +If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. + +Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. +Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. + +Note that volume expansion isn't supported for integrity-protected disks. ::: 
@@ -186,110 +200,46 @@ The default storage class is responsible for all persistent volume claims that d Constellation creates a storage class with encryption enabled and sets this as the default class. In case you wish to change it, follow the steps below: - - +1. List the storage classes in your cluster: - 1. List the storage classes in your cluster: + ```bash + kubectl get storageclass + ``` - ```bash - kubectl get storageclass - ``` + The output is similar to this: - The output is similar to this: + ```shell-session + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo (default) {your-csp}.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo {your-csp}.csi.confidential.cloud Delete Immediate false 1d + ``` - ```shell-session - NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE - encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate true 1d - integrity-encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate false 1d - ``` + The default storage class is marked by `(default)`. - The default storage class is marked by `(default)`. +2. Mark old default storage class as non default - 2. Mark old default storage class as non default + If you previously used another storage class as the default, you will have to remove that annotation: - If you previously used another storage class as the default, you will have to remove that annotation: + ```bash + kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + ``` - ```bash - kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' - ``` +3. Mark new class as the default - 3. 
Mark new class as the default + ```bash + kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + ``` - ```bash - kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' - ``` +4. Verify that your chosen storage class is default: - 4. Verify that your chosen storage class is default: + ```bash + kubectl get storageclass + ``` - ```bash - kubectl get storageclass - ``` + The output is similar to this: - The output is similar to this: - - ```shell-session - NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE - encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate true 1d - integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d - ``` - - - - - 1. List the storage classes in your cluster: - - ```bash - kubectl get storageclass - ``` - - The output is similar to this: - - ```shell-session - NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE - encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate true 1d - integrity-encrypted-rwo gcp.csi.confidential.cloud Delete Immediate false 1d - ``` - - The default storage class is marked by `(default)`. - - 2. Mark old default storage class as non default - - If you previously used another storage class as the default, you will have to remove that annotation: - - ```bash - kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' - ``` - - 3. Mark new class as the default - - ```bash - kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' - ``` - - 4. 
Verify that your chosen storage class is default: - - ```bash - kubectl get storageclass - ``` - - The output is similar to this: - - ```shell-session - NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE - encrypted-rwo gcp.csi.confidential.cloud Delete Immediate true 1d - integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d - ``` - - - - -:::caution - -Confidential storage isn't yet implemented for AWS. If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)! - -You may use other (non-confidential) CSI drivers that are compatible with Kubernetes on AWS. - -::: - - - + ```shell-session + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo {your-csp}.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo (default) {your-csp}.csi.confidential.cloud Delete Immediate false 1d + ```
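Review bot: In the hunk at `@@ -25,32 +25,28 @@`, the removed lines about GCP volume snapshots (`This includes support for [volume snapshots]...` and `You can use them to bring a volume back to a prior state or provision new volumes.`) are unrelated to documenting AWS storage; if snapshot support was intentionally dropped from the docs, say so in the commit message, otherwise restore the paragraph or move the removal to its own commit. Two smaller points in the same hunk: the new heading `**Constellation CSI driver for AWS Elastic Block Store**` is missing the trailing colon that the Azure and GCP headings carry, and the EFS link `https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html` contains a locale segment `en_en` that should be checked against the canonical URL before merge. Since the closing sentence states that node-level encryption isn't provided for EFS, Azure Files, or Filestore, it would help readers to spell out that data on those volumes is protected only by CSP-managed encryption, which is the trust assumption the section opens by warning about.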
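Review bot: In the hunk at `@@ -118,11 +114,29 @@`, the bullets read `ext-4 filesystem` but the filesystem is `ext4` (as the `csi.storage.k8s.io/fstype: ext4-integrity` parameter further down spells it); fix both occurrences. The bullet list and the `:::info` block repeat the wording of the preceding CSP sections (the hunk's leading context line is the same `Note that volume expansion isn't supported for integrity-protected disks.` sentence that closes the previous section), so consider factoring the shared admonition out rather than maintaining three copies that can drift apart. It would also be worth one sentence next to `The default storage class is set to encrypted-rwo for performance reasons` stating the trade-off: with `encrypted-rwo` the data is confidential, but modification of the stored data by the storage backend is not detected, which is precisely what the `Integrity protection of data written to disk` bullet of `integrity-encrypted-rwo` adds.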
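Review bot: In the hunk at `@@ -186,110 +200,46 @@`, the merged `shell-session` output uses the placeholder `{your-csp}.csi.confidential.cloud` in the PROVISIONER column, whereas the removed Azure and GCP blocks showed the concrete values `azuredisk.csi.confidential.cloud` and `gcp.csi.confidential.cloud`; readers compare this table against real `kubectl get storageclass` output, so either list the per-CSP provisioner names below the block (including the AWS one this PR introduces) or keep concrete examples. Step 2 (`Mark old default storage class as non default`) tells the reader to remove the annotation from the class they previously used as default, but the command patches `encrypted-rwo`, the Constellation default; reword the step to match the command or make the class name a placeholder. Minor: steps 2 and 3 lack the trailing colon that steps 1 and 4 have, and `non default` should be `non-default`.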