AB#2615 Update docs to new CSI installation method (#606)

* Update docs to new CSI installation method

* Fix invalid volume expansion option

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Daniel Weiße 2022-11-22 09:36:08 +01:00 committed by GitHub
parent 0232c835ca
commit b915d03487
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 70 additions and 81 deletions


@ -8,7 +8,7 @@ parameters:
skuname: Premium_LRS
csi.storage.k8s.io/fstype: ext4-integrity
provisioner: azuredisk.csi.confidential.cloud
allowVolumeExpansion: true
allowVolumeExpansion: false
reclaimPolicy: Delete
volumeBindingMode: Immediate
{{- end }}
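Review bot: flipping `allowVolumeExpansion` to `false` is consistent with the docs hunk's statement that volume expansion isn't supported for integrity-protected disks, since this class sets `csi.storage.k8s.io/fstype: ext4-integrity`; consider a template comment next to the field stating that reason so a later edit doesn't flip it back. The same class definition appears in the next file with the identical change, so the two copies need to be kept in sync.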


@ -7,6 +7,6 @@ parameters:
skuname: Premium_LRS
csi.storage.k8s.io/fstype: ext4-integrity
provisioner: azuredisk.csi.confidential.cloud
allowVolumeExpansion: true
allowVolumeExpansion: false
reclaimPolicy: Delete
volumeBindingMode: Immediate
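Review bot: this is the second copy of the same `ext4-integrity` storage class with `allowVolumeExpansion` corrected to `false`; if both files must exist, a comment on the field or a single shared source for the two definitions would stop them from drifting apart again, as they evidently did before this fix.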


@ -6,7 +6,7 @@ allowing users to mount storage solutions directly into containers.
The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes.
Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage.
### Confidential storage
## Confidential storage
Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
Constellation supports the available CSI-based storage options for Kubernetes engines in Azure and GCP.
@ -54,72 +54,64 @@ Note that in case the options above aren't a suitable solution for you, Constell
## Installation
The following installation guide gives an overview of how to securely use CSI-based cloud storage for persistent volumes in Constellation.
The Constellation CLI will automatically install Constellation's CSI driver for the selected CSP in your cluster.
If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file.
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
1. Install the CSI driver:
Azure comes with two storage classes by default.
```bash
helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \
--namespace kube-system \
--set linux.distro=fedora \
--set controller.replicas=1
```
* `encrypted-rwo`
* Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds)
* ext-4 filesystem
* Encryption of all data written to disk
* `integrity-encrypted-rwo`
* Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds)
* ext-4 filesystem
* Encryption of all data written to disk
* Integrity protection of data written to disk
2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
For more info on encryption algorithms and key sizes, please refer to [cryptographic-algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
A storage class configures the driver responsible for provisioning storage for persistent volume claims.
A storage class only needs to be created once and can then be used by multiple volumes.
The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created.
:::info
```bash
cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: encrypted-storage
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: azuredisk.csi.confidential.cloud
parameters:
skuName: StandardSSD_LRS
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
EOF
```
The default storage class is set to `encrypted-rwo` for performance reasons.
If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`
Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
Or use another filesystem by specifying another file system type with the suffix `-integrity`.
For example `csi.storage.k8s.io/fstype: xfs-integrity`.
Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
<tabItem value="gcp" label="GCP">
1. Install the CSI driver:
GCP comes with two storage classes by default.
```bash
kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest
```
* `encrypted-rwo`
* Uses [standard persistent-disks](https://cloud.google.com/compute/docs/disks#pdspecs)
* ext-4 filesystem
* Encryption of all data written to disk
* `integrity-encrypted-rwo`
* Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs)
* ext-4 filesystem
* Encryption of all data written to disk
* Integrity protection of data written to disk
2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
For more info on encryption algorithms and key sizes, please refer to [cryptographic-algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
A storage class configures the driver responsible for provisioning storage for persistent volume claims.
A storage class only needs to be created once and can then be used by multiple volumes.
The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created.
:::info
```bash
cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: encrypted-storage
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: gcp.csi.confidential.cloud
parameters:
type: pd-standard
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
EOF
```
The default storage class is set to `encrypted-rwo` for performance reasons.
If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`
Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
Or use another filesystem by specifying another file system type with the suffix `-integrity`.
For example `csi.storage.k8s.io/fstype: xfs-integrity`.
Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
<tabItem value="aws" label="AWS">
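Review bot: the sentence on `deployCSIDriver: false` says it disables driver installation, but the steps that follow assume the `encrypted-rwo` and `integrity-encrypted-rwo` classes exist; state there that the two default storage classes are not created either in that case. Two smaller points in the Azure and GCP tab text: the sentence ending in `integrity-encrypted-rwo` is missing its full stop, and the filesystem is spelled `ext-4` in the bullet lists but `ext4-integrity` in the parameter value, so use `ext4` throughout. The two tab bodies are otherwise identical apart from the disk-type links, so a shared fragment would avoid maintaining the integrity and volume-expansion note twice.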
@ -135,17 +127,11 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern
</tabItem>
</tabs>
:::info
By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks.
:::
3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
1. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties.
It can refer to a storage class.
The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class:
The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class:
```bash
cat <<EOF | kubectl apply -f -
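Review bot: the removed `:::info` block sat outside the tabs, so its note on `ext4-integrity` and the lack of volume expansion applied to the AWS tab as well; after this change the note exists only inside the Azure and GCP tabs. Check whether the AWS tab also needs it, or whether the AWS driver has no integrity option, and say so there.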
@ -157,14 +143,14 @@ By default, integrity protection is disabled for performance reasons. If you wan
spec:
accessModes:
- ReadWriteOnce
storageClassName: encrypted-storage
storageClassName: encrypted-rwo
resources:
requests:
storage: 20Gi
EOF
```
4. Create a Pod with persistent storage
2. Create a Pod with persistent storage
You can assign a persistent volume claim to an application in need of persistent storage.
The mounted volume will persist restarts.
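Review bot: the claim requests `storage: 20Gi`, which is 20 GiB, while the sentence above says "20 GB"; align the prose with the manifest (for example "20 GiB") so the units match. The step renumbering to 1 and 2 is correct now that the install and storage-class steps are gone.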
@ -192,8 +178,11 @@ By default, integrity protection is disabled for performance reasons. If you wan
EOF
```
### Set the default storage class
The examples above are defined to be automatically set as the default storage class. The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`. In case you need to change the default, follow the steps below:
### Change the default storage class
The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`.
Constellation creates a storage class with encryption enabled and sets this as the default class.
In case you wish to change it, follow the steps below:
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
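Review bot: "Constellation creates a storage class with encryption enabled and sets this as the default class" doesn't name it, while the installation section above documents two classes and says `encrypted-rwo` is the default; name `encrypted-rwo` here so the reader knows which class the patch commands below remove the default annotation from.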
@ -207,9 +196,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this:
```shell-session
NAME PROVISIONER AGE
some-storage (default) disk.csi.azure.com 1d
encrypted-storage azuredisk.csi.confidential.cloud 1d
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate true 1d
integrity-encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate false 1d
```
The default storage class is marked by `(default)`.
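Review bot: the listing shows `VOLUMEBINDINGMODE Immediate` for both default classes, matching the templates in the first two files, whereas the removed example class used `WaitForFirstConsumer`; the docs don't mention that the shipped classes provision the disk at claim time rather than when the first Pod is scheduled, so consider noting the binding mode alongside the other class properties.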
@ -219,13 +208,13 @@ The examples above are defined to be automatically set as the default storage cl
If you previously used another storage class as the default, you will have to remove that annotation:
```bash
kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
```
3. Mark new class as the default
```bash
kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
```
4. Verify that your chosen storage class is default:
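Review bot: the sentence "If you previously used another storage class as the default" still describes removing the annotation from an arbitrary previous default, but the command now hardcodes `encrypted-rwo`; either keep the `<name-of-old-default>` placeholder or reword the sentence to say that `encrypted-rwo` is the default Constellation sets. Likewise, the hardcoded `integrity-encrypted-rwo` in step 3 is fine as an example as long as the text says it is one.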
@ -237,9 +226,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this:
```shell-session
NAME PROVISIONER AGE
some-storage disk.csi.azure.com 1d
encrypted-storage (default) azuredisk.csi.confidential.cloud 1d
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate true 1d
integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d
```
</tabItem>
@ -254,9 +243,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this:
```shell-session
NAME PROVISIONER AGE
some-storage (default) pd.csi.storage.gke.io 1d
encrypted-storage gcp.csi.confidential.cloud 1d
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate true 1d
integrity-encrypted-rwo gcp.csi.confidential.cloud Delete Immediate false 1d
```
The default storage class is marked by `(default)`.
@ -266,13 +255,13 @@ The examples above are defined to be automatically set as the default storage cl
If you previously used another storage class as the default, you will have to remove that annotation:
```bash
kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
```
3. Mark new class as the default
```bash
kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
```
4. Verify that your chosen storage class is default:
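Review bot: same mismatch as in the Azure tab: the text talks about another storage class you previously used as the default, but the command now patches `encrypted-rwo` specifically; reword the sentence or restore the `<name-of-old-default>` placeholder so the prose and the command agree.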
@ -284,9 +273,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this:
```shell-session
NAME PROVISIONER AGE
some-storage pd.csi.storage.gke.io 1d
encrypted-storage (default) gcp.csi.confidential.cloud 1d
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
encrypted-rwo gcp.csi.confidential.cloud Delete Immediate true 1d
integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d
```
</tabItem>