mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
AB#2615 Update docs to new CSI installation method (#606)
* Update docs to new CSI installation method * Fix invalid volume expansion option Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
This commit is contained in:
parent
0232c835ca
commit
b915d03487
@ -8,7 +8,7 @@ parameters:
|
||||
skuname: Premium_LRS
|
||||
csi.storage.k8s.io/fstype: ext4-integrity
|
||||
provisioner: azuredisk.csi.confidential.cloud
|
||||
allowVolumeExpansion: true
|
||||
allowVolumeExpansion: false
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: Immediate
|
||||
{{- end }}
|
||||
|
@ -7,6 +7,6 @@ parameters:
|
||||
skuname: Premium_LRS
|
||||
csi.storage.k8s.io/fstype: ext4-integrity
|
||||
provisioner: azuredisk.csi.confidential.cloud
|
||||
allowVolumeExpansion: true
|
||||
allowVolumeExpansion: false
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: Immediate
|
||||
|
@ -6,7 +6,7 @@ allowing users to mount storage solutions directly into containers.
|
||||
The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes.
|
||||
Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage.
|
||||
|
||||
### Confidential storage
|
||||
## Confidential storage
|
||||
|
||||
Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
|
||||
Constellation supports the available CSI-based storage options for Kubernetes engines in Azure and GCP.
|
||||
@ -54,72 +54,64 @@ Note that in case the options above aren't a suitable solution for you, Constell
|
||||
|
||||
## Installation
|
||||
|
||||
The following installation guide gives an overview of how to securely use CSI-based cloud storage for persistent volumes in Constellation.
|
||||
The Constellation CLI will automatically install Constellation's CSI driver for the selected CSP in your cluster.
|
||||
If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
|
||||
1. Install the CSI driver:
|
||||
Azure comes with two storage classes by default.
|
||||
|
||||
```bash
|
||||
helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \
|
||||
--namespace kube-system \
|
||||
--set linux.distro=fedora \
|
||||
--set controller.replicas=1
|
||||
```
|
||||
* `encrypted-rwo`
|
||||
* Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds)
|
||||
* ext-4 filesystem
|
||||
* Encryption of all data written to disk
|
||||
* `integrity-encrypted-rwo`
|
||||
* Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds)
|
||||
* ext-4 filesystem
|
||||
* Encryption of all data written to disk
|
||||
* Integrity protection of data written to disk
|
||||
|
||||
2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
|
||||
For more info on encryption algorithms and key sizes, please refer to [cryptographic-algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
|
||||
|
||||
A storage class configures the driver responsible for provisioning storage for persistent volume claims.
|
||||
A storage class only needs to be created once and can then be used by multiple volumes.
|
||||
The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created.
|
||||
:::info
|
||||
|
||||
```bash
|
||||
cat <<EOF | kubectl apply -f -
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
name: encrypted-storage
|
||||
annotations:
|
||||
storageclass.kubernetes.io/is-default-class: "true"
|
||||
provisioner: azuredisk.csi.confidential.cloud
|
||||
parameters:
|
||||
skuName: StandardSSD_LRS
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: WaitForFirstConsumer
|
||||
EOF
|
||||
```
|
||||
The default storage class is set to `encrypted-rwo` for performance reasons.
|
||||
If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`
|
||||
Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
|
||||
Or use another filesystem by specifying another file system type with the suffix `-integrity`.
|
||||
For example `csi.storage.k8s.io/fstype: xfs-integrity`.
|
||||
Note that volume expansion isn't supported for integrity-protected disks.
|
||||
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
1. Install the CSI driver:
|
||||
GCP comes with two storage classes by default.
|
||||
|
||||
```bash
|
||||
kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest
|
||||
```
|
||||
* `encrypted-rwo`
|
||||
* Uses [standard persistent-disks](https://cloud.google.com/compute/docs/disks#pdspecs)
|
||||
* ext-4 filesystem
|
||||
* Encryption of all data written to disk
|
||||
* `integrity-encrypted-rwo`
|
||||
* Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs)
|
||||
* ext-4 filesystem
|
||||
* Encryption of all data written to disk
|
||||
* Integrity protection of data written to disk
|
||||
|
||||
2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver
|
||||
For more info on encryption algorithms and key sizes, please refer to [cryptographic-algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
|
||||
|
||||
A storage class configures the driver responsible for provisioning storage for persistent volume claims.
|
||||
A storage class only needs to be created once and can then be used by multiple volumes.
|
||||
The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created.
|
||||
:::info
|
||||
|
||||
```bash
|
||||
cat <<EOF | kubectl apply -f -
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
name: encrypted-storage
|
||||
annotations:
|
||||
storageclass.kubernetes.io/is-default-class: "true"
|
||||
provisioner: gcp.csi.confidential.cloud
|
||||
parameters:
|
||||
type: pd-standard
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: WaitForFirstConsumer
|
||||
EOF
|
||||
```
|
||||
The default storage class is set to `encrypted-rwo` for performance reasons.
|
||||
If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`
|
||||
Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
|
||||
Or use another filesystem by specifying another file system type with the suffix `-integrity`.
|
||||
For example `csi.storage.k8s.io/fstype: xfs-integrity`.
|
||||
Note that volume expansion isn't supported for integrity-protected disks.
|
||||
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
@ -135,17 +127,11 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern
|
||||
</tabItem>
|
||||
</tabs>
|
||||
|
||||
:::info
|
||||
|
||||
By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks.
|
||||
|
||||
:::
|
||||
|
||||
3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
|
||||
1. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
|
||||
|
||||
A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties.
|
||||
It can refer to a storage class.
|
||||
The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class:
|
||||
The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class:
|
||||
|
||||
```bash
|
||||
cat <<EOF | kubectl apply -f -
|
||||
@ -157,14 +143,14 @@ By default, integrity protection is disabled for performance reasons. If you wan
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: encrypted-storage
|
||||
storageClassName: encrypted-rwo
|
||||
resources:
|
||||
requests:
|
||||
storage: 20Gi
|
||||
EOF
|
||||
```
|
||||
|
||||
4. Create a Pod with persistent storage
|
||||
2. Create a Pod with persistent storage
|
||||
|
||||
You can assign a persistent volume claim to an application in need of persistent storage.
|
||||
The mounted volume will persist restarts.
|
||||
@ -192,8 +178,11 @@ By default, integrity protection is disabled for performance reasons. If you wan
|
||||
EOF
|
||||
```
|
||||
|
||||
### Set the default storage class
|
||||
The examples above are defined to be automatically set as the default storage class. The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`. In case you need to change the default, follow the steps below:
|
||||
### Change the default storage class
|
||||
|
||||
The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`.
|
||||
Constellation creates a storage class with encryption enabled and sets this as the default class.
|
||||
In case you wish to change it, follow the steps below:
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
@ -207,9 +196,9 @@ The examples above are defined to be automatically set as the default storage cl
|
||||
The output is similar to this:
|
||||
|
||||
```shell-session
|
||||
NAME PROVISIONER AGE
|
||||
some-storage (default) disk.csi.azure.com 1d
|
||||
encrypted-storage azuredisk.csi.confidential.cloud 1d
|
||||
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
|
||||
encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate true 1d
|
||||
integrity-encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate false 1d
|
||||
```
|
||||
|
||||
The default storage class is marked by `(default)`.
|
||||
@ -219,13 +208,13 @@ The examples above are defined to be automatically set as the default storage cl
|
||||
If you previously used another storage class as the default, you will have to remove that annotation:
|
||||
|
||||
```bash
|
||||
kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
|
||||
kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
|
||||
```
|
||||
|
||||
3. Mark new class as the default
|
||||
|
||||
```bash
|
||||
kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
|
||||
kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
|
||||
```
|
||||
|
||||
4. Verify that your chosen storage class is default:
|
||||
@ -237,9 +226,9 @@ The examples above are defined to be automatically set as the default storage cl
|
||||
The output is similar to this:
|
||||
|
||||
```shell-session
|
||||
NAME PROVISIONER AGE
|
||||
some-storage disk.csi.azure.com 1d
|
||||
encrypted-storage (default) azuredisk.csi.confidential.cloud 1d
|
||||
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
|
||||
encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate true 1d
|
||||
integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
@ -254,9 +243,9 @@ The examples above are defined to be automatically set as the default storage cl
|
||||
The output is similar to this:
|
||||
|
||||
```shell-session
|
||||
NAME PROVISIONER AGE
|
||||
some-storage (default) pd.csi.storage.gke.io 1d
|
||||
encrypted-storage gcp.csi.confidential.cloud 1d
|
||||
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
|
||||
encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate true 1d
|
||||
integrity-encrypted-rwo gcp.csi.confidential.cloud Delete Immediate false 1d
|
||||
```
|
||||
|
||||
The default storage class is marked by `(default)`.
|
||||
@ -266,13 +255,13 @@ The examples above are defined to be automatically set as the default storage cl
|
||||
If you previously used another storage class as the default, you will have to remove that annotation:
|
||||
|
||||
```bash
|
||||
kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
|
||||
kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
|
||||
```
|
||||
|
||||
3. Mark new class as the default
|
||||
|
||||
```bash
|
||||
kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
|
||||
kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
|
||||
```
|
||||
|
||||
4. Verify that your chosen storage class is default:
|
||||
@ -284,9 +273,9 @@ The examples above are defined to be automatically set as the default storage cl
|
||||
The output is similar to this:
|
||||
|
||||
```shell-session
|
||||
NAME PROVISIONER AGE
|
||||
some-storage pd.csi.storage.gke.io 1d
|
||||
encrypted-storage (default) gcp.csi.confidential.cloud 1d
|
||||
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
|
||||
encrypted-rwo gcp.csi.confidential.cloud Delete Immediate true 1d
|
||||
integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
|
Loading…
Reference in New Issue
Block a user