AB#2615 Update docs to new CSI installation method (#606)

* Update docs to new CSI installation method

* Fix invalid volume expansion option

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
This commit is contained in:
Daniel Weiße 2022-11-22 09:36:08 +01:00 committed by GitHub
parent 0232c835ca
commit b915d03487
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 70 additions and 81 deletions


@ -8,7 +8,7 @@ parameters:
skuname: Premium_LRS skuname: Premium_LRS
csi.storage.k8s.io/fstype: ext4-integrity csi.storage.k8s.io/fstype: ext4-integrity
provisioner: azuredisk.csi.confidential.cloud provisioner: azuredisk.csi.confidential.cloud
allowVolumeExpansion: true allowVolumeExpansion: false
reclaimPolicy: Delete reclaimPolicy: Delete
volumeBindingMode: Immediate volumeBindingMode: Immediate
{{- end }} {{- end }}
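Review bot: flipping `allowVolumeExpansion` to `false` on the `ext4-integrity` class agrees with the docs in this same change, which state that volume expansion isn't supported for integrity-protected disks, but nothing in the template records that reason; add a comment above the line, e.g. `# expansion is not supported for integrity-protected filesystems`, so the value isn't switched back later. Please also confirm the non-integrity class in this template keeps `true`, which is what the sample `kubectl get storageclass` output elsewhere in this change shows (`encrypted-rwo ... true`, `integrity-encrypted-rwo ... false`).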


@ -7,6 +7,6 @@ parameters:
skuname: Premium_LRS skuname: Premium_LRS
csi.storage.k8s.io/fstype: ext4-integrity csi.storage.k8s.io/fstype: ext4-integrity
provisioner: azuredisk.csi.confidential.cloud provisioner: azuredisk.csi.confidential.cloud
allowVolumeExpansion: true allowVolumeExpansion: false
reclaimPolicy: Delete reclaimPolicy: Delete
volumeBindingMode: Immediate volumeBindingMode: Immediate
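Review bot: this is the same storage-class definition as in the previous file, down to `skuname: Premium_LRS` and `csi.storage.k8s.io/fstype: ext4-integrity`, and this change had to flip `allowVolumeExpansion` in both by hand; if the two files are meant to stay identical, consider generating one from the other or adding a check that diffs them so the next edit cannot drift.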


@ -6,7 +6,7 @@ allowing users to mount storage solutions directly into containers.
The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. The [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes.
Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage. Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage.
### Confidential storage ## Confidential storage
Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
Constellation supports the available CSI-based storage options for Kubernetes engines in Azure and GCP. Constellation supports the available CSI-based storage options for Kubernetes engines in Azure and GCP.
@ -54,72 +54,64 @@ Note that in case the options above aren't a suitable solution for you, Constell
## Installation ## Installation
The following installation guide gives an overview of how to securely use CSI-based cloud storage for persistent volumes in Constellation. The Constellation CLI will automatically install Constellation's CSI driver for the selected CSP in your cluster.
If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file.
<tabs groupId="csp"> <tabs groupId="csp">
<tabItem value="azure" label="Azure"> <tabItem value="azure" label="Azure">
1. Install the CSI driver: Azure comes with two storage classes by default.
```bash * `encrypted-rwo`
helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \ * Uses [Standard SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds)
--namespace kube-system \ * ext-4 filesystem
--set linux.distro=fedora \ * Encryption of all data written to disk
--set controller.replicas=1 * `integrity-encrypted-rwo`
``` * Uses [Premium SSDs](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#premium-ssds)
* ext-4 filesystem
* Encryption of all data written to disk
* Integrity protection of data written to disk
2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver For more info on encryption algorithms and key sizes, please refer to [cryptographic-algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
A storage class configures the driver responsible for provisioning storage for persistent volume claims. :::info
A storage class only needs to be created once and can then be used by multiple volumes.
The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created.
```bash The default storage class is set to `encrypted-rwo` for performance reasons.
cat <<EOF | kubectl apply -f - If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`
apiVersion: storage.k8s.io/v1 Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
kind: StorageClass Or use another filesystem by specifying another file system type with the suffix `-integrity`.
metadata: For example `csi.storage.k8s.io/fstype: xfs-integrity`.
name: encrypted-storage Note that volume expansion isn't supported for integrity-protected disks.
annotations:
storageclass.kubernetes.io/is-default-class: "true" :::
provisioner: azuredisk.csi.confidential.cloud
parameters:
skuName: StandardSSD_LRS
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
EOF
```
</tabItem> </tabItem>
<tabItem value="gcp" label="GCP"> <tabItem value="gcp" label="GCP">
1. Install the CSI driver: GCP comes with two storage classes by default.
```bash * `encrypted-rwo`
kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest * Uses [standard persistent-disks](https://cloud.google.com/compute/docs/disks#pdspecs)
``` * ext-4 filesystem
* Encryption of all data written to disk
* `integrity-encrypted-rwo`
* Uses [performance (SSD) persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs)
* ext-4 filesystem
* Encryption of all data written to disk
* Integrity protection of data written to disk
2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver For more info on encryption algorithms and key sizes, please refer to [cryptographic-algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
A storage class configures the driver responsible for provisioning storage for persistent volume claims. :::info
A storage class only needs to be created once and can then be used by multiple volumes.
The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created.
```bash The default storage class is set to `encrypted-rwo` for performance reasons.
cat <<EOF | kubectl apply -f - If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`
apiVersion: storage.k8s.io/v1 Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
kind: StorageClass Or use another filesystem by specifying another file system type with the suffix `-integrity`.
metadata: For example `csi.storage.k8s.io/fstype: xfs-integrity`.
name: encrypted-storage Note that volume expansion isn't supported for integrity-protected disks.
annotations:
storageclass.kubernetes.io/is-default-class: "true" :::
provisioner: gcp.csi.confidential.cloud
parameters:
type: pd-standard
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
EOF
```
</tabItem> </tabItem>
<tabItem value="aws" label="AWS"> <tabItem value="aws" label="AWS">
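Review bot: the bullet `ext-4 filesystem` (in both the Azure and GCP tabs) should read `ext4`, matching the filesystem's name and the value used in the parameters (`csi.storage.k8s.io/fstype: ext4-integrity`); in the `:::info` block the sentence ending in "to `integrity-encrypted-rwo`" is missing its full stop. The justification "for performance reasons" also reads oddly next to the bullets, because on both clouds the integrity class is the one backed by the faster disk tier (Premium SSDs, performance persistent disks); say what the trade-off actually is, e.g. "because integrity protection adds overhead on every write".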
@ -135,17 +127,11 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern
</tabItem> </tabItem>
</tabs> </tabs>
:::info 1. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks.
:::
3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties.
It can refer to a storage class. It can refer to a storage class.
The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class: The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class:
```bash ```bash
cat <<EOF | kubectl apply -f - cat <<EOF | kubectl apply -f -
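Review bot: the prose says "requesting 20 GB of storage" while the manifest in the next hunk asks for `storage: 20Gi`; write "20 GiB" so the text matches the Kubernetes quantity. Since the per-CSP steps were removed, the list now restarts at `1.` right after `</tabs>`, which is fine, but the step title "Create a persistent volume" introduces a persistent volume *claim*; consider "Create a persistent volume claim" to match the body.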
@ -157,14 +143,14 @@ By default, integrity protection is disabled for performance reasons. If you wan
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClassName: encrypted-storage storageClassName: encrypted-rwo
resources: resources:
requests: requests:
storage: 20Gi storage: 20Gi
EOF EOF
``` ```
4. Create a Pod with persistent storage 2. Create a Pod with persistent storage
You can assign a persistent volume claim to an application in need of persistent storage. You can assign a persistent volume claim to an application in need of persistent storage.
The mounted volume will persist restarts. The mounted volume will persist restarts.
@ -192,8 +178,11 @@ By default, integrity protection is disabled for performance reasons. If you wan
EOF EOF
``` ```
### Set the default storage class ### Change the default storage class
The examples above are defined to be automatically set as the default storage class. The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`. In case you need to change the default, follow the steps below:
The default storage class is responsible for all persistent volume claims that don't explicitly request `storageClassName`.
Constellation creates a storage class with encryption enabled and sets this as the default class.
In case you wish to change it, follow the steps below:
<tabs groupId="csp"> <tabs groupId="csp">
<tabItem value="azure" label="Azure"> <tabItem value="azure" label="Azure">
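Review bot: renaming the heading from `### Set the default storage class` to `### Change the default storage class` changes the generated anchor, so any link to `#set-the-default-storage-class` elsewhere in the docs needs updating. The dropped sentence that Constellation's default class has encryption enabled is now only implied by the tabs above; a one-line reminder here ("Both preinstalled classes encrypt data; `encrypted-rwo` is the default") would keep this section self-contained for readers who jump straight to it.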
@ -207,9 +196,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this: The output is similar to this:
```shell-session ```shell-session
NAME PROVISIONER AGE NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
some-storage (default) disk.csi.azure.com 1d encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate true 1d
encrypted-storage azuredisk.csi.confidential.cloud 1d integrity-encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate false 1d
``` ```
The default storage class is marked by `(default)`. The default storage class is marked by `(default)`.
@ -219,13 +208,13 @@ The examples above are defined to be automatically set as the default storage cl
If you previously used another storage class as the default, you will have to remove that annotation: If you previously used another storage class as the default, you will have to remove that annotation:
```bash ```bash
kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
``` ```
3. Mark new class as the default 3. Mark new class as the default
```bash ```bash
kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
``` ```
4. Verify that your chosen storage class is default: 4. Verify that your chosen storage class is default:
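Review bot: replacing the `<name-of-old-default>` / `<name-of-new-default>` placeholders with `encrypted-rwo` and `integrity-encrypted-rwo` turns a generic procedure into one specific swap; a reader whose current default is some other class will run step 2 against the wrong object. Either keep the placeholders and give the concrete names in the prose, or state before step 2 that the example switches the default from `encrypted-rwo` to `integrity-encrypted-rwo`, as the verification output in the next hunk assumes.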
@ -237,9 +226,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this: The output is similar to this:
```shell-session ```shell-session
NAME PROVISIONER AGE NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
some-storage disk.csi.azure.com 1d encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate true 1d
encrypted-storage (default) azuredisk.csi.confidential.cloud 1d integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d
``` ```
</tabItem> </tabItem>
@ -254,9 +243,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this: The output is similar to this:
```shell-session ```shell-session
NAME PROVISIONER AGE NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
some-storage (default) pd.csi.storage.gke.io 1d encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate true 1d
encrypted-storage gcp.csi.confidential.cloud 1d integrity-encrypted-rwo gcp.csi.confidential.cloud Delete Immediate false 1d
``` ```
The default storage class is marked by `(default)`. The default storage class is marked by `(default)`.
@ -266,13 +255,13 @@ The examples above are defined to be automatically set as the default storage cl
If you previously used another storage class as the default, you will have to remove that annotation: If you previously used another storage class as the default, you will have to remove that annotation:
```bash ```bash
kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
``` ```
3. Mark new class as the default 3. Mark new class as the default
```bash ```bash
kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
``` ```
4. Verify that your chosen storage class is default: 4. Verify that your chosen storage class is default:
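Review bot: same concern as in the Azure tab: the placeholders became concrete names, so the steps no longer cover a cluster whose current default isn't `encrypted-rwo`; if the names stay hard-coded, the lead-in should say this is the `encrypted-rwo` to `integrity-encrypted-rwo` swap. The Azure and GCP steps now differ only in the provisioner shown in the sample output (`azuredisk.csi.confidential.cloud` vs `gcp.csi.confidential.cloud`), so a shared snippet would avoid maintaining two copies of the same commands.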
@ -284,9 +273,9 @@ The examples above are defined to be automatically set as the default storage cl
The output is similar to this: The output is similar to this:
```shell-session ```shell-session
NAME PROVISIONER AGE NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
some-storage pd.csi.storage.gke.io 1d encrypted-rwo gcp.csi.confidential.cloud Delete Immediate true 1d
encrypted-storage (default) gcp.csi.confidential.cloud 1d integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d
``` ```
</tabItem> </tabItem>