constellation/docs/versioned_docs/version-2.0/workflows/storage.md
Felix Schuster eb213878a2
Re-wording in docs/workflows (#135)
* Quick pass over create.md

* pass over verify.md

* Re-arrange workflows

* Quick polish of scale.md and upgrade.md

* Quick polish of terminate.md

* Cut recovery.md down

* Brush over ssh

* storage

* Brush over trusted launch VMs

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Add Azure back to title

* Update docs/docs/workflows/verify-cluster.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* fix lint errors

* publish to 2.0

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2022-09-13 15:12:05 +02:00

11 KiB

Use persistent storage

Persistent storage in Kubernetes requires cloud-specific configuration. For abstraction of container storage, Kubernetes offers volumes, allowing users to mount storage solutions directly into containers. The Container Storage Interface (CSI) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. Cloud service providers (CSPs) offer their own CSI-based solutions for cloud storage.

Confidential storage

Most cloud storage solutions support encryption, such as GCE Persistent Disks (PD). Constellation supports the available CSI-based storage options for Kubernetes engines in Azure and GCP. However, their encryption takes place in the storage backend and is managed by the CSP. Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data.

To address this, Constellation provides CSI drivers for Azure Disk and GCE PD, offering encryption on the node level. They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.

For more details see encrypted persistent storage.

CSI Drivers

Constellation supports the following drivers, which offer node-level encryption and optional integrity protection.

  1. Azure Disk Storage

    Mount Azure Disk Storage into your Constellation cluster. See the example below on how to install the modified Azure Disk CSI driver or check out the repository for installation and more information about the Constellation-managed version of the driver. Since Azure Disks are mounted as ReadWriteOnce, they're only available to a single pod.

  1. Persistent Disk:

    Mount GCP Persistent Disk block storage into your Constellation cluster. This includes support for volume snapshots, which let you create copies of your volume at a specific point in time. You can use them to bring a volume back to a prior state or provision new volumes. Follow the examples listed below to setup the modified GCP PD CSI driver, or check out the repository for information about the configuration.

Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use Azure Files or GCP Filestore with Constellation out of the box. Constellation is just not providing transparent encryption on the node level for these storage types yet.

Installation

The following installation guide gives an overview of how to securely use CSI-based cloud storage for persistent volumes in Constellation.

  1. Install the CSI driver:
helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \
    --namespace kube-system \
    --set linux.distro=fedora \
    --set controller.replicas=1
  1. Create a storage class for your driver

    A storage class configures the driver responsible for provisioning storage for persistent volume claims. A storage class only needs to be created once and can then be used by multiple volumes. The following snippet creates a simple storage class using a Standard SSD as the backing storage device when the first Pod claiming the volume is created.

    cat <<EOF | kubectl apply -f -
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: azuredisk.csi.confidential.cloud
    parameters:
      skuName: StandardSSD_LRS
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    
  1. Install the CSI driver:

    kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest
    
  2. Create a storage class for your driver

    A storage class configures the driver responsible for provisioning storage for persistent volume claims. A storage class only needs to be created once and can then be used by multiple volumes. The following snippet creates a simple storage class for the GCE PD driver, utilizing balanced persistent disks as the storage backend device when the first Pod claiming the volume is created.

    cat <<EOF | kubectl apply -f -
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: encrypted-storage
      annotations:
        storageclass.kubernetes.io/is-default-class: "true"
    provisioner: gcp.csi.confidential.cloud
    parameters:
      type: pd-standard
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
    EOF
    

:::info

By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add csi.storage.k8s.io/fstype: ext4-integrity to parameters. Alternatively, you can use another filesystem by specifying another file system type with the suffix -integrity. Note that volume expansion isn't supported for integrity-protected disks.

:::

  1. Create a persistent volume

    A persistent volume claim is a request for storage with certain properties. It can refer to a storage class. The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class:

    cat <<EOF | kubectl apply -f -
    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: pvc-example
      namespace: default
    spec:
      accessModes:
      - ReadWriteOnce
      storageClassName: encrypted-storage
      resources:
        requests:
          storage: 20Gi
    EOF
    
  2. Create a Pod with persistent storage

    You can assign a persistent volume claim to an application in need of persistent storage. The mounted volume will persist restarts. The following creates a pod that uses the previously created persistent volume claim:

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Pod
    metadata:
      name: web-server
      namespace: default
    spec:
      containers:
      - name: web-server
        image: nginx
        volumeMounts:
        - mountPath: /var/lib/www/html
          name: mypvc
      volumes:
      - name: mypvc
        persistentVolumeClaim:
          claimName: pvc-example
          readOnly: false
    EOF
    

Set the default storage class

The examples above are defined to be automatically set as the default storage class. The default storage class is responsible for all persistent volume claims that don't explicitly request storageClassName. In case you need to change the default, follow the steps below:

  1. List the storage classes in your cluster:

    kubectl get storageclass
    

    The output is similar to this:

    NAME                      PROVISIONER                       AGE
    some-storage (default)    disk.csi.azure.com                1d
    encrypted-storage         azuredisk.csi.confidential.cloud  1d
    

    The default storage class is marked by (default).

  2. Mark old default storage class as non default

    If you previously used another storage class as the default, you will have to remove that annotation:

    kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
    
  3. Mark new class as the default

    kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
    
  4. Verify that your chosen storage class is default:

    kubectl get storageclass
    

    The output is similar to this:

    NAME                        PROVISIONER                       AGE
    some-storage                disk.csi.azure.com                1d
    encrypted-storage (default) azuredisk.csi.confidential.cloud  1d
    
  1. List the storage classes in your cluster:

    kubectl get storageclass
    

    The output is similar to this:

    NAME                      PROVISIONER                 AGE
    some-storage (default)    pd.csi.storage.gke.io       1d
    encrypted-storage         gcp.csi.confidential.cloud  1d
    

    The default storage class is marked by (default).

  2. Mark old default storage class as non default

    If you previously used another storage class as the default, you will have to remove that annotation:

    kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
    
  3. Mark new class as the default

    kubectl patch storageclass <name-of-new-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
    
  4. Verify that your chosen storage class is default:

    kubectl get storageclass
    

    The output is similar to this:

    NAME                        PROVISIONER                 AGE
    some-storage                pd.csi.storage.gke.io       1d
    encrypted-storage (default) gcp.csi.confidential.cloud  1d