Google Cloud KMS in GKE
Portworx integrates with Google Cloud KMS to protect the Portworx secrets used for volume encryption and cloud credentials. This guide explains how to configure Portworx with Google Cloud KMS.
Portworx requires the following Google Cloud inputs to use the Cloud KMS APIs:
- Google Application Credentials [GOOGLE_APPLICATION_CREDENTIALS]
Portworx needs permission to call the Google Cloud KMS APIs. The following two predefined roles provide it:
- roles/cloudkms.cryptoKeyEncrypterDecrypter
- roles/cloudkms.publicKeyViewer
Grant these roles on the key (or key ring) that Portworx uses rather than on the whole project, so the credential can use only that key. More information about these roles and the permissions they include is in the Cloud KMS permissions and roles documentation.
- Google KMS Public Key Resource ID [GOOGLE_KMS_RESOURCE_ID]
Portworx uses a Cloud KMS asymmetric key pair to protect its secrets: it fetches the public key (which is why roles/cloudkms.publicKeyViewer is required) to encrypt them, and it calls Cloud KMS to decrypt them with the private key, which never leaves KMS. More information about asymmetric key pairs and how to create them is in the Cloud KMS documentation on asymmetric keys.
When creating the asymmetric key, set its purpose to Asymmetric decrypt. A key created for asymmetric signing or for symmetric encryption cannot perform the asymmetric decrypt operation Portworx relies on.
Once the asymmetric key is created, provide its complete resource ID, including the key version, to Portworx. A typical asymmetric key pair's resource ID looks like this:
projects/<Project ID>/locations/<Region>/keyRings/<Key Ring Name>/cryptoKeys/<Asymmetric Key Name>/cryptoKeyVersions/1
Portworx requires the above resource ID as an input argument.
For Kubernetes Users
Provide the Google credentials to Portworx by using any one of these methods:
Google instance IAM roles (Recommended)
Grant the instances running Portworx the privileges to access the GCP APIs through the service account attached to the instances. This is the preferred method since it requires the least setup on each instance and avoids distributing a long-lived service account key file.
- Owner and Compute Admin roles
These roles give Portworx access to the Google Compute Engine APIs to provision persistent disks. Make sure the service account attached to the instances has these roles. Note that roles/owner is a basic role that grants full control of the project, so treat the instance service account accordingly.
- Cloud KMS predefined roles
The following predefined roles give Portworx access to the Google Cloud KMS APIs to manage secrets:
roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/cloudkms.publicKeyViewer
Google Service Accounts
Step 1: Create a service account
Alternatively, you can give Portworx access to the GCP APIs via a service account key file and environment variables. First, create a service account in GCP and download its key file.
To access the GCP APIs, Portworx needs a service account with the following roles:
- Owner and Compute Admin roles
These roles give Portworx access to the Google Compute Engine APIs to provision persistent disks. Make sure the service account created below has these roles.
- Cloud KMS predefined roles
The following predefined roles give Portworx access to the Google Cloud KMS APIs to manage secrets:
roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/cloudkms.publicKeyViewer
Follow these steps to create a service account and download its corresponding key file:
- Create a service account in the "Service Accounts" section that has the above roles.
- Go to IAM & admin -> Service Accounts -> (Instance Service Account) -> select "Create Key" and download the .json file. This file is a long-lived credential that works from anywhere, not only from your instances, so store it securely and delete the key in IAM when it is no longer needed.
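The following script is an added example and is not part of the Portworx documentation or tooling. It performs Step 1 from the command line with gcloud: it creates the service account, a key ring and an asymmetric key with the Asymmetric decrypt purpose, binds the two Cloud KMS roles on that key only, downloads the key file to gcloud-secrets/gcloud.json for Step 2, and prints the GOOGLE_KMS_RESOURCE_ID to pass to Portworx. The project, location, key ring, key and service account names are placeholders to replace; the Owner and Compute Admin roles are not granted here because they are project-level bindings you should assign deliberately. With DRY_RUN=1 it prints the gcloud commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not Portworx's own tooling: provision the Cloud KMS key and the
# service account Portworx needs, from the command line. Names below are placeholders.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"      # placeholder project ID
LOCATION="${LOCATION:-us-central1}"       # placeholder KMS location (the <Region> in the resource ID)
KEYRING="${KEYRING:-px-keyring}"          # placeholder key ring name
KEY="${KEY:-px-secrets}"                  # placeholder asymmetric key name
SA_NAME="${SA_NAME:-portworx-kms}"        # placeholder service account name
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"

# With DRY_RUN=1, print each gcloud command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT" \
    --display-name "Portworx Cloud KMS"
}

# The key ring and an asymmetric key whose purpose is ASYMMETRIC_DECRYPT. gcloud
# spells that purpose "asymmetric-encryption" and requires a default algorithm.
create_key() {
  run gcloud kms keyrings create "$KEYRING" --project "$PROJECT" --location "$LOCATION"
  run gcloud kms keys create "$KEY" --project "$PROJECT" --location "$LOCATION" \
    --keyring "$KEYRING" --purpose asymmetric-encryption \
    --default-algorithm rsa-decrypt-oaep-4096-sha256
}

# Bind the two predefined roles on the key itself rather than on the project, so
# this service account can use no other key.
grant_kms_roles() {
  for role in roles/cloudkms.cryptoKeyEncrypterDecrypter roles/cloudkms.publicKeyViewer; do
    run gcloud kms keys add-iam-policy-binding "$KEY" --project "$PROJECT" \
      --location "$LOCATION" --keyring "$KEYRING" \
      --member "serviceAccount:${SA_EMAIL}" --role "$role"
  done
}

# Download the key file where Step 2 expects it. It is a long-lived credential:
# keep the directory private and delete the key in IAM when no longer needed.
download_key_file() {
  run mkdir -p gcloud-secrets
  run gcloud iam service-accounts keys create gcloud-secrets/gcloud.json \
    --project "$PROJECT" --iam-account "$SA_EMAIL"
}

# The resource ID Portworx expects, including the cryptoKeyVersions suffix.
resource_id() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/%s\n' \
    "$PROJECT" "$LOCATION" "$KEYRING" "$KEY" "${1:-1}"
}

# The purpose reported by `gcloud kms keys describe ... --format 'value(purpose)'`
# must be ASYMMETRIC_DECRYPT; a signing or symmetric key will not work with Portworx.
purpose_ok() {
  [ "$1" = ASYMMETRIC_DECRYPT ]
}

main() {
  create_service_account
  create_key
  grant_kms_roles
  if [ "${DRY_RUN:-0}" != 1 ]; then
    purpose=$(gcloud kms keys describe "$KEY" --project "$PROJECT" --location "$LOCATION" \
      --keyring "$KEYRING" --format 'value(purpose)')
    purpose_ok "$purpose" || { echo "key $KEY has purpose $purpose, expected ASYMMETRIC_DECRYPT" >&2; exit 1; }
  fi
  download_key_file
  echo "GOOGLE_KMS_RESOURCE_ID=$(resource_id 1)"
}

# Only run end to end when asked, so the functions above can be sourced and reused.
if [ "${PX_PROVISION:-0}" = 1 ]; then main; fi
```

Run it as `PX_PROVISION=1 PROJECT=<your project> sh provision-px-kms.sh`; the printed GOOGLE_KMS_RESOURCE_ID is the value to put into the px-gcloud secret in Step 2. The purpose check runs after key creation because a key created with the wrong purpose cannot be changed afterwards, only replaced.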
Step 2: Create a Kubernetes secret for the Google credentials.
Copy the downloaded account file into a directory named gcloud-secrets/ and rename it gcloud.json, then create a Kubernetes secret from it.
ls -1 gcloud-secrets
gcloud.json
Create a Kubernetes secret with the following command:
kubectl -n kube-system create secret generic px-gcloud --from-file=gcloud-secrets/ --from-literal=gcloud-kms-resource-id=projects/<Project ID>/locations/<Region>/keyRings/<Key Ring Name>/cryptoKeys/<Asymmetric Key Name>/cryptoKeyVersions/1
Make sure to replace the Project ID, Region, Key Ring Name and Asymmetric Key Name in the above command, and keep the cryptoKeyVersions suffix so the ID names a specific key version.
Step 3: Update the Portworx DaemonSet
- New installation
When generating the Portworx Kubernetes spec file on the Portworx spec generator page in Portworx Central, select Google Cloud KMS from the "Secrets type" list.
- Existing installation
For an existing Portworx cluster, follow the steps in the next section.
Step 3a: Update the Portworx DaemonSet to use the Google KMS secret store
Edit the Portworx DaemonSet's secret_type field to gcloud-kms, so that all new Portworx nodes will also start using Google Cloud KMS.
kubectl edit daemonset portworx -n kube-system
Add the "-secret_type", "gcloud-kms" arguments to the portworx container in the DaemonSet. It should look something like this:
containers:
- args:
  - -c
  - testclusterid
  - -s
  - /dev/sdb
  - -x
  - kubernetes
  - -secret_type
  - gcloud-kms
  name: portworx
Step 3b: Patch the Portworx DaemonSet
Use the following command to patch the DaemonSet, so that it has access to the secret created in Step 2.
Create a patch file
cat <<EOF> patch.yaml
spec:
  template:
    spec:
      containers:
      - name: portworx
        env:
        - name: GOOGLE_KMS_RESOURCE_ID
          valueFrom:
            secretKeyRef:
              name: px-gcloud
              key: gcloud-kms-resource-id
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /etc/pwx/gce/gcloud.json
        volumeMounts:
        - mountPath: /etc/pwx/gce
          name: gcloud-certs
      volumes:
      - name: gcloud-certs
        secret:
          secretName: px-gcloud
          items:
          - key: gcloud.json
            path: gcloud.json
EOF
Apply the patch
kubectl -n kube-system patch ds portworx --patch "$(cat patch.yaml)" --type=strategic
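The script below is an added example, not part of the Portworx documentation or tooling, for checking the result of Steps 2 and 3 before relying on it. It reads the px-gcloud secret and the portworx DaemonSet from kube-system and checks that the resource ID names a specific key version, that gcloud.json is a service account key rather than some other kind of Google credential, that the portworx container passes -secret_type gcloud-kms, and that GOOGLE_APPLICATION_CREDENTIALS points inside the path where the secret is mounted. The check functions take their input as arguments so they can also be exercised on constructed sample values; the live checks run with PX_VERIFY=1 and need kubectl access to the cluster.

```shell
#!/usr/bin/env sh
# Added example, not part of the Portworx documentation or tooling: verify the
# px-gcloud secret and the portworx DaemonSet wiring described in Steps 2 and 3.
set -eu

NS="${NS:-kube-system}"
SECRET="${SECRET:-px-gcloud}"
DS="${DS:-portworx}"

# The resource ID must name a specific key version; a path ending at cryptoKeys/<name>
# or carrying a trailing slash is the usual copy-paste mistake.
valid_resource_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/[0-9]+$'
}

# A downloaded service-account key is JSON with type "service_account" plus the
# client_email and private_key fields; a user credential (type "authorized_user")
# or a truncated file would only fail once Portworx tries to call KMS.
sa_key_ok() {
  printf '%s\n' "$1" | grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' &&
    printf '%s\n' "$1" | grep -Eq '"client_email"[[:space:]]*:' &&
    printf '%s\n' "$1" | grep -Eq '"private_key"[[:space:]]*:'
}

# Container args, one per line: -secret_type must be immediately followed by gcloud-kms.
args_select_gcloud_kms() {
  printf '%s\n' "$1" | awk '
    prev == "-secret_type" && $0 == "gcloud-kms" { found = 1 }
    { prev = $0 }
    END { exit found ? 0 : 1 }'
}

# GOOGLE_APPLICATION_CREDENTIALS ($1) must lie inside the secret volume's mount path ($2).
creds_under_mount() {
  case "$1" in
    "$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live checks against the cluster; run with PX_VERIFY=1 and working kubectl access.
main() {
  rid=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.gcloud-kms-resource-id}' | base64 -d)
  valid_resource_id "$rid" || { echo "bad GOOGLE_KMS_RESOURCE_ID: '$rid'" >&2; exit 1; }

  key=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.gcloud\.json}' | base64 -d)
  sa_key_ok "$key" || { echo "gcloud.json is not a service-account key file" >&2; exit 1; }

  sel='.spec.template.spec.containers[?(@.name=="portworx")]'
  args=$(kubectl -n "$NS" get ds "$DS" -o jsonpath="{range ${sel}.args[*]}{@}{\"\n\"}{end}")
  args_select_gcloud_kms "$args" || { echo "portworx container lacks -secret_type gcloud-kms" >&2; exit 1; }

  cred=$(kubectl -n "$NS" get ds "$DS" \
    -o jsonpath="{${sel}.env[?(@.name==\"GOOGLE_APPLICATION_CREDENTIALS\")].value}")
  mount=$(kubectl -n "$NS" get ds "$DS" \
    -o jsonpath="{${sel}.volumeMounts[?(@.name==\"gcloud-certs\")].mountPath}")
  creds_under_mount "$cred" "$mount" || { echo "GOOGLE_APPLICATION_CREDENTIALS '$cred' is outside mount '$mount'" >&2; exit 1; }

  echo "Google Cloud KMS wiring for $DS in $NS looks correct"
}

if [ "${PX_VERIFY:-0}" = 1 ]; then main; fi
```

Run it as `PX_VERIFY=1 sh verify-px-kms.sh` with a kubeconfig that can read secrets in kube-system. The checks are deliberately static: they confirm the objects are wired as Step 3b intends without calling Cloud KMS, so a failure points at the Kubernetes side rather than at IAM.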
Using Google Cloud KMS with Portworx
Encrypting Kubernetes PVCs with Google Cloud KMS: instructions on using Google Cloud KMS with Portworx for encrypting PVCs.