Secure your volumes in OCP GCP
Summary and Key concepts
Summary:
This article discusses how to implement encryption for Persistent Volume Claims (PVCs) using the Portworx CSI Driver. It explains two methods for securing CSI-enabled volumes: using Kubernetes secrets or external secret providers (such as Vault, Google KMS, AWS KMS). The article provides detailed steps on how to create and configure StorageClasses with encryption, using either hardcoded or template-based secret values. It also describes how to generate and manage the required tokens for securing PVCs, emphasizing token-based authorization and how to reference these tokens in StorageClass configurations.
Kubernetes Concepts:
- PersistentVolumeClaim (PVC): A request for storage resources from Kubernetes users.
- StorageClass: Defines the class of storage available, with customizable parameters such as replication and encryption.
- Kubernetes Secrets: Used to store and manage sensitive information, like authentication tokens or encryption keys, securely in Kubernetes.
Portworx Concepts:
- Portworx CSI Driver: Enables the use of Portworx storage features such as encryption and snapshots with Kubernetes CSI.
- Encryption with Portworx: Provides support for encrypting storage using keys managed by Portworx or third-party providers.
- PX Security - Shared Secret Model: A method for securing storage with token-based authentication, automatically creating and refreshing user tokens in the Portworx StorageCluster.
Encryption with CSI
For information about how to encrypt PVCs on CSI using Kubernetes secrets, see encrypting PVCs on CSI with Kubernetes secrets.
Authorization and Authentication
You can secure your CSI-enabled volumes with token-based authorization. With token-based authorization, you create Kubernetes secrets containing your token credentials and reference them from your StorageClass in one of two ways:
- Using hardcoded values
- Using template values
You can also mix these two methods to form your own hybrid approach.
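The following manifests are an added example, not taken from the Portworx documentation, showing what the hardcoded, template-based and hybrid approaches look like side by side. The `csi.storage.k8s.io/*` parameters and the `${pvc.namespace}` / `${pvc.annotations['...']}` templates are the standard Kubernetes CSI secret-reference parameters; the provisioner name `pxd.portworx.com` and the secret key `auth-token` are assumed to follow Portworx conventions, and the namespace `portworx`, the annotation key `px/secret-name` and all object names are constructed for the example.

```yaml
# Added example (not Portworx's own manifests). The token value is a placeholder;
# generate it with the PX Security steps described on this page.
apiVersion: v1
kind: Secret
metadata:
  name: px-user-token
  namespace: portworx            # constructed namespace for the shared token
type: Opaque
stringData:
  auth-token: "<PX-SECURITY-USER-TOKEN-PLACEHOLDER>"   # assumed key name
---
# Method 1: hardcoded values. Every PVC created from this class is authorized
# with the one token above, so the class itself decides which identity is used.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: px-csi-secure-hardcoded
provisioner: pxd.portworx.com    # assumed Portworx CSI provisioner name
parameters:
  repl: "3"
  csi.storage.k8s.io/provisioner-secret-name: px-user-token
  csi.storage.k8s.io/provisioner-secret-namespace: portworx
  csi.storage.k8s.io/node-publish-secret-name: px-user-token
  csi.storage.k8s.io/node-publish-secret-namespace: portworx
  csi.storage.k8s.io/controller-expand-secret-name: px-user-token
  csi.storage.k8s.io/controller-expand-secret-namespace: portworx
allowVolumeExpansion: true
---
# Method 2: template values. The secret is resolved per PVC: its name comes from
# an annotation on the PVC and its namespace is always the PVC's own namespace,
# so a team can only use a token secret that lives in its own namespace.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: px-csi-secure-templated
provisioner: pxd.portworx.com
parameters:
  repl: "3"
  csi.storage.k8s.io/provisioner-secret-name: "${pvc.annotations['px/secret-name']}"
  csi.storage.k8s.io/provisioner-secret-namespace: "${pvc.namespace}"
  csi.storage.k8s.io/node-publish-secret-name: "${pvc.annotations['px/secret-name']}"
  csi.storage.k8s.io/node-publish-secret-namespace: "${pvc.namespace}"
---
# Hybrid: a fixed secret name, but looked up in the PVC's namespace. Each
# namespace must hold its own `px-user-token` secret; PVC authors cannot pick a
# different name, and the cluster-wide token is never exposed to them.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: px-csi-secure-hybrid
provisioner: pxd.portworx.com
parameters:
  repl: "3"
  csi.storage.k8s.io/provisioner-secret-name: px-user-token
  csi.storage.k8s.io/provisioner-secret-namespace: "${pvc.namespace}"
  csi.storage.k8s.io/node-publish-secret-name: px-user-token
  csi.storage.k8s.io/node-publish-secret-namespace: "${pvc.namespace}"
---
# A PVC using the templated class; the annotation names the token secret that
# must already exist in namespace team-a (constructed for the example).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: team-a
  annotations:
    px/secret-name: px-user-token
spec:
  storageClassName: px-csi-secure-templated
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 10Gi
```

The practical difference is who controls the identity a volume is provisioned and mounted with. With hardcoded values the StorageClass author controls it and one token serves the whole cluster; with template values the PVC's namespace (and, if you use the annotation form, the PVC author) selects the secret, so the namespace boundary and the RBAC you put on Secrets become the authorization boundary. Whichever form you use, a PVC whose referenced secret is missing stays Pending, which is the expected failure mode rather than a silent fallback to unauthenticated access.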