Secure your volumes on IKS
Encryption with CSI
For information about how to encrypt PVCs on CSI using Kubernetes secrets, see encrypting PVCs on CSI with Kubernetes secrets.
Authorization and Authentication
You can secure your CSI-enabled volumes with token-based authorization. In using token-based authorization, you create secrets containing your token credentials and specify them in your StorageClass in one of two ways:
- Using hardcoded values
- Using template values
You can also mix these two methods to form your own hybrid approach.
Using hardcoded values
This example secures a storage class by specifying hardcoded values for the token and namespace. Users who create PVCs based on this StorageClass will always have their PVCs use the px-user-token
Secret under the <px-namespace>
namespace.
- Find or create your token secret:
For operator deployment with security enabled, a user token is automatically created and refreshed under px-user-token
in your StorageCluster
namespace. Refer to secure your storage with the Operator for more information.
kubectl get secrets px-user-token -n <px-namespace>
NAME TYPE DATA AGE
px-user-token Opaque 1 23h
-
Modify the storageClass:
If you're using Kubernetes secrets, add the following parameters that are shown in the following example:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: px-csi-db-encrypted-k8s
provisioner: pxd.portworx.com
parameters:
repl: "3"
secure: "true"
io_profile: auto
io_priority: "high"
csi.storage.k8s.io/provisioner-secret-name: px-user-token
csi.storage.k8s.io/provisioner-secret-namespace: <px-namespace>
csi.storage.k8s.io/node-publish-secret-name: px-user-token
csi.storage.k8s.io/node-publish-secret-namespace: <px-namespace>
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: trueIf you're using another secret provider, such as Vault, Google KMS, AWS KMS, or KVDM, define the desired encryption key in the
secret_key
parameter directly as a parameter on the CSI storage class. For example:apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: px-csi-db-encrypted-vault
provisioner: pxd.portworx.com
parameters:
repl: "3"
secure: "true"
io_profile: auto
io_priority: "high"
secret_key: px-cluster-key
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
Ensure that the secret called px-cluster-key
exists and contains the value that you can use to encrypt your volumes.
Using template values
This example secures a StorageClass by hardcoding the token and namespace. If you have created PVCs based on this StorageClass, you can have your PVCs use the StorageClass, which you specify in the annotation of your PVC, and the namespace specified in your PVC.
-
Modify the StorageClass, adding the highlighted
csi.storage.k8s.io
parameters:apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: px-csi-db-encrypted-k8s
provisioner: pxd.portworx.com
parameters:
repl: "3"
secure: "true"
io_profile: auto
io_priority: "high"
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}
csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true -
Create a secret in your PVC's namespace with the same name as the PVC. For example, a PVC named
px-mysql-pvc
must have an associated secret namedpx-mysql-pvc
.
- Get the token as mentioned in Using hardcoded values:
USER_TOKEN=$(kubectl get secrets px-user-token -n <px-namespace> -o json | jq -r '.data["auth-token"]' | base64 -d)
- Create the secret:
kubectl create secret generic px-mysql-pvc -n <px-namespace> --from-literal=auth-token=$USER_TOKEN