mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-22 22:30:23 +00:00
doc: add description for Amazon KMS provider
Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent f172e6956b
commit c4856195a2
@ -280,6 +280,36 @@ Configure a role(s) for service accounts used for ceph-csi:
* nodeplugin service account (`rbd-csi-nodeplugin`) requires **create** and
**read** permissions to save new keys and retrieve existing
#### Configuring Amazon KMS
Amazon KMS can be used to encrypt and decrypt the passphrases that are used for
encrypted RBD images. When a volume is created, a passphrase will be generated,
which will be encrypted by the KMS and stored in the volumes metadata. Upon
attaching the volume to a Pod, the worker node requests the KMS to decrypt the
passphrase, after which it can be used to open the device with `cryptsetup` and
provide access to it for the Pod.
There are a few settings that need to be included in the [KMS configuration
file](../examples/kms/vault/kms-config.yaml):
1. `KMS_PROVIDER`: should be set to `aws-metadata`.
1. `KMS_SECRET_NAME`: name of the Kubernetes Secret (in the Namespace where
Ceph-CSI is deployed) which contains the credentials for communicating with
AWS. This defaults to `ceph-csi-aws-credentials`.
1. `AWS_REGION`: the region where the AWS KMS service is available.
The [Secret with credentials](../examples/kms/vault/aws-credentials.yaml) for
the AWS KMS is expected to contain:
1. `AWS_ACCESS_KEY_ID`: ID of the key to use for encrypting/decrypting
1. `AWS_SECRET_ACCESS_KEY`: secret for the key to use
1. `AWS_SESSION_TOKEN`: *(optional)* session token, usually empty
1. `AWS_CMK_ARN`: Custom Master Key, ARN for the key used to encrypt the
passphrase
This Secret is expected to be created by the administrator who deployed
Ceph-CSI.
### Encryption prerequisites
In order for encryption to work you need to make sure that `dm-crypt` kernel
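Review bot: the descriptions of `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in the credentials list conflate the IAM access key with the KMS key. `AWS_ACCESS_KEY_ID` is the identifier of the IAM access key used to authenticate to AWS, not "the key to use for encrypting/decrypting" (that key is the one named by `AWS_CMK_ARN`), and `AWS_SECRET_ACCESS_KEY` is the secret half of that same access key. Suggest "`AWS_ACCESS_KEY_ID`: access key ID of the IAM credentials used to authenticate to AWS" and "`AWS_SECRET_ACCESS_KEY`: secret access key belonging to that access key ID". In the `AWS_CMK_ARN` item, "Custom Master Key" should read "Customer Master Key", and in the intro paragraph "stored in the volumes metadata" should be "stored in the volume's metadata". Since the Vault section just above spells out the create/read permissions each service account needs, this section should state the equivalent for AWS: the IAM credentials placed in the Secret only need permission to encrypt and decrypt with the key in `AWS_CMK_ARN`, so an administrator can scope them to that single key rather than granting broader KMS access.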