419ad0dd8e
- adds proposal document for PVC encryption from PR448 - adds per-volume encryption by generating an encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting a volume a second time if it was already encrypted but no file system was created - avoids unnecessary checks for whether a volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attacks on the encryption key (security guard until re-encryption of volumes is implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
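---
# StorageClass for RBD-backed PersistentVolumes provisioned by ceph-csi.
# Nesting below was restored: everything under `metadata`, `parameters` and
# `mountOptions` must be indented, otherwise the parser reads those keys as
# null and their children as unrelated top-level keys.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-rbd-sc
provisioner: rbd.csi.ceph.com
parameters:
  # String representing a Ceph cluster to provision storage from.
  # Should be unique across all Ceph clusters in use for provisioning,
  # cannot be greater than 36 bytes in length, and should remain immutable for
  # the lifetime of the StorageClass in use.
  # Ensure to create an entry in the config map named ceph-csi-config, based on
  # csi-config-map-sample.yaml, to accompany the string chosen to
  # represent the Ceph cluster in clusterID below.
  # `<cluster-id>` is a placeholder to be replaced before applying.
  clusterID: <cluster-id>

  # If you want to use erasure coded pool with RBD, you need to create
  # two pools. one erasure coded and one replicated.
  # You need to specify the replicated pool here in the `pool` parameter, it is
  # used for the metadata of the images.
  # The erasure coded pool must be set as the `dataPool` parameter below.
  # dataPool: ec-data-pool
  pool: rbd

  # RBD image features, CSI creates image with image-format 2
  # CSI RBD currently supports only `layering` feature.
  imageFeatures: layering

  # The secrets have to contain Ceph credentials with required access
  # to the 'pool'. The namespace values must match the namespace in which
  # the referenced Secret objects were created.
  csi.storage.k8s.io/provisioner-secret-name: csi-rbd-secret
  csi.storage.k8s.io/provisioner-secret-namespace: default
  csi.storage.k8s.io/controller-expand-secret-name: csi-rbd-secret
  csi.storage.k8s.io/controller-expand-secret-namespace: default
  csi.storage.k8s.io/node-stage-secret-name: csi-rbd-secret
  csi.storage.k8s.io/node-stage-secret-namespace: default

  # Specify the filesystem type of the volume. If not specified,
  # csi-provisioner will set default as `ext4`.
  csi.storage.k8s.io/fstype: ext4

  # uncomment the following to use rbd-nbd as mounter on supported nodes
  # mounter: rbd-nbd

  # Instruct the plugin it has to encrypt the volume
  # By default it is disabled. Valid values are "true" or "false".
  # A string is expected here, i.e. "true", not true (an unquoted value
  # would be parsed as a YAML boolean, which the parameter does not accept).
  # Per the commit description, the plugin refuses volume expansion and
  # snapshot creation for encrypted volumes (not supported yet; the snapshot
  # restriction guards the encryption key until re-encryption is implemented).
  # encrypted: "true"

  # Use external key management system for encryption passphrases
  # (HashiCorp Vault is the KMS backend referenced by this commit).
  # encryptionKMS: vault

  # String representing KMS configuration. Should be unique and match ID in
  # KMS ConfigMap. The ID is only used for correlation to config map entry.
  # `<kms-config-id>` is a placeholder to be replaced before applying.
  # encryptionKMSID: <kms-config-id>
reclaimPolicy: Delete
# Expansion applies to unencrypted volumes; resize requests for encrypted
# volumes are rejected by this version of the plugin (see commit description).
allowVolumeExpansion: true
mountOptions:
  - discard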