mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 02:50:30 +00:00
419ad0dd8e
- adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
48 lines
1021 B
YAML
48 lines
1021 B
YAML
---
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: rbd-csi-vault-token-review-psp
|
|
spec:
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- 'configMap'
|
|
- 'secret'
|
|
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
# replace with non-default namespace name
|
|
namespace: default
|
|
name: rbd-csi-vault-token-review-psp
|
|
rules:
|
|
- apiGroups: ['policy']
|
|
resources: ['podsecuritypolicies']
|
|
verbs: ['use']
|
|
resourceNames: ['rbd-csi-vault-token-review-psp']
|
|
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: rbd-csi-vault-token-review-psp
|
|
# replace with non-default namespace name
|
|
namespace: default
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rbd-csi-vault-token-review
|
|
# replace with non-default namespace name
|
|
namespace: default
|
|
roleRef:
|
|
kind: Role
|
|
name: rbd-csi-vault-token-review-psp
|
|
apiGroup: rbac.authorization.k8s.io
|