Using encrypted disks for persistent volumes

Managed Service for Kubernetes supports the use of Compute Cloud disks encrypted with custom Yandex Key Management Service symmetric keys for persistent volumes.

You can use encrypted disks for both static and dynamic provisioning of persistent volumes.

Static volume provisioningStatic volume provisioning

1. Create a symmetric key in Key Management Service.

2. Create an encrypted disk using the key you created.

   Save the disk ID for later use.

3. Assign the kms.keys.encrypterDecrypter role for a key or folder to the cloud service account of the Managed Service for Kubernetes cluster.

4. Provide a persistent volume. In the PersistentVolume manifest, specify the ID of the disk you created in the spec:csi:volumeHandle parameter.

Dynamic volume provisioningDynamic volume provisioning

1. Create a symmetric key in Key Management Service.

   Save the key ID for later use.

2. Assign the kms.keys.encrypterDecrypter role for a key or folder to the cloud service account of the Managed Service for Kubernetes cluster.

3. Install kubect and configure it to work with the new cluster.

4. In the encrypted-storage-class.yaml file, create a manifest for the new storage class:

   kind: StorageClass
   apiVersion: storage.k8s.io/v1
   metadata:
     name: <storage_class_name>
   provisioner: disk-csi-driver.mks.ycloud.io
   volumeBindingMode: WaitForFirstConsumer
   parameters:
     type: <disk_type>
     csi.storage.k8s.io/fstype: ext4
     kmsKeyId: <symmetric_key_ID>
   allowVolumeExpansion: true
   reclaimPolicy: Delete
   

   Where:

   • metadata:name: Any storage class name.
   • parameters:type: Disk type in Compute Cloud. The possible values are:
     • network-ssd: Network SSD.
     • network-hdd: Network HDD.
     • network-ssd-nonreplicated: Non-replicated SSD.
     • network-ssd-io-m3: Ultra high-speed network storage with three replicas (SSD).
   • parameters:kmsKeyId: Symmetric key ID.

5. Create a storage class:

   kubectl apply -f encrypted-storage-class.yaml
   

6. In the encrypted-pvc.yaml file, create a manifest for the new PersistentVolumeClaim:

   apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
     name: <PVC_name>
   spec:
     accessModes:
       - ReadWriteOnce
     storageClassName: <storage_class_name>
     resources:
       requests:
         storage: 4Gi
   

   Where:

   • metadata:name: Any name for the PersistentVolumeClaim.
   • spec:storageClassName: Name of the storage class you created earlier.

7. Create a PersistentVolumeClaim:

   kubectl apply -f encrypted-pvc.yaml
   

8. In the pod-with-encrypted-pvc.yaml file, create a manifest for the pod with a dynamically provisioned persistent volume:

   apiVersion: v1
   kind: Pod
   metadata:
     name: <pod_name>
   spec:
     containers:
       - name: app
         image: ubuntu
         command: ["/bin/sh"]
         args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
         volumeMounts:
           - name: persistent-storage
             mountPath: /data
     volumes:
       - name: persistent-storage
         persistentVolumeClaim:
           claimName: <PVC_name>
   

   Where:

   • metadata:name: Any name for the pod.
   • spec:volumes:persistentVolumeClaim:claimName: Name of the PersistentVolumeClaim you created earlier.

9. Create a pod:

   kubectl apply -f pod-with-encrypted-pvc.yaml
   

   After you create the pod, a new encrypted disk with k8s-csi prefixed to its name will appear under Compute Cloud in Disks in the management console.

See alsoSee also

• Volume
• Encryption in Managed Service for Kubernetes
• Encryption in Compute Cloud
• Dynamic volume provisioning
• Static volume provisioning
• Managing storage classes