Using encrypted disks for persistent volumes

Managed Service for Kubernetes supports the use of Compute Cloud disks encrypted with custom Yandex Key Management Service symmetric keys for persistent volumes.

You can use encrypted disks for both static and dynamic preparation of persistent volumes.

Static volume provisioningStatic volume provisioning

1. Create a symmetric key in Key Management Service.

2. Create an encrypted disk using the key you created earlier.

   Save the ID of the disk. You will need it later.

3. Assign the kms.keys.encrypterDecrypter role for a key or folder to the cloud service account of the Managed Service for Kubernetes cluster.

4. Prepare a persistent volume. In the manifest of the PersistentVolume object, specify the ID of the created disk in the spec:csi:volumeHandle parameter.

Dynamic volume provisioningDynamic volume provisioning

1. Create a symmetric key in Key Management Service.

   Save the ID of the key. You will need it later.

2. Assign the kms.keys.encrypterDecrypter role for a key or folder to the cloud service account of the Managed Service for Kubernetes cluster.

3. Install kubect and configure it to work with the new cluster.

4. In the encrypted-storage-class.yaml file, create a manifest for the new storage class:

   kind: StorageClass
   apiVersion: storage.k8s.io/v1
   metadata:
     name: <storage_class_name>
   provisioner: disk-csi-driver.mks.ycloud.io
   volumeBindingMode: WaitForFirstConsumer
   parameters:
     type: <disk_type>
     csi.storage.k8s.io/fstype: ext4
     kmsKeyId: <symmetric_key_ID>
   allowVolumeExpansion: true
   reclaimPolicy: Delete
   

   Where:

   • metadata:name: Random storage class name.
   • parameters:type: Disk type in Compute Cloud. The possible values are:
     • network-ssd: Network SSD.
     • network-hdd: Network HDD.
     • network-ssd-nonreplicated: Non-replicated SSD.
     • network-ssd-io-m3: Ultra high-speed network storage with three replicas (SSD).
   • parameters:kmsKeyId: Symmetric key ID.

5. Create a storage class:

   kubectl apply -f encrypted-storage-class.yaml
   

6. In the encrypted-pvc.yaml file, create a manifest for the new PersistentVolumeClaim object:

   apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
     name: <PVC_name>
   spec:
     accessModes:
       - ReadWriteOnce
     storageClassName: <storage_class_name>
     resources:
       requests:
         storage: 4Gi
   

   Where:

   • metadata:name: Random name for the PersistentVolumeClaim object.
   • spec:storageClassName: Name of the storage class created earlier.

7. Create the PersistentVolumeClaim object:

   kubectl apply -f encrypted-pvc.yaml
   

8. In the pod-with-encrypted-pvc.yaml file, create a manifest for the pod with a dynamically prepared persistent volume:

   apiVersion: v1
   kind: Pod
   metadata:
     name: <pod_name>
   spec:
     containers:
       - name: app
         image: ubuntu
         command: ["/bin/sh"]
         args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
         volumeMounts:
           - name: persistent-storage
             mountPath: /data
     volumes:
       - name: persistent-storage
         persistentVolumeClaim:
           claimName: <PVC_name>
   

   Where:

   • metadata:name: Random name for the pod.
   • spec:volumes:persistentVolumeClaim:claimName: Name of the PersistentVolumeClaim object created earlier.

9. Create a pod.

   kubectl apply -f pod-with-encrypted-pvc.yaml
   

   After creating a pod in the management console in Compute Cloud in the Disks section, a new encrypted disk will appear with the k8s-csi prefix in the name.

See alsoSee also

• Volume
• Encryption in Managed Service for Kubernetes
• Encryption in Compute Cloud
• Dynamic volume provisioning
• Static volume provisioning
• Managing storage classes