csi: add cephfs encryption support #14199
df2dbed to fdd5df5
Should we also document how to use CephFS + fscrypt?
Yes, ideally, @parth-gr, but currently I don't have an official ISO image that supports kernel 6.6 and works with Minikube for development purposes. However, if it's acceptable to leave the kernel-related details to the reader, I can proceed with documenting the process and create some deployment examples.
Let's wait for their ideas @travisn @iamniting
While talking to @Rakshith-R I got to know we also need the below permissions in both the ClusterRoles:

```yaml
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["serviceaccounts/token"]
  verbs: ["create"]
```
fdd5df5 to 1e6f92c
Thanks for pointing it out, I had only used it with a secret directly and thus I missed this detail!
This has expanded to more than helm. How about the commit prefix `manifest:`, and also more description in the commit message for the privileges being added?
The changes look good to me; I leave the other decisions to Travis.
1e6f92c to fd795ce
2b83d43 to f74e4be
Thanks @travisn for pointing out that the commit message was not descriptive, sorry for that! Also managed to close the PR once while updating it 😅
We should have the feature documented IMO, with this PR or a follow-up. Never mind.
LGTM, @Rakshith-R please also review
Thanks, it looks good to me.
If the target is only to update RBAC, the changes look good, but for a complete implementation: as per https://rook.io/docs/rook/latest-release/Storage-Configuration/Ceph-CSI/ceph-csi-drivers/?h=encryption#enable-rbd-encryption-support we enable the key `CSI_ENABLE_ENCRYPTION` in the configmap, and when this key is set we need to mount the configmap into cephfs as well, like we do for rbd, which is missing in this PR.
I see your point @Madhu-1, I did not initially consider it in this PR as it is outside the scope of the issue I submitted. However, I am not opposed to extending the scope of this PR, as it would probably make the most sense to finish it all at once, depending on what others who have partaken in the conversation think? I should be able to extend this PR in reasonable time. I found the rbd PR #9940 for reference.
@NymanRobin yes you are correct, thanks for looking for the RBD implementation as well. For me the change is not that big; we can accommodate it in this PR and get it done instead of sending one more PR for implementation and documentation.
f74e4be to 51ec490
Ceph-CSI support for fscrypt encryption of cephfs. To achieve this, this commit adds the capability of mounting the required `rook-ceph-csi-kms-config` configmap into the csi-cephfsplugin-provisioner and nodeplugin pods. Further, it modifies the ClusterRoles `cephfs-csi-nodeplugin` and `cephfs-external-provisioner-runner` to grant the privileges required for reading encryption configuration and fetching encryption secrets from either kubernetes secrets or a Key Management System (KMS). These privileges are essential for the proper functioning of ceph-csi-cephfs with fscrypt encryption.

The following privileges have been added:

- `secrets/get`: Allows reading of secrets for encryption.
- `configmaps/get`: Grants access to configuration maps; this is used to read encryption configuration.
- `serviceaccounts/get`: Enables retrieval of service accounts for authentication to KMS and for retrieving encryption secrets stored there.
- `serviceaccounts/token/create`: Allows creation of service account tokens, which are required for authenticating requests to KMS when retrieving encryption secrets.

The commit also updates the csi documentation to include cephfs in the encryption section, with examples updated accordingly.

Signed-off-by: NymanRobin <[email protected]>
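The four privileges listed above (and the two `serviceaccounts` rules pointed out earlier in the thread) are exactly the kind of grant a reviewer wants to verify from a least-privilege angle: each is needed by the fscrypt/KMS path, but a sloppier rule (say `list`/`watch` on `secrets`) would turn the plugin's service account into a cluster-wide secret reader. The following is an added example, not Rook's or ceph-csi's code: it models Kubernetes RBAC rule matching (`apiGroups`/`resources`/`verbs`, with `*` wildcards and `resource/subresource` names) as a hypothetical helper and checks a set of `PolicyRule`s for both missing and excess permissions. The two rule sets at the bottom are constructed samples; the first is the minimal form of what this PR adds, the second is an intentionally over-broad variant.

```python
"""Least-privilege review of ClusterRole rules for the CephFS CSI fscrypt/KMS path.

Hypothetical helper written for this thread; it is not Rook's or ceph-csi's
own code. Rules are plain dicts shaped like a Kubernetes PolicyRule.
"""

# The (apiGroup, resource, verb) triples named in the PR description.
REQUIRED = {
    ("", "secrets", "get"),
    ("", "configmaps", "get"),
    ("", "serviceaccounts", "get"),
    ("", "serviceaccounts/token", "create"),
}

# Core resources where anything beyond REQUIRED is worth flagging in review.
SENSITIVE = {"secrets", "serviceaccounts", "serviceaccounts/token"}

# Standard Kubernetes resource verbs, used to enumerate what a rule grants.
ALL_VERBS = ["get", "list", "watch", "create", "update", "patch",
             "delete", "deletecollection"]


def _matches(pattern, value):
    """RBAC wildcard semantics: '*' matches anything, otherwise exact match."""
    return pattern == "*" or pattern == value


def rule_grants(rule, group, resource, verb):
    """True if a single PolicyRule grants (group, resource, verb)."""
    return (any(_matches(g, group) for g in rule.get("apiGroups", []))
            and any(_matches(r, resource) for r in rule.get("resources", []))
            and any(_matches(v, verb) for v in rule.get("verbs", [])))


def missing_permissions(rules):
    """Required triples that no rule in the ClusterRole grants."""
    return sorted(p for p in REQUIRED
                  if not any(rule_grants(r, *p) for r in rules))


def excess_on_sensitive(rules):
    """Triples on sensitive core resources that are granted but not required."""
    excess = set()
    for rule in rules:
        for res in SENSITIVE:
            for verb in ALL_VERBS:
                if rule_grants(rule, "", res, verb) and ("", res, verb) not in REQUIRED:
                    excess.add(("", res, verb))
    return sorted(excess)


def review(rules):
    """Summary a reviewer can act on: what is missing and what is too broad."""
    return {"missing": missing_permissions(rules),
            "excess": excess_on_sensitive(rules)}


# Constructed sample: the minimal rules matching the PR description.
PR_RULES = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
]

# Constructed sample: over-broad on secrets and missing the token grant.
BROAD_RULES = [
    {"apiGroups": [""], "resources": ["secrets", "configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get"]},
]

if __name__ == "__main__":
    for name, rules in (("PR_RULES", PR_RULES), ("BROAD_RULES", BROAD_RULES)):
        print(name, review(rules))
```

Running it reports an empty `missing` and `excess` list for the PR's rules, while the broad variant is flagged for granting `list` and `watch` on `secrets` and for lacking `serviceaccounts/token` `create`. The same check applies to both ClusterRoles the commit touches, since the thread notes the permissions are needed in both.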
51ec490 to 05315ae
I have updated the pull request to include the mounting of the ConfigMap and the relevant documentation.
This change fixes #14035.