Michael Ben-Nes

Reputation: 7645

Use gcloud self-encrypted disk with Kubernetes

I need to encrypt the data on a block device and allow the Pod to access it as a volume.

I noticed it's now possible on Google Cloud to encrypt a new disk using Customer-Supplied Encryption Keys.

Can I use a self-encrypted disk with Kubernetes and attach it to the Pod as a volume?

If not, is there any other way to encrypt a block device (for example with LUKS) and use it with Pods?

Upvotes: 3

Views: 484

Answers (2)

Eric Tune

Reputation: 8238

My reading of the Google docs (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) is that no key is required to mount the disk. The keys are only provided at disk creation time.

So, the following should work without changes to Kubernetes:

  1. Create an encrypted disk "myencrypteddisk" per https://cloud.google.com/compute/docs/disks/customer-supplied-encryption
  2. Create a pod which mounts a GCEPD called "myencrypteddisk".
  3. kubelet will mount the disk on the VM. Its compute scope should be enough to perform the mount, IIUC.

Upvotes: 1
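Steps 1 and 2 of the answer above as a script (an added example, not code from the answer or from Kubernetes/Google). It assumes gcloud and kubectl are installed and a project of your own; PROJECT, ZONE, the disk size and the Pod and image names are placeholders, while myencrypteddisk is the disk name the answer uses.

```shell
# Added example, not code from the answer or from Kubernetes/Google: Eric's
# steps 1 and 2 as a script. PROJECT, ZONE, the disk size and the pod/image
# names are assumptions; "myencrypteddisk" is the disk name from the answer.
set -eu
PROJECT="${PROJECT:-my-project}"; ZONE="${ZONE:-us-central1-a}"  # placeholders
DISK="myencrypteddisk"
# A fresh 256-bit key, base64-encoded: the form a "raw" CSEK must take.
new_csek_key() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d '\n'
}

# Key file for `gcloud compute disks create --csek-key-file`. The key lives
# only here (and wherever you escrow it); the Pod manifest never carries it.
csek_key_file() {  # $1 = base64 key
  printf '[{"uri": "https://www.googleapis.com/compute/v1/projects/%s/zones/%s/disks/%s", "key": "%s", "key-type": "raw"}]\n' \
    "$PROJECT" "$ZONE" "$DISK" "$1"
}

# Step 1: create the CSEK-encrypted disk (needs gcloud and a real project).
create_encrypted_disk() {  # $1 = path to key file
  gcloud compute disks create "$DISK" --project "$PROJECT" --zone "$ZONE" \
    --size 10GB --csek-key-file "$1"
}

# Step 2: a Pod that mounts the disk by name as a gcePersistentDisk volume.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: encrypted-disk-pod
spec:
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
    volumeMounts:
    - {name: data, mountPath: /data}
  volumes:
  - name: data
    gcePersistentDisk: {pdName: $DISK, fsType: ext4}
EOF
}
# Only touch GCP when explicitly asked: sh example.sh run
if [ "${1:-}" = "run" ]; then
  umask 077; csek_key_file "$(new_csek_key)" > csek.json
  create_encrypted_disk csek.json
  pod_manifest | kubectl apply -f -
fi
```

Without the `run` argument the script only defines the functions, so the key generation and manifest can be inspected before anything is created in the project.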

brendan

Reputation: 4136

There is currently no integration with this feature, but we should add it. I filed:

https://github.com/kubernetes/kubernetes/issues/13493

Currently you would have to encrypt each file individually and use Kubernetes secrets to distribute the keys to decrypt those files.

Upvotes: 0
