Add Encryption to dynamic provisioner #30792
Comments
Added to #29006 via jsafrane#7
If we add any more non-essential changes to #29006, I will personally NAK that PR until 1.5. That PR is too hard to review as it is. If you want to get this in, send a followup PR with this change as the last commit, and if we get to it, great. Sending a PR on Wednesday 2 days before code freeze does not mean you actually caught the train. It means you are queued up outside the station waiting for a ticket with the rest of the throng. Sorry to come off coarse, but I have done nothing but code review for weeks, and that PR in particular is a BEAR.
I looked at your PR. It's probably fine, but PLEASE PLEASE do it as a
On Wed, Aug 17, 2016 at 10:28 PM, Tim Hockin notifications@github.com
I have some comments and yes, please wait until the large PR is merged. It's complicated enough already.
I'm happy to do a follow-up PR. Thanks for allowing this small addition. I'm glad to have caught the train.
Do we have any similar solution for NFS persistent volumes?
@bambrozio, https://aws.amazon.com/blogs/aws/new-encryption-of-data-in-transit-for-amazon-efs/ was just released, allowing TLS when mounting an (existing) EFS volume on AWS. I guess that both at-rest encryption and in-transit encryption would have to be added as an option to any EFS provisioner (currently there's one in kubernetes-incubator/external-storage). It may be possible to use in-transit encryption standalone with pre-provisioned EFS volumes, though, by specifying the fsType as efs when using local storage.
It looks like now encryption is not supported for static volumes (those with "awsElasticBlockStore")
Automatic merge from submit-queue
Add encryption to EBS dynamic provisioner
Resolves kubernetes/kubernetes#30792
Adds encryption to the EBS cloud provider and provisioner. Follow up to #29006 (all commits but the one in this PR will drop out).
@kubernetes/sig-storage
```release-note
```
Summary
Encrypted volumes are a commonly requested feature for Kubernetes storage, and requirements exist downstream to use encrypted volumes.
The following is a summary of the three cloud providers that allow dynamic provisioning and the current state of volume encryption for each.
TL;DR: Add encryption support for EBS PersistentVolumes. AWS has optional encryption and allows key via the API. GCE encrypts volumes by default but does not allow user-defined keys in the API. GCE allows custom keys via manual volume creation in the UI. Cinder volumes can be manually created w/ encryption.
@kubernetes/sig-storage @abhgupta
@thockin @saad-ali I'm going to follow up with a PR today/tomorrow to meet the 1.4 cutoff on Friday.
Encryption by Cloud Provider
AWS
See:
GCE
See:
Cinder
See:
Proposed
Workflow:
Implementation details:
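The proposal above asks the EBS provisioner to take an "encrypted" flag and an optional customer key from the StorageClass and pass them into volume creation. The following Go program is an added illustration of that flow, not code from this issue or from the Kubernetes AWS cloud provider. The parameter names `encrypted` and `kmsKeyId` follow the in-tree aws-ebs StorageClass parameters; every type and function name (`VolumeOptions`, `ParseStorageClassParams`, `BuildCreateVolumeRequest`, `UnencryptedVolumes`) and the inventory data are this example's own constructions. It also covers the later comment that statically referenced `awsElasticBlockStore` volumes get no encryption: the audit helper flags such plaintext volumes from a DescribeVolumes-style listing.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// VolumeOptions is a hypothetical, trimmed-down stand-in for the options a
// dynamic provisioner derives from StorageClass parameters (example type,
// not the Kubernetes AWS cloud provider's own).
type VolumeOptions struct {
	VolumeType string
	Encrypted  bool
	KmsKeyID   string // empty means "use the account's default EBS key"
}

// ParseStorageClassParams turns the free-form StorageClass parameter map into
// typed options. Keys are matched case-insensitively; unknown keys are rejected
// so a typo such as "encrpyted" cannot silently yield a plaintext volume.
func ParseStorageClassParams(params map[string]string) (VolumeOptions, error) {
	opts := VolumeOptions{VolumeType: "gp2"}
	for k, v := range params {
		switch strings.ToLower(k) {
		case "type":
			opts.VolumeType = v
		case "encrypted":
			b, err := strconv.ParseBool(v)
			if err != nil {
				return VolumeOptions{}, fmt.Errorf("invalid encrypted value %q: %w", v, err)
			}
			opts.Encrypted = b
		case "kmskeyid":
			opts.KmsKeyID = v
		default:
			return VolumeOptions{}, fmt.Errorf("unknown StorageClass parameter %q", k)
		}
	}
	// A custom key only makes sense for an encrypted volume; refuse the
	// combination rather than creating a plaintext volume and dropping the key.
	if opts.KmsKeyID != "" && !opts.Encrypted {
		return VolumeOptions{}, errors.New("kmsKeyId requires encrypted=true")
	}
	return opts, nil
}

// CreateVolumeRequest mirrors the fields of an EC2 CreateVolume call that the
// provisioner would populate (constructed for this example; not the SDK type).
type CreateVolumeRequest struct {
	VolumeType string
	Encrypted  bool
	KmsKeyID   string
}

// BuildCreateVolumeRequest maps parsed options onto the request. Encryption is
// decided at creation time because an existing EBS volume cannot be encrypted
// in place.
func BuildCreateVolumeRequest(opts VolumeOptions) CreateVolumeRequest {
	return CreateVolumeRequest{
		VolumeType: opts.VolumeType,
		Encrypted:  opts.Encrypted,
		KmsKeyID:   opts.KmsKeyID,
	}
}

// VolumeDescription is a constructed stand-in for the subset of a
// DescribeVolumes result an auditor needs.
type VolumeDescription struct {
	VolumeID  string
	Encrypted bool
}

// UnencryptedVolumes returns the IDs of volumes created without encryption,
// for example pre-created volumes bound through a static awsElasticBlockStore
// PersistentVolume, which the provisioner's parameters never applied to.
func UnencryptedVolumes(vols []VolumeDescription) []string {
	var out []string
	for _, v := range vols {
		if !v.Encrypted {
			out = append(out, v.VolumeID)
		}
	}
	return out
}

func main() {
	// Constructed StorageClass parameters; the key ARN is a placeholder.
	params := map[string]string{
		"type":      "gp2",
		"encrypted": "true",
		"kmsKeyId":  "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
	}
	opts, err := ParseStorageClassParams(params)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", BuildCreateVolumeRequest(opts))

	// Constructed inventory: one dynamically provisioned encrypted volume and
	// one pre-existing plaintext volume bound through a static PersistentVolume.
	inventory := []VolumeDescription{
		{VolumeID: "vol-0aaa", Encrypted: true},
		{VolumeID: "vol-0bbb", Encrypted: false},
	}
	fmt.Println("unencrypted:", UnencryptedVolumes(inventory))
}
```

The two validation rules (reject unknown keys, reject a key ID without `encrypted=true`) are the parts worth keeping in any real provisioner: both failure modes otherwise produce a volume that is silently unencrypted, which is exactly the outcome the downstream requirements mentioned above are meant to rule out.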