Merge pull request #48347 from xenolinux/encrypt-kms

bergerhoffer · web-flow · commit 0188df43adf5 · 2022-08-30T11:51:22.000-04:00
BZ2070625: Encrypting EBS instance volumes with a KMS key
diff --git a/modules/storage-persistent-storage-volume-encrypt-with-kms-key.adoc b/modules/storage-persistent-storage-volume-encrypt-with-kms-key.adoc
@@ -0,0 +1,82 @@
+// Module included in the following assemblies:
+//
+// * storage/persistent_storage-aws.adoc
+
+:_content-type: PROCEDURE
+[id="aws-container-persistent-volumes-encrypt_{context}"]
+= Encrypting container persistent volumes on AWS with a KMS key
+
+Defining a KMS key to encrypt container-persistent volumes on AWS is useful when you have explicit compliance and security guidelines when deploying to AWS.
+
+.Prerequisites
+
+* Underlying infrastructure must contain storage.
+* You must create a customer KMS key on AWS.
+
+.Procedure
+
+. Create a storage class:
++
+[source,yaml]
+----
+$ cat << EOF | oc create -f -
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: <storage-class-name> <1>
+parameters:
+  fsType: ext4 <2>
+  encrypted: "true"
+  kmsKeyId: keyvalue <3>
+provisioner: ebs.csi.aws.com
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+EOF
+----
+<1> Specifies the name of the storage class.
+<2> File system that is created on provisioned volumes.
+<3> Specifies the full Amazon Resource Name (ARN) of the key to use when encrypting the container-persistent volume. If you do not provide any key, but the `encrypted` field is set to `true`, then the default KMS key is used. See link:https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html[Finding the key ID and key ARN on AWS] in the AWS documentation.
+
+. Create a persistent volume claim (PVC) with the storage class specifying the KMS key:
++
+[source,yaml]
+----
+$ cat << EOF | oc create -f -
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mypvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  storageClassName: <storage-class-name>
+  resources:
+    requests:
+      storage: 1Gi
+EOF
+----
+
+. Create workload containers to consume the PVC:
++
+[source,yaml]
+----
+$ cat << EOF | oc create -f -
+kind: Pod
+metadata:
+  name: mypod
+spec:
+  containers:
+    - name: httpd
+      image: quay.io/centos7/httpd-24-centos7
+      ports:
+        - containerPort: 80
+      volumeMounts:
+        - mountPath: /mnt/storage
+          name: data
+  volumes:
+    - name: data
+      persistentVolumeClaim:
+        claimName: mypvc
+EOF
+----
diff --git a/storage/persistent_storage/persistent-storage-aws.adoc b/storage/persistent_storage/persistent-storage-aws.adoc
@@ -17,7 +17,7 @@ AWS Elastic Block Store volumes can be provisioned dynamically.
 Persistent volumes are not bound to a single project or namespace; they can be
 shared across the {product-title} cluster.
 Persistent volume claims are specific to a project or namespace and can be
-requested by users.
+requested by users. You can define a KMS key to encrypt container-persistent volumes on AWS. 
 
 [IMPORTANT]
 ====
@@ -52,6 +52,8 @@ include::modules/storage-persistent-storage-volume-format.adoc[leveloffset=+1]
 
 include::modules/storage-persistent-storage-aws-maximum-volumes.adoc[leveloffset=+1]
 
+include::modules/storage-persistent-storage-volume-encrypt-with-kms-key.adoc[leveloffset=+1]
+
 [id="additional-resources_persistent-storage-aws"]
 [role="_additional-resources"]
 == Additional resources
