Protecting Kubernetes Clients

This section describes how to protect Kubernetes (K8s) clients attached to storage groups.

To protect a K8s client:

1. Create a Kubernetes Storage Group

2. Apply a GuardPolicy to the Storage Group

3. Register the Kubernetes Client

These steps are described below.

Create a Kubernetes Storage Group

First of all, you need to create a K8s storage group on the CipherTrust Manager. A storage group refers to a combination of a K8s StorageClass and a K8s Namespace. It is used to group together different K8s pods running on different nodes with the same K8s StorageClass and K8s Namespace. Different storage groups can exist for the same combination of K8s StorageClass and K8s Namespace.

While creating a K8s storage group, the Namespace and StorageClass of the K8s cluster are required. Contact your K8s administrator for these details.

Refer to Creating Kubernetes Storage Groups for details.

Apply a GuardPolicy to the Storage Group

After you have created a K8s storage group, you need to apply a GuardPolicy to it. Until a GuardPolicy is applied, a K8s client attached to the storage group cannot be registered successfully with the CipherTrust Manager.

To add a GuardPolicy to the storage group:

1. Open the Transparent Encryption application.

2. In the left pane, click Clients > K8s Storage Groups. The list of K8s storage groups is displayed.

3. Under Name, click the storage group to which you want to apply a GuardPolicy. The detail view of the K8s storage group is displayed.

4. On the GuardPolicies tab, click Create GuardPolicy. The General Info screen is displayed.

   The Create GuardPolicy screen shows the list of available GuardPolicies. If no policies exist, you can create a new one. You can either select an available GuardPolicy or create a new one. This section describes how to create a new GuardPolicy to a storage group.

   Step 1: General Info

   1. Click Create Policy. The Create Policy wizard is displayed.

   2. Specify a unique Name for the policy. For example, csi-policy.

      • The name must start with a character. The maximum length can be 64 characters.

      • The name can contain alphanumeric characters, underscores ( _ ), and dashes ( - ).

      • The name cannot contain the following special characters:
        ? : ; | ! @ # $ % ^ & * < = > + ( ) { } ~ , \ / [ ] ' "

   3. Select CTE for Kubernetes as the Policy Type. This policy is required to protect K8s clients.

   4. (Optional) Turn on the Learn Mode toggle. A warning message is displayed indicating that the policy is in Learn Mode.

      

      Refer to Learn Mode for details. By default, the toggle is turned off.

   5. (Optional) Turn on the Restrict Update toggle. This option is used to restrict or allow any changes to the policy. By default, the toggle is turned off. This setting can be changed any time after the policy is created. Refer to Controlling Updates to Policies.

   6. Click Next. The Security Rules screen is displayed.

   Step 2: Security Rules

   1. Click Create Security Rule. The Create Security Rule dialog box is displayed.

   2. Specify the following details:

      Field	Description
      User Set	User set for the rule.
      Process Set	Process set for the rule.
      Resource Set	Resource set for the rule.
      Action	Actions for the rule. Refer to Actions for the complete list of supported actions.
      Effect	Effect permission and options for the rule. This is a mandatory field. By default, deny,audit is added.

      Refer to Step 2: Add Security Rules for details on the fields.

   3. Click Add. The newly created security rule appears in the list of security rules.

   4. Click Next. The Key Rules screen is displayed.

   Step 3: Add Key Rules

   If you added a security rule with the Effect ApplyKey on the Security Rules screen, then you must add at least one key rule.

   To add a key rule:

   1. Click Create Key Rule. The Create Key Rule dialog box is displayed.

   2. Select a Key Name. This is a mandatory field.

      1. Click Select next to the field. The Select Key dialog box shows the list of available keys.

         Optionally, you can create a new CBC-CS1 key on this dialog box by clicking Create a New Key. Refer to Step 3: Add Key Rules for details on the fields.

      2. Select the desired CBC-CS1 key. CTE for Kubernetes policies do not support XTS keys.

      3. Click Select. The selected key appears in the Key Name field.

   3. Click Add. The newly created key rule appears in the list of key rules.

   4. Click Next. The Confirmation screen is displayed.

   Step 4: Confirmation

   1. Verify the policy details. The Confirmation screen displays general information about the policy and details of the security and key rules added to the policy.

      If the details are incorrect or you want to modify them, click Back and update the details.

   2. Click Save.

   The newly created CTE for Kubernetes policy appears on the Create GuardPolicy dialog box. Similarly, add as many policies as required.

5. Select the desired policy.

6. Click Save.

The newly created GuardPolicy is displayed on the GuardPolicies tab.

Register the Kubernetes Client

Registration is the process of configuring a Kubernetes (K8s) client with a CipherTrust Manager. This process creates SSL certificates for further communication between the CipherTrust Manager and the K8s client. Refer to Registering Clients for details.

After registration, the K8s client can communicate with the CipherTrust Manager. All the GuardPolicies applied to the K8s storage group are automatically added to the K8s client. The client configuration is then built for K8s client (exactly like a CTE client) and sent to the client.

After successful registration, the K8s client appears on the K8s Clients page of the CipherTrust Manager GUI. The client status becomes Healthy.