Managing Kubernetes Clients
Register and view Kubernetes (K8s) clients on the K8s Clients page of the CipherTrust Manager GUI.
Every node of a Kubernetes cluster consumes one CTE for Kubernetes license. The license applies to worker nodes where CSI is attached to the application pod. Refer to CTE Licensing Model for details.
Registering Kubernetes Clients
Registration is the process of configuring a Kubernetes (K8s) client with a CipherTrust Manager. This process creates SSL certificates for further communication between the CipherTrust Manager and the K8s client. Refer to Registering Clients for details.
After registration, the K8s client can communicate with the CipherTrust Manager. All the GuardPolicies applied to the K8s storage group are automatically added to the K8s client. The client configuration is then built for the K8s client (exactly like a CTE client) and sent to the client.
After successful registration, the K8s client appears on the K8s Clients page of the CipherTrust Manager GUI. The client status becomes Healthy.
Note
All the K8s clients that you want to attach to a storage group must have the same K8s Namespace and K8s StorageClass.
Viewing Details of Kubernetes Clients
The K8s Clients page shows the total number of K8s clients, clients with errors, clients with warnings, and healthy clients. The Status Bar contains the following tabs:
Total Clients : Shows the total number of registered clients with all types of health status.
Errors : Shows the number of clients with errors.
Warnings : Shows the number of clients with warnings.
Healthy : Shows the number of healthy clients.
Refer to Client States for details.
Click each tab to filter the K8s clients. The clients list displays names of clients in the CipherTrust Manager database and details about their configuration.
To view the details of a K8s client:
Open the Transparent Encryption application.
In the left pane, click Clients > K8s Clients. The list of K8s clients registered with the CipherTrust Manager is displayed. The following details are displayed:
Column : Description
Status : Health status of the K8s client.
Client Name : Name of the K8s client registered with the CipherTrust Manager. The name is a combination of:
• The node on which the K8s client is running
• The linked StorageClass
• The namespace where the K8s client pod runs
• A random string
Agent Version : Version of the CTE for Kubernetes Agent installed on the K8s client.
Description : Description of the K8s client.
Reregistration and Reenrollment
Unlike a CTE client, when a K8s client crashes or stops, it does not persist any information about its previous interaction with the CipherTrust Manager.
If you try to reregister the K8s client with the same name (<node-name>_<csi-storage-class>_<csi-namespace>), the client is registered as a new client (with a new random string _<random-string> appended to its name).
After registration:
K8s client sends the enrollment request to the CipherTrust Manager.
CipherTrust Manager checks the request for the node name, namespace, and StorageClass.
CipherTrust Manager removes the existing registration entry of the client (with the old random string).
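An added example (not part of the product documentation): a script that groups client names by node, StorageClass, and namespace to spot identities that still have more than one registration entry after a reregistration. The (name, status) input rows are constructed, and the parser assumes no field of the name contains an underscore.

```python
from collections import defaultdict

# Constructed sample rows (client name, status), not from a real deployment.
SAMPLE_CLIENTS = [
    ("worker-1_cte-sc_prod_a1b2c3", "Healthy"),
    ("worker-1_cte-sc_prod_9f8e7d", "Error"),
    ("worker-2_cte-sc_prod_77aa10", "Healthy"),
    ("worker-3.example.internal_cte-sc_prod_c0ffee", "Warning"),
    ("legacy-client", "Healthy"),
]


def parse_client_name(name):
    """Split <node>_<storage-class>_<namespace>_<random-string> into 4 fields.

    Assumption: no field contains '_'. Kubernetes disallows '_' in node,
    StorageClass and namespace names; the random string is assumed alike.
    """
    parts = name.split("_")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"unexpected K8s client name: {name!r}")
    return tuple(parts)


def find_duplicate_registrations(clients):
    """Group entries by (node, StorageClass, namespace).

    Returns (duplicates, unparsed): identities with more than one entry,
    each mapped to its (random_string, status) pairs, and names that do
    not match the documented pattern.
    """
    groups, unparsed = defaultdict(list), []
    for name, status in clients:
        try:
            node, storage_class, namespace, rand = parse_client_name(name)
        except ValueError:
            unparsed.append(name)
            continue
        groups[(node, storage_class, namespace)].append((rand, status))
    duplicates = {k: v for k, v in groups.items() if len(v) > 1}
    return duplicates, unparsed


if __name__ == "__main__":
    duplicates, unparsed = find_duplicate_registrations(SAMPLE_CLIENTS)
    for identity, entries in duplicates.items():
        print(" / ".join(identity), "->", entries)
    print("names not matching the pattern:", unparsed)
```

The random string carries no ordering, so the script cannot tell which entry is the current one; compare the reported statuses on the K8s Clients page before removing anything.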
Viewing GuardPolicies Applied to Kubernetes Clients
To view the GuardPolicies applied to a K8s client:
Open the Transparent Encryption application.
In the left pane, click Clients > K8s Clients. The list of K8s clients registered with the CipherTrust Manager is displayed.
Under Client Name, click the desired client link. The detail view of the K8s client is displayed. The GuardPolicies tab shows the list of GuardPolicies applied to the K8s client.
Under Policy, click the expand icon to the left of the desired policy. The following policy details are displayed:
Column : Description
Pod : Name of the K8s pod.
CTE PVC Name : Name of the CTE PVC.
K8s PVC Name : Name of the K8s PVC.
K8s PVC Phase : Name of the K8s PVC phase.
StorageClass : Name of the K8s StorageClass.
CTE Guard Name : Name of the CTE GuardPolicy.
Deleting Kubernetes Clients with Error Status
Kubernetes clients with the Error status can be deleted from the CipherTrust Manager GUI. Kubernetes clients with any other status cannot be deleted.
To delete such a Kubernetes client:
Open the Transparent Encryption application.
In the left pane, click Clients > K8s Clients. The list of K8s clients registered with the CipherTrust Manager is displayed.
Click the Delete button corresponding to the erroneous Kubernetes client (with the status "Error") that you want to delete. A dialog box appears prompting you to confirm the action.
Deleting a client is permanent and cannot be undone.
Click Delete.
A request to delete the client is submitted successfully to the CTE Agent. After the CipherTrust Manager receives confirmation from the CTE Agent, the Kubernetes client is deleted and its entry is removed from the K8s Clients page.
Note
You can force delete the Kubernetes clients from the CipherTrust Manager. Run the delete API, and set "force_del_client": true.