Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Managing Kubernetes Storage Groups and Clients

Managing Kubernetes Clients

search
suggest an edit

Managing Kubernetes Clients

Register and view Kubernetes (K8s) clients on the K8s Clients page of the CipherTrust Data Security Platform Service GUI.

Every node of a Kubernetes cluster consumes one CTE for Kubernetes flex advanced service. The flex advanced service applies to worker nodes where CSI is attached to the application pod. Refer to Get Started with CipherTrust Data Security Platform Services for details.

CDSPaaS supports CTE-K8s client 1.5 and above. Each CDSPaaS service supports up to 50 clients. We recommend up to 100 guardpoints per client. Contact Thales to set up deployments with more than 50 clients or more than 5000 guardpoints.

copy link to clipboardRegistering Kubernetes Clients

Registration is the process of configuring a Kubernetes (K8s) client with a CipherTrust Data Security Platform Service.

After registration, the K8s client can communicate with the CipherTrust Data Security Platform Service. All the GuardPolicies applied to the K8s storage group are automatically added to the K8s client. The client configuration is then built for K8s client (exactly like a CTE client) and sent to the client.

After successful registration, the K8s client appears on the K8s Clients page of the CipherTrust Data Security Platform Service GUI. The client status becomes Healthy.

Note

All the K8s clients that you want to attach to a storage group must have the same K8s Namespace and K8s StorageClass.

copy link to clipboardViewing Details of Kubernetes Clients

The K8s Clients page shows the total number of K8s clients, clients with errors, clients with warnings, and healthy clients. The Status Bar contains the following tabs:

  • Total Clients: Shows the total number of registered clients with all types of health status.

  • Errors: Shows the number of clients with errors.

  • Warnings: Shows the number of clients with warnings.

  • Healthy: Shows the number of healthy clients.

Refer to Client States for details.

Click each tab to filter the K8s clients. The clients list displays names of clients in the CipherTrust Data Security Platform Service database and details about their configuration.

To view the details of a K8s client:

  1. Open the Transparent Encryption application.

  2. In the left pane, click Clients > K8s Clients. The list of K8s clients registered with the CipherTrust Data Security Platform Service is displayed. The following details are displayed:

    ColumnDescription
    StatusHealth status of the K8s client.
    Client NameName of the K8s client registered with the CipherTrust Data Security Platform Service. The name is a combination of:
    • The node on which the K8s client is running
    • The linked StorageClass
    • The namespace where the K8s client pod runs
    • A random string
    Agent VersionVersion of the CTE for Kubernetes Agent installed on the K8s client.
    DescriptionDescription of the K8s client.

copy link to clipboardReregistration and Reenrollment

Unlike a CTE client, when a K8s client crashes or stops, it does not persist any information about its previous interaction with the CipherTrust Data Security Platform Service.

If you try to reregister the K8s client with same name (<node-name>_<csi-storage-class>_<csi-namespace>), the client is registered as a new client (with a new random string _<random-string> appended to its name).

After registration:

  1. K8s client sends the enrollment request to the CipherTrust Data Security Platform Service.

  2. CipherTrust Data Security Platform Service checks the request for the node name, namespace, and StorageClass.

  3. CipherTrust Data Security Platform Service removes the existing registration entry of the client (with the old random string).

copy link to clipboardViewing GuardPolicies Applied to Kubernetes Clients

To view the GuardPolicies applied to a K8s client:

  1. Open the Transparent Encryption application.

  2. In the left pane, click Clients > K8s Clients. The list of K8s clients registered with the CipherTrust Data Security Platform Service is displayed.

  3. Under Client Name, click the desired client link. The detail view of the K8s client is displayed. The GuardPolicies tab shows the list GuardPolicies applied to the K8s client.

  4. Under Policy, click the expand icon (Expand Icon) to the left of the desired policy. The following policy details are displayed:

    ColumnDescription
    PodName of the K8s pod.
    CTE PVC NameName of the CTE PVC.
    K8s PVC NameName of the K8s PVC.
    K8s PVC PhaseName of the K8s PVC phase.
    StorageClassName of the K8s StorageClass.
    CTE Guard NameName of the CTE GuardPolicy.

copy link to clipboardDeleting Kubernetes Clients with Error Status

The Kubernetes clients with the Error status can be deleted from the CipherTrust Data Security Platform Service GUI. Kubernetes clients with other status cannot be deleted.

To delete such a Kubernetes client:

  1. Open the Transparent Encryption application.

  2. In the left pane, click Clients > K8s Clients. The list of K8s clients registered with the CipherTrust Data Security Platform Service is displayed.

  3. Click the Delete button corresponding to the erroneous Kubernetes client (with the status "Error") that you want to delete. A dialog box appears prompting to confirm the action.

    Deleting a client is permanent and cannot be undone.

  4. Click Delete.

A request to delete the client is submitted successfully to the CTE Agent. After the CipherTrust Data Security Platform Service receives confirmation from the CTE Agent, the Kubernetes client is deleted and its entry is removed from the K8s Clients page.

On this page