Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

Deploy a CTE for Kubernetes Volume

Allow only Trusted Pods to mount to CTE for Kubernetes volumes

search

Allow only Trusted Pods to mount to CTE for Kubernetes volumes

CTE for Kubernetes allows only trusted pods to access protected data volumes and attach to CTE for Kubernetes claims if you activate this optional feature. CTE for Kubernetes uses signature sets to validate the pod as trusted. Signatures are in the form of key-value pairs which contain the image name and the corresponding hash value. After mapping the image signature with the received signature set, CTE for Kubernetes will allow, or prevent, mounting of the the encrypted volume.

Overview of CTE for Kubernetes for Support for Trusted Pods

Support for Trusted Pods is disabled by default. At least one signature set, with a container image digest, must be attached to a security policy to enable this feature. When the request to mount/publish the volume is received:

  1. CTE for Kubernetes determines whether Support for Trusted Pods is enabled or not by scanning for the presence of signature rules.

  2. Support for Trusted Pods is skipped (default case) if the security policy does not include container signature sets.

  3. CTE for Kubernetes fetches the digests for all containers in the running pod.

  4. CTE for Kubernetes tries to match the digests of running pods to a container image signature set. Support for Trusted Pods is considered successful only if all digests within a running pod have an entry in same signature set.

  5. CTE for Kubernetes checks the logs to determine if it succeeded. If no signature rules exist, the Support for Trusted Pods is disabled.

  6. A new container named cte-csi-signer is added to a controller pod. It will monitor CTE for Kubernetes storage classes for the following operations: creation, deletion and updating. It manages automatic registration as a signer service to CipherTrust Manager.

Workflow for obtaining a Signature Set on CipherTrust Manager and adding it to a Policy

  1. After signing the container image for a specific storage class and namespace, it should display in CipherTrust Manager in the Kubernetes client.

  2. Add a container image source and select a client for signing in the Signature Set page.

  3. Selecting a client for signing.

    K8s Signature Set

  4. Displays a message after a successful signing operation.

    K8s Signature Set

Creating a Signature Set on CipherTrust Manager and adding it to the Policy

Create the signature set in CipherTrust Manager:

  1. See Creating Signature Sets for Container Images. Follow those instructions for creating your Signature Set.

  2. Add the following as a signature rule in the Kubernetes policy to enable Trusted Pod enforcement:

    • Signature set, which contains all of the signatures for all of the containers to which you want to have access

    Unlike normal CipherTrust Manager signature sets, CTE for Kubernetes signature sets do not attach to process sets.

On this page