Introduction to CipherTrust Transparent Encryption for Kubernetes
Kubernetes is an open-source container-orchestration system that aims to provide a "platform for automating deployment, scaling, and operations of container workloads".
CTE for Kubernetes is an implementation of CipherTrust Transparent Encryption with native support for Kubernetes, delivered as a CSI (Container Storage Interface) driver. Unlike traditional CTE, product installation and GuardPoint management are done through Kubernetes. This means that as the cluster scales up with more nodes, CTE for Kubernetes scales with it. CTE for Kubernetes is designed to protect Kubernetes Persistent Storage Claims that are backed by storage with filesystem semantics.
In order to support customers with diverse workloads, registration to CipherTrust Manager has been decentralized from the operating system of the cluster nodes/hosts. Registration now happens through the use of Storage Classes, which allows a single cluster, and even a single node, to register different CTE for Kubernetes groups, each with a different set of policies and keys.
The CTE Agent and CSI driver are deployed as container images. CTE devices are exposed as Persistent Storage volumes, and customer application containers do not need to be modified.
This document shows some examples on how a customer can protect their pod’s persistent storage data through the use of CTE for Kubernetes.
Prerequisites
The CTE for Kubernetes solution requires the following:
- Kubernetes v1.22 or subsequent kubernetes.io releases
- Available Persistent Storage for protecting with CTE for Kubernetes
- CipherTrust Manager v2.8 and subsequent versions
- Kubernetes nodes with access to the Internet to fetch CTE for Kubernetes images from Docker Hub
- Public Docker Hub credentials for pulling the images
- Helm
- A working Kubernetes cluster that can be accessed using kubectl
Minimum System Requirements
| Pod Type | Memory | CPU |
|---|---|---|
| CTE CSI Controller | 512Mb | 1 |
| CTE CSI Node Server | 512Mb + 100Mb per GuardPoint | 2 |
| CTE CSI Staging pod | 5Mb | 0.1 |
Note
- Encryption CPU requirements on the node server are highly dependent on the workload that is accessing the CTE for Kubernetes encrypted volume. Additional CPU resources may be required depending on the expected number of IOPS for the application.
- Applying hard memory limits on the CTE for Kubernetes node server pods can result in the pod being evicted. This will cause a service interruption to the CTE for Kubernetes volume. Hard memory limits are not recommended for the CTE node server.
- Staging pods do not consume any CPU resources after starting, and only very minimal memory.
Audience
This document is intended for personnel responsible for maintaining your organization's security infrastructure. This includes security officers, key manager administrators, and network administrators.
All products manufactured and distributed by Thales Group are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only.
Thales expects that the users of this product are proficient with security concepts and knowledgeable in all aspects of Kubernetes cluster administration and management.
Users must be able to:
- Install the CTE for Kubernetes CSI driver
- Create RBAC (role-based access control) rules
- Add Persistent Storage Claims to a namespace within the Kubernetes cluster
Limitations
- Killing CTE CSI pods can leave a pod with protected volumes in an unusable state. Users should terminate all pods using a CTE protected volume before attempting to stop the CTE for Kubernetes service pods.
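The limitation above implies a pre-flight check before stopping the CTE for Kubernetes service pods: list every pod that still mounts a PVC bound to a CTE Storage Class. The following is an added example, not code from this document or from the Thales product; it assumes the CTE Storage Class is named `cte-sc` (a placeholder), consumes the JSON shape returned by `kubectl get pvc -A -o json` and `kubectl get pods -A -o json`, and embeds small constructed samples so it runs offline.

```python
import json

# Constructed sample in the shape of `kubectl get pvc -A -o json`.
SAMPLE_PVCS = json.dumps({"items": [
    {"metadata": {"name": "app-data", "namespace": "payments"},
     "spec": {"storageClassName": "cte-sc"}},
    {"metadata": {"name": "scratch", "namespace": "payments"},
     "spec": {"storageClassName": "standard"}},
    {"metadata": {"name": "logs", "namespace": "web"},
     "spec": {"storageClassName": "cte-sc"}},
]})

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "payments-api-0", "namespace": "payments"},
     "spec": {"volumes": [
         {"name": "data", "persistentVolumeClaim": {"claimName": "app-data"}},
         {"name": "tmp", "emptyDir": {}}]}},
    {"metadata": {"name": "batch-job-1", "namespace": "payments"},
     "spec": {"volumes": [
         {"name": "scratch", "persistentVolumeClaim": {"claimName": "scratch"}}]}},
    {"metadata": {"name": "web-7d9", "namespace": "web"},
     "spec": {"volumes": [
         {"name": "logs", "persistentVolumeClaim": {"claimName": "logs"}}]}},
    {"metadata": {"name": "web-7d9", "namespace": "staging"},  # same claim name, other namespace
     "spec": {"volumes": [
         {"name": "logs", "persistentVolumeClaim": {"claimName": "logs"}}]}},
]})

def cte_claims(pvc_json: str, storage_class: str) -> set:
    """Return (namespace, claimName) for every PVC bound to the given Storage Class."""
    pvcs = json.loads(pvc_json)["items"]
    return {(p["metadata"]["namespace"], p["metadata"]["name"])
            for p in pvcs if p["spec"].get("storageClassName") == storage_class}

def pods_using_cte_volumes(pod_json: str, pvc_json: str, storage_class: str) -> list:
    """List 'namespace/pod' for pods still mounting a PVC of the CTE Storage Class.
    PVC references are namespace-scoped, so the pod's namespace is part of the key."""
    protected = cte_claims(pvc_json, storage_class)
    hits = []
    for pod in json.loads(pod_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for vol in pod["spec"].get("volumes", []):
            claim = vol.get("persistentVolumeClaim", {}).get("claimName")
            if claim and (ns, claim) in protected:
                hits.append(f"{ns}/{name}")
                break  # one protected volume is enough to flag the pod
    return sorted(hits)

if __name__ == "__main__":  # live use: feed the real kubectl output instead of the samples
    for ref in pods_using_cte_volumes(SAMPLE_PODS, SAMPLE_PVCS, "cte-sc"):
        print("still using a CTE-protected volume:", ref)
```

An empty result means no workload still depends on a CTE-protected volume and the service pods can be stopped.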
Support for Managed Clouds
CTE for Kubernetes can be deployed in the following Cloud environments:
- Amazon Elastic Kubernetes Service (AWS)
- Azure Kubernetes Service (Azure)
- Google Kubernetes Engine (GKE)
- Red Hat OpenShift