Volume Cloning Support

A clone is an exact duplicate of an existing Kubernetes Volume. It can be consumed as any standard Volume would be consumed. A Volume clone allows for specifying existing PVCs in the dataSource field of the .yaml file to indicate that you want to clone a volume.

Considerations

• Cloning support is only available with dynamic volume provisioning. Cloning cannot occur on static/manual volumes.

  Make sure that the storage provisioning driver that you use supports dynamic volume provisioning and volume cloning support. Check the storage driver list and respective storage driver documentation (CSI Drivers doc) to ensure support.

• You can only clone a PVC when it exists in the same namespace as the destination PVC.

• Newly created PVCs are independent objects. They can be consumed, cloned, snapshot, or deleted independently and without consideration for the original source PVC. This means that the source is not linked to the newly-created clone so it can be modified or deleted without affecting the original clone.

• The source CTE-PVC must be bound and available.

Cloning an existing CTE-PVC

Prerequisites

• The source CTE-PVC that you want to clone contains encrypted data and is bound and available on a system using dynamic provisioning.

Provisioning a Storage Class

In the following example:

• It uses a supported NFS-CSI driver

• The application pod is running with the CTE-PVC (cte-claim)

• The claim is using the CTE-StorageClass (cte-test-sc) and is bound and available

• cte-test-sc is using nfs-csi-sc-imm (nfs.csi.k8s.io) source storageClass for NFS

cte-csi-storageClass.yaml (CTE-SC)

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
    name: cte-test-sc
provisioner: csi.cte.cpl.thalesgroup.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
    # Domain name or IP address of the CipherTrust Manager (Required)
    key_manager_addr: 192.168.70.1

    # Name of the CipherTrust Manager K8s Storage Group (Required)
    k8_storage_group: k8s-group1

    # Kubernetes Secret with CM registration token (Required)
    registration_token_secret: cm-reg-token

    # To provision a volume dynamically, add the underlying source storageClass.
    # CTE-K8s driver creates source_pvc dynamically on this source storageClass.
    # A new volume will be provisioned by the respective underlying provisioner.   (Optional)(Required only for Dynamic PVC)
    # Taking an nfs provisioner driver (nfs.csi.k8s.io) example: nfs-csi-sc-imm
    source_storage_class: <underlying_source_sc_name>

    # When specified and set to "true", this parameter is used to automatically
    # delete the dynamically provisioned sourcePVC. This might delete the actual data volume, depending
    # on the underlying provisioner driver implementation. Default is set as "false".  (Optional)
    allow_source_pvc_delete: "false"

    # When specified, this parameter is used to automatically add the
    # csi.cte.cpl.thalesgroup.com/policy parameter to the CTE-K8s PVC based on
    # the requested parameters.  (Optional)(Required if source_storage_class is set)
    default_policy: <policy_1>

    # Time in minutes to wait before unregistering from the CipherTrust Manager
    # once all volumes have been unguarded. Parameter must be added as a string
    # integer value. Default "10" minute. (Optional)
    registration_period: "10"

PVC Claim Example

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
    name: cte-claim
    annotations:
    # If the following field is used then this policy will be used as the default_policy: <policy_1> in CTE-SC.
        csi.cte.cpl.thalesgroup.com/policy: policy_1
    # If the following field is used then the volume bounded with this pvc1 must be a dynamically provisioned volume,(optional)
        csi.cte.cpl.thalesgroup.com/source_pvc: <pvc1>   
spec:
    storageClassName: cte-test-sc
    accessModes:
        - ReadWriteMany
    resources:
        requests:
            storage: 1Gi

Examples for PV, PVC, SC

kubectl get sc

:~/volumeSnapshot$ kubectl get sc,pvc,pv
NAME                                      PROVISIONER                   RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
storageclass.storage.k8s.io/cte-test-sc   csi.cte.cpl.thalesgroup.com   Delete          Immediate           true                   13m
storageclass.storage.k8s.io/nfs-csi-imm   nfs.csi.k8s.io                Delete          Immediate           false                  56d

kubectl get pvc

NAME                                                                 STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/cte-claim                                      Bound    pvc-b168e8d9-e26b-4515-aab2-91dc241ce74a   2Gi        RWX            cte-test-sc    <unset>                 13m
persistentvolumeclaim/cte-claim-unprotected-cprfnzjxjxg3gpyabrqh5d   Bound    pvc-4183880c-6480-43e8-9564-b9f06fe557bf   2Gi        RWX            nfs-csi-imm    <unset>                 13m

kubectl get pv

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                                                  STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
persistentvolume/pvc-4183880c-6480-43e8-9564-b9f06fe557bf   2Gi        RWX            Delete           Bound    default/cte-claim-unprotected-cprfnzjxjxg3gpyabrqh5d   nfs-csi-imm    <unset>                          13m
persistentvolume/pvc-b168e8d9-e26b-4515-aab2-91dc241ce74a   2Gi        RWX            Delete           Bound    default/cte-claim                                      cte-test-sc    <unset>                          13m

Verifying that the source CTE-PVC is valid to for cloning

1. Get the sourcePVC name which is attached to the source CTE-PVC, type:

   kubectl get pv $(kubectl get pvc <Source_CTE-PVC_Name> -n <NameSpace> -o wide --no-headers -o custom-columns=":spec.volumeName") -o wide --no-headers -o custom-columns=":spec.csi.volumeAttributes" | awk '{for (i=1;i<=NF;i++){if ($i ~/csi.cte.cpl.thalesgroup.com\/source_pvc:/) {print $i}}}' | awk -F: '{print $2}'
   

   <Source_CTE-PVC_Name>: source CTE-PVC name. For example: cte-claim.

   <NameSpace> : namespace in which the above CTE-PVC is deployed.

   Example Response:

   cte-claim-unprotected-<UID#>
   

2. Verify that the sourcePVC, if bounded with dynamically-provisioned volume, type:

   kubectl get pv $(kubectl get pvc <SourcePVC_Name> -n <NameSpace> -o wide --no-headers -o custom-columns=":spec.volumeName") -o wide --no-headers -o custom-columns=":spec.csi"
   

   • <SourcePVC_Name>: SourcePVC name obtained from previous command.

   • <NameSpace>: namespace in which the source CTE-PVC is deployed.

   Example Response

   • If the source volume is provisioned-dynamically, then the output will contain data, for example:

     map[driver:nfs.csi.k8s.io map[csi.storage.k8s.io/pv/name:pvc-caff4502-0123-4391-927a-5efa5cbb12d9 csi.storage.k8s.io/pvc/name:cte-claim-unprotected-mi5eclhwd4dyhjrjeqicbd csi.storage.k8s.io/pvc/namespace:default server:<some-IP> share:<share-path> storage.kubernetes.io/csiProvisionerIdentity:1724596308482-728-nfs.csi.k8s.io subdir:pvc-caff4502-0123-4391-927a-5efa5cbb12d9] volumeHandle:<Some-IP>.#<share-path>#pvc-caff4502-0123-4391-927a-5efa5cbb12d9##]
     

   • If the sourcePVC contains a volume which is not dynamically-provisioned then the output will not contain data.

   Note

   • If the sourcePVC contains a volume that is bounded but not dynamically-provisioned, then you cannot clone the source, CTE-PVC (for example: cte-claim).

Creating a Clone

To provision a volume clone:

1. Add a reference to an existing CTE Persistent Volume Claim (source CTE-PVC) in the same namespace of the data Source field of a new CTE Persistent Volume Claim (clone CTE-PVC).

   cte-csi-claim-clone.yaml (clone CTE-PVC)

   apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
       name: clone-of-cte-claim
       annotations:
           csi.cte.cpl.thalesgroup.com/policy: policy_1
           # The following field is not required. A new sourcePVC will be created by the cte-k8s driver and a new volume will be provisioned with cloned data.
           # csi.cte.cpl.thalesgroup.com/source_pvc: <source-pvc>    
   spec:
       storageClassName: cte-test-sc
       accessModes:
           - ReadWriteMany
       resources:
           requests:
               storage: 1Gi
       dataSource:
           kind: PersistentVolumeClaim
           # source CTE-PVC, from which you want to make the clone
           name: cte-claim
   

   Note

   • The namespace of the clone, CTE-PVC (cte-csi-claim-clone.yaml), must be the same as the namespace of the source CTE-PVC (cte-csi-claim.yaml)

   • You must specify a capacity value for spec.resources.requests.storage with the clone CTE-PVC. The value specified must be the same or larger than the capacity of the source volume.

   • The csi.cte.cpl.thalesgroup.com/source_pvc annotation in the clone CTE-PVC (cte-csi-claim-clone.yaml) is not required. A new sourcePVC (source_pvc) is created by the CTE for Kubernetes driver and a new volume is created with the cloned data.

   • The Policy used with the clone CTE-PVC (cte-csi-claim-clone.yaml) must be the same, as the policy used with the source CTE-PVC (cte-csi-claim.yaml).

   • The underlying storage driver provisioned/used with the source CTE-PVC and the clone CTE-PVC must be the same. Cloning with different storage provisioners is not supported.

   • You can use the same, or a different, CTE-Storage Class (spec.storageClassName) with the clone CTE-PVC, but the underlying source Storage Class driver must be the same for the source CTE-PVC and the clone CTE-PVC.

   • You can use the same, or a different, volume Access Mode (spec.accessModes) with the clone CTE-PVC.

2. Deploy the clone CTE-PVC, type

   kubectl apply -f cte-csi-claim-clone.yaml
   

Based on the CTE storage class volumeBindingMode, and the underlying source storage class volumeBindingMode, CTE for Kubernetes provisions a new volume with cloned data as follows: