Release Note for CTE for Kubernetes
| Release Note Version | Date |
|---|---|
| 1.4.0.37 | 2024-05-01 |
Container Image Digest
Verify that the Container Image Digest matches the version that you are installing.
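The check described above can be automated against the image references in a running pod spec. The script below is an added example, not code from the release note or from the CTE for Kubernetes product: it parses each image reference (`[registry[:port]/]repository[:tag][@sha256:<hex>]`), flags references that are pinned only by a mutable tag, and compares any digest present with the digest published for the release. The image names and the expected digest are constructed placeholders; substitute the digest from the release you are installing.

```python
"""Check that container image references are pinned to the expected digest.

Added example, not part of the CTE for Kubernetes release note or product.
Image names and the digest below are constructed placeholders.
"""
import re
import sys

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest); missing parts are None."""
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in image reference {ref!r}")
    tag = None
    # A colon after the last '/' introduces a tag; an earlier one is a registry port.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest


def check_image(ref, expected_digest):
    """Return a finding for one reference, or None when it is pinned to expected_digest."""
    _, tag, digest = parse_image_ref(ref)
    if digest is None:
        return f"{ref}: not pinned by digest; tag {tag or 'latest'!r} can be re-pointed in the registry"
    if digest != expected_digest:
        return f"{ref}: digest {digest} does not match expected {expected_digest}"
    return None


def check_images(refs, expected_digest):
    """Return findings for all references; an empty list means every image is pinned and matches."""
    findings = []
    for ref in refs:
        finding = check_image(ref, expected_digest)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: a placeholder digest and three references as a pod spec might list them.
EXPECTED_DIGEST = "sha256:" + "ab" * 32
SAMPLE_REFS = [
    "registry.example.com:5000/cte/cte-csi-node:1.4.0@" + EXPECTED_DIGEST,  # pinned, matches
    "registry.example.com:5000/cte/cte-csi-node:1.4.0",                      # tag only
    "registry.example.com:5000/cte/cte-csi-node@sha256:" + "cd" * 32,       # pinned to another digest
]

if __name__ == "__main__":
    # Usage: pass the references printed by
    #   kubectl get pods -n <namespace> -o jsonpath='{..image}'
    # as arguments, or run with no arguments to check the constructed sample.
    for line in check_images(sys.argv[1:] or SAMPLE_REFS, EXPECTED_DIGEST):
        print(line)
```

A reference carrying both a tag and a digest is resolved by the digest; the tag is informational only, which is why the script treats a tag-only reference as unpinned rather than trusting the tag to identify the release.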
New Features and Enhancements
- Added support for CTE for Kubernetes Operator on Amazon EKS (Elastic Kubernetes Service)
  For the Amazon EKS cluster, the operator is certified and available at: Kubernetes Catalog.
- CTE for Kubernetes Operator supports both x86_64 and arm64 deployment
  CTE for Kubernetes only supports homogeneous Kubernetes clusters, i.e. either all nodes of the cluster must be x86_64 or all nodes must be arm64.
- Added support for Kubernetes Node Pools and Node Affinity
  Refer to the Kubernetes documentation for more information on Node Pools.
- Added support for Kubernetes Security Context Option
  The Kubernetes `fsGroup` security context attribute is now supported in CTE for Kubernetes.
- Added Kubernetes cluster information support for the CipherTrust Manager AgentInfo Collection script
  When triggered from the CipherTrust Manager REST API, agentinfo now gathers cluster-info and storage classes, as well as PV and PVC information, from the Kubernetes cluster. To trigger it, use the CipherTrust Manager REST API endpoints:
  - /v1/transparent-encryption/clients/{id}/get-agentinfo
  - /v1/transparent-encryption/clients/{id}/download-agentinfo
  - /v1/transparent-encryption/clients/{id}/check-agentinfo
- Added support for the VMware Tanzu Kubernetes Grid (TKG) platform
  See VMware Tanzu for more information.
- Added support for the new OpenShift metadata format for operator annotations
  See Guidance for Operator authors on OpenShift about the new annotations format for more information.
Resolved Issues
- AGT-51326: FSGroupID is not supported for NFS storage
  The `fsGroup` ID Security Context option is not supported with NFS volumes. It is only supported with local storage. This is a limitation of Kubernetes and not an issue with the CTE-U FUSE driver.
- AGT-55118: Dataxform key rotation is not working
  Updated the documentation for Data Transformation. See Data Transformation for CTE for Kubernetes.
Known Issues
- AGT-39000: CipherTrust Manager may not report all pods using the same CTE PVC on the same node
  CTE PVCs with the access modes ReadWriteOnce, ReadWriteMany or ReadOnlyMany may fail to report to CipherTrust Manager all of the pods using the same volume on the same node. This anomaly is due to how Kubernetes handles a single volume used across multiple pods on the same node. This reporting anomaly in CipherTrust Manager does not mean that the CTE PVC is not attached to the pod.
  Work-around: Describe the CTE PVC (`# kubectl describe pvc`) to find the list of all of the pods that are using a particular CTE PVC.
- AGT-41592: CTE for Kubernetes client does not display the active Data Transformation guard policy during Data Transformation
  While Data Transformation is running, the Guard Policy does not display as active on CipherTrust Manager, because the client does not send any Guard Policy details to CipherTrust Manager. Only after the production policy is applied to the GuardPoint do the details populate in CipherTrust Manager.
- AGT-48209: Operators do not appear to delete
  Some resources created by the operator are not being cleaned up properly. This issue can be safely ignored.
- AGT-48396: CTE-CSI | Container Attestation Issue | CM2.13, CM2.14
  The Trusted Pods feature currently only works with CipherTrust Manager v2.14 and subsequent versions.
- AGT-55332: Agentinfo script fails to execute if CTE for Kubernetes is deployed using Operator v1.4.13
  Executing the agentinfo command on the API playground fails on CTE-K8s nodes. The issue occurs because of missing permissions on the `cte-csi-node-ca` Cluster Role created by the operator. These permissions are required by the agentinfo command to get cluster-wide information.
  Work-around:
  - Create a file named `cte-csi-node-role.yaml` with the following contents:

    ```yaml
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cte-csi-node-ac
    rules:
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["list", "watch", "get"]
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["create", "list", "delete", "get", "patch"]
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["create", "get", "list", "update", "delete"]
      - apiGroups: [""]
        resources: ["persistentvolumes"]
        verbs: ["get", "list", "watch", "patch"]
      - apiGroups: [""]
        resources: ["nodes"]
        verbs: ["get", "list"]
      - apiGroups: [""]
        resources: ["persistentvolumeclaims"]
        verbs: ["get", "list", "patch"]
      - apiGroups: ["storage.k8s.io"]
        resources: ["csinodes", "storageclasses"]
        verbs: ["get", "list", "watch", "patch"]
      - apiGroups: ["storage.k8s.io"]
        resources: ["volumeattachments"]
        verbs: ["get", "list", "watch", "patch"]
      - apiGroups: ["storage.k8s.io"]
        resources: ["volumeattachments/status"]
        verbs: ["patch"]
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get", "list"]
      - apiGroups: ["coordination.k8s.io"]
        resources: ["leases"]
        verbs: ["get", "watch", "list", "delete", "update", "create"]
      - apiGroups: ["", "apps"]
        resources: ["daemonsets", "deployments", "replicasets", "events", "replicationcontrollers", "services", "pods/log"]
        verbs: ["get", "list"]
      - apiGroups: ["security.openshift.io"]
        resources: ["securitycontextconstraints"]
        resourceNames: ["cte-csi-scc"]
        verbs: ["use"]
    ```

  - Execute the following command:

    ```
    kubectl apply -f cte-csi-node-role.yaml
    ```

  Note: Customers using Helm as their deployment method are not impacted.
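Because this issue is a missing-permission failure, a practitioner will want to confirm that the ClusterRole actually installed in the cluster grants everything the work-around lists, and to see exactly which grants are absent when it does not. The script below is an added example, not code from the release note or from the CTE for Kubernetes operator: it reads the JSON that `kubectl get clusterrole <name> -o json` prints and reports every (apiGroup, resource, resourceName, verb) required by the rule set that the installed role fails to cover, honouring RBAC `*` wildcards and `resourceNames` restrictions. `REQUIRED_RULES` is a constructed subset of the work-around's rules so the gap can be shown offline; `SAMPLE_INSTALLED_ROLE` is a constructed role with deliberate gaps. Replace `REQUIRED_RULES` with the full rule list from the YAML above for a real check.

```python
"""Compare an installed ClusterRole with the permissions the agentinfo work-around requires.

Added example, not part of the release note or the CTE for Kubernetes operator.
REQUIRED_RULES and SAMPLE_INSTALLED_ROLE are constructed data.
"""
import json
import sys

# Constructed subset of the rules in the work-around YAML (three of its rules).
REQUIRED_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list", "watch", "get"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
     "resourceNames": ["cte-csi-scc"], "verbs": ["use"]},
]

# Constructed sample of an installed role that lacks the namespaces rule and 'list' on secrets.
SAMPLE_INSTALLED_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "constructed-sample-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
     "resourceNames": ["cte-csi-scc"], "verbs": ["use"]}
  ]
}
""")


def expand(rules):
    """Flatten RBAC rules into (apiGroup, resource, resourceName, verb) tuples.

    A rule without resourceNames applies to every object of that resource, recorded as '*'.
    """
    out = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for name in rule.get("resourceNames") or ["*"]:
                    for verb in rule.get("verbs", []):
                        out.add((group, resource, name, verb))
    return out


def covers(granted, need):
    """True if some granted tuple satisfies `need` under RBAC matching rules."""
    group, resource, name, verb = need
    for g, r, n, v in granted:
        # '*' in a granted field matches anything; a granted resourceName only matches itself,
        # so a role restricted to one object never satisfies an unrestricted requirement.
        # Resources match exactly: "pods" does not cover the "pods/log" subresource.
        if g in (group, "*") and r in (resource, "*") and n in (name, "*") and v in (verb, "*"):
            return True
    return False


def missing_permissions(installed_role, required_rules=REQUIRED_RULES):
    """Return the sorted list of required tuples that the installed role does not grant."""
    granted = expand(installed_role.get("rules", []))
    return sorted(need for need in expand(required_rules) if not covers(granted, need))


if __name__ == "__main__":
    # Usage: kubectl get clusterrole <name> -o json | python3 check_role.py
    # With no piped input the constructed sample role is checked instead.
    role = SAMPLE_INSTALLED_ROLE if sys.stdin.isatty() else json.load(sys.stdin)
    for group, resource, name, verb in missing_permissions(role):
        print(f"missing: apiGroup={group or 'core'} resource={resource} resourceName={name} verb={verb}")
```

This compares the role object only; whether the agentinfo pod actually holds those permissions also depends on the ClusterRoleBinding that ties the role to the service account, which `kubectl auth can-i --as=system:serviceaccount:<namespace>:<account> <verb> <resource>` answers for one verb and resource at a time.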