数据卷加密
在 HwameiStor 中,用户可以用 LUKS 为本地数据卷进行加密。
注意
目前单副本的加密卷不支持 lvmigrate。
请按照以下步骤来创建和使用加密卷。
1. 创建一个用于加密数据卷的 Secret
具体如下:
apiVersion: v1
data:
key: H4sIAAAAAAAA/+xVP2/bPhDd9SluyGAHUJTgtzFTgPyKLkmDZiwK4kxebNYUSRwp10Xb715IkWzLf5II6eAC3iTe3eO9R/Le1PoJWpEB0AJthcl4J41LxAu0Av67jBlAVIyBdpZpmYgdWmlxQjbWIACBfUlpRlUUEDyn756XRVjm6/WtNMkUrFEo4Gz08OlW3t/c/T/OuLIkn4ylKLIcCkqqWJcUdTRuLOS9DfI63NTml8X5xQ8sbdZSUN49mWmD+c1Pp
MOSBETihVF0551Jnot1193HZQYw885zxxSe0EbKAObVhNhRoiijXqMD5MDekgByOnjjUs2aqSnvp0VfsaKehE1vzVdCnlJ6DgqQMpVBbijXUWiAUNVnJ2BOFJrivchSlpRQbvb9zP45r4N7Q2pgiuTSuoJpSksBo0628XXi6n29derJGnNnp7DMMZjDKr6Ah1ozxShbgefG6cFFq3YiBWRMngVcb/Z37zVdjy7Ox+1isKioJJcEnP28+r3nhJ3XdLx8HrweRid4P
YRN3UAMqGifMhuxNwN293XFrI/ZhocgBq8PoQ0kWyMp7xIaR3wIc5XQe0Wa/aBXVG8VZhj7z/QDGkv612OlFJEmPf6Lynbza98lybdyu+u4W/D6++5usDw4LWcYZ02w9LqytSldNb+dlnW8fPnkejCtemejx483n2/HPax2upWU2Ci5Pe3hy9dhrnN1cp0jdZ35Qk+Od0yfbOdkOyfbeZftvPbA/zXf+RMAAP//IK/8i+YNAAA=
kind: Secret
metadata:
name: hwameistor-encrypt-secret
namespace: hwameistor
type: Opaque
2. 创建一个 StorageClass
使用以下命令创建一个 StorageClass 并指定使用上方创建的 Secret:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: local-storage-hdd-encrypt
provisioner: lvm.hwameistor.io
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
reclaimPolicy: Delete
parameters:
encryptSecret: hwameistor/hwameistor-encrypt-secret
encryptType: LUKS
replicaNumber: "1"
poolClass: "HDD"
poolType: "REGULAR"
volumeKind: "LVM"
striped: "true"
csi.storage.k8s.io/fstype: "xfs"
3. 创建 PVC 和 Deployment
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: local-storage-pvc-encrypt
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-storage-hdd-encrypt
resources:
requests:
storage: 1Gi
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-local-storage-lvm
labels:
app: nginx-local-storage-lvm
spec:
replicas: 1
selector:
matchLabels:
app: nginx-local-storage-lvm
template:
metadata:
labels:
app: nginx-local-storage-lvm
name: nginx-local-storage-lvm
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 0
containers:
- image: nginx:latest
imagePullPolicy: IfNotPresent
name: nginx
ports:
- containerPort: 80
command:
- sh
- -xc
- |
VOL="$( df | grep /usr/share/nginx/html | awk '{print $1,$NF}' )"
echo "<center><h1>Demo volume: ${VOL}</h1></center>" > /usr/share/nginx/html/index.html
nginx -g "daemon off;"
volumeMounts:
- name: html-root
mountPath: /usr/share/nginx/html
resources:
limits:
cpu: "100m"
memory: "100Mi"
volumes:
- name: html-root
persistentVolumeClaim:
claimName: local-storage-pvc-encrypt
4. 检查应用是否被正常创建
# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-local-storage-lvm-79886d9dd-44fsg 1/1 Running 0 20m 100.111.156.91 k8s-node1
5. 检查数据卷是否为加密卷
通过 lsblk 命令可以查看数据卷的 TYPE 是否为 crypt:
# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 160G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 159G 0 part
├─centos-root 253:0 0 50G 0 lvm /
├─centos-swap 253:1 0 7.9G 0 lvm
└─centos-home 253:2 0 101.1G 0 lvm /home
sdb 8:16 0 200G 0 disk
└─LocalStorage_PoolHDD-pvc--2c097032--690d--4510--99ad--54119b6b650c 253:3 0 1G 0 lvm
└─pvc-2c097032-690d-4510-99ad-54119b6b650c-encrypt 253:4 0 1008M 0 crypt /var/lib/kubelet/pods/4c2b76f3-a84f-4e62-88c8-a71abeb68efd/volumes/kubernetes.io~csi/pvc-2c097032-690d-4510-99ad-54119b6b650c/mount
sr0 11:0 1 1024M 0 rom
通过 blkid 命令可以查看数据卷的 TYPE 是否为 crypto_LUKS:
# blkid /dev/LocalStorage_PoolHDD/pvc-2c097032-690d-4510-99ad-54119b6b650c
/dev/LocalStorage_PoolHDD/pvc-2c097032-690d-4510-99ad-54119b6b650c: UUID="a1910adf-f1dc-45a4-aeb3-6a8cf045bb9d" TYPE="crypto_LUKS"