Both GKE (GCP) and EKS (AWS) support encryption of dynamically provisioned PV, using customer's own encryption key. This customer key sits in Cloud KMS (GCP) / AWS KMS.
Native integration means, I simply point to KMS ID in storage class.
But the internal behaviour is unclear to me. Where is data encryption key created and stored in cluster? (KMS is for key encryption key , not DEK).
Where is this implementation done - in KMS plugin? Is source code for this plugin open sourced?
pd.csi.storage.k8s.io
CSI will collect the name of a Cloud KMS key and pass it unchanged (see file gce-compute.go, lines 405-425) to GCP's v1.compute.disks.insert API call as the DiskEncryptionKey parameter. It's then the GCE PD driver that takes care of asking Cloud KMS to produce a disk encryption key; the key material never reaches Kubernetes and all secret negotiations happen within Google's network.
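As an added illustration (not part of the answer above, and not code from the CSI drivers themselves), here is what "pointing to the KMS key in the storage class" looks like on both clouds. The project, location, key ring, key names and the AWS key ARN are constructed placeholders. The cluster side only ever holds the key's name or ARN: on GKE the driver forwards it as the DiskEncryptionKey of the disks.insert call, and on EKS the EBS service performs the equivalent envelope encryption, so no DEK material is ever written to a Secret, a PV object or etcd.

```yaml
# --- GKE: Compute Engine Persistent Disk CSI driver with a customer-managed key ---
# Constructed example. Replace the key resource name with a real Cloud KMS key.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: pd-cmek
provisioner: pd.csi.storage.k8s.io
parameters:
  type: pd-standard
  # Only the *name* of the key encryption key is stored here. The driver passes it
  # unchanged to the Compute API; the per-disk data encryption key is produced and
  # wrapped inside Google's infrastructure and never enters the cluster.
  disk-encryption-kms-key: projects/PROJECT_ID/locations/us-central1/keyRings/pd-ring/cryptoKeys/pd-key
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
---
# --- EKS: EBS CSI driver with a customer-managed KMS key ---
# Constructed example. Replace the ARN with a real AWS KMS key.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ebs-cmek
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
  # As on GKE, this is a reference to the KEK in AWS KMS, not key material.
  kmsKeyId: arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000
volumeBindingMode: WaitForFirstConsumer
---
# A claim against either class; the encryption decision is made at provisioning time.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-cmek
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: pd-cmek   # or ebs-cmek on EKS
  resources:
    requests:
      storage: 10Gi
```

A practical check that the key actually reached the disk: on GCP, describe the provisioned disk with `gcloud compute disks describe DISK --zone ZONE --format='value(diskEncryptionKey.kmsKeyName)'` and confirm it prints the key name from the class; on AWS, `aws ec2 describe-volumes --volume-ids vol-... --query 'Volumes[0].[Encrypted,KmsKeyId]'` should show `true` and the ARN. Note that the disk stays bound to that KEK: if the key is disabled or the node's service account loses the decrypt permission, the volume will fail to attach rather than fall back to a default key, which is the behaviour you want but also something to alert on.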