Important
Constellation is no longer actively maintained by Edgeless Systems.
This project is no longer receiving updates or support from Edgeless Systems. The repository remains available for archival purposes and community use. New development continues in Contrast, which provides workload-level confidential computing using Confidential Containers. 👉 https://github.com/edgelesssys/contrast
This is a fork of the OpenStack Cinder CSI driver with added encryption features for Constellation.
This driver allows a Constellation cluster to use Cinder CSI volumes. The CSI plugin name is `cinder.csi.confidential.cloud`.
Create a cloud configuration:
```bash
# The quoted 'EOF' keeps the shell from expanding characters such as $ in the password.
cat <<'EOF' > cloud-config.yaml
apiVersion: v1
kind: Secret
metadata:
  name: cinder-csi-cloud-config
  namespace: kube-system
type: Opaque
stringData:
  cloud.conf: |-
    [Global]
    auth-url=<auth-url>
    username=<username>
    password=<password>
    project-id=<project-id>
    project-name=<project-name>
    user-domain-name=<user-domain>
    project-domain-name=<project-domain>
    region=<region>
EOF
kubectl apply -f cloud-config.yaml
```

Use helm to deploy the driver to your cluster:

```bash
helm install cinder-csi cloud-provider-openstack/charts/cinder-csi-plugin --namespace kube-system
```

See helm configuration for a detailed list of configuration options.
Remove the driver using helm:
```bash
helm uninstall cinder-csi -n kube-system
```

- Please refer to Cinder CSI Features
By default the CSI driver will transparently encrypt all disks staged on the node. Optionally, you can configure the driver to also apply integrity protection.
Please note that enabling integrity protection requires wiping the disk before use. Disk wipe speeds are largely dependent on IOPS and the performance tier of the disk. If you intend to provision large amounts of storage and Pod creation speed is important, we recommend requesting high-performance disks.
To enable integrity protection, create a storage class with an explicit file system type request and add the suffix -integrity.
The following is a storage class for integrity protected ext4 formatted disks:
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: integrity-protected
# The provisioner must be this driver's CSI plugin name.
provisioner: cinder.csi.confidential.cloud
parameters:
  # The -integrity suffix on the file system type enables integrity protection.
  csi.storage.k8s.io/fstype: ext4-integrity
reclaimPolicy: Delete
volumeBindingMode: Immediate
```

Please note that volume expansion is not supported for integrity-protected disks.
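The following audit is an added example, not part of the original README or the driver's code. It reads `kubectl get storageclass -o json` output and reports, per storage class, whether this driver serves it, whether the `-integrity` suffix is set, and whether volume expansion is enabled on an integrity-protected class. The sample classes and the function name are constructed for illustration.

```python
import json

DRIVER = "cinder.csi.confidential.cloud"  # plugin name given in this README
FSTYPE_KEY = "csi.storage.k8s.io/fstype"


def audit_storage_classes(doc):
    """Return (name, protection, warnings) per StorageClass in kubectl JSON output."""
    results = []
    for sc in doc["items"] if "items" in doc else [doc]:
        name = sc.get("metadata", {}).get("name", "<unnamed>")
        fstype = (sc.get("parameters") or {}).get(FSTYPE_KEY, "")
        integrity = fstype.endswith("-integrity")
        warnings = []
        if sc.get("provisioner") != DRIVER:
            # Another driver handles this class; the suffix means nothing to this one.
            if integrity:
                warnings.append("-integrity fstype, but provisioner is not this driver")
            results.append((name, "not-this-driver", warnings))
            continue
        if integrity and sc.get("allowVolumeExpansion") is True:
            warnings.append("expansion is not supported on integrity-protected disks")
        # Without the suffix the driver still encrypts, but adds no integrity protection.
        protection = "encrypted+integrity" if integrity else "encrypted"
        results.append((name, protection, warnings))
    return results


# Constructed sample, shaped like `kubectl get storageclass -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "StorageClass", "metadata": {"name": "integrity-protected"},
   "provisioner": "cinder.csi.confidential.cloud",
   "parameters": {"csi.storage.k8s.io/fstype": "ext4-integrity"},
   "allowVolumeExpansion": true},
  {"kind": "StorageClass", "metadata": {"name": "encrypted-default"},
   "provisioner": "cinder.csi.confidential.cloud"},
  {"kind": "StorageClass", "metadata": {"name": "copied-from-azure"},
   "provisioner": "azuredisk.csi.confidential.cloud",
   "parameters": {"csi.storage.k8s.io/fstype": "ext4-integrity"}}
]}
""")

if __name__ == "__main__":
    for name, protection, warnings in audit_storage_classes(SAMPLE):
        print(f"{name}: {protection}" + "".join(f"\n  WARNING: {w}" for w in warnings))
```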
- Please refer to development guide
To build the driver container image:
```bash
driver_version=v0.0.0-test
make REGISTRY=ghcr.io/edgelesssys/constellation VERSION=${driver_version} build-local-image-cinder-csi-plugin
docker push ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${driver_version}
```

This project is licensed under the AGPLv3. It's based on code licensed under the Apache 2.0 license.