Use persistent storage

Persistent storage in Kubernetes requires cloud-specific configuration. For abstraction of container storage, Kubernetes offers volumes, allowing users to mount storage solutions directly into containers. The Container Storage Interface (CSI) is the standard interface for exposing arbitrary block and file storage systems into containers in Kubernetes. STACKIT offers its own CSI-based solutions for cloud storage.

Constellation provides CSI drivers for OpenStack Cinder, offering encryption on the node level. They mount Cinder block storage volumes into your Constellation cluster, enabling transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.

CSI drivers

Follow the instructions on how to install the Constellation CSI driver or check out the repository for more information.

Installation

The Constellation CLI automatically installs Constellation’s CSI driver for STACKIT in your cluster. If you don’t need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting deployCSIDriver to false in your Constellation config file.

STACKIT comes with two storage classes by default.

• encrypted-rwo
  • Uses disks of storage_premium_perf1 type
  • ext-4 filesystem
  • Encryption of all data written to disk
• integrity-encrypted-rwo
  • Uses disks of storage_premium_perf1 type
  • ext-4 filesystem
  • Encryption of all data written to disk
  • Integrity protection of data written to disk

The default storage class is set to encrypted-rwo for performance reasons. If you want integrity-protected storage, set the storageClassName parameter of your persistent volume claim to integrity-encrypted-rwo.

Alternatively, you can create your own storage class with integrity protection enabled by adding [csi.storage.k8s.io/fstype](http://csi.storage.k8s.io/fstype): ext4-integrity to the class parameters. Or use another filesystem by specifying another file system type with the suffix -integrity, e.g., [csi.storage.k8s.io/fstype](http://csi.storage.k8s.io/fstype): xfs-integrity.

Note that volume expansion isn’t supported for integrity-protected disks.

1. Create a persistent volume. A persistent volume claim is a request for storage with certain properties. It can refer to a storage class. The following creates a persistent volume claim, requesting 20 GB of storage via the encrypted-rwo storage class:

   cat <<EOF | kubectl apply -f -
   kind: PersistentVolumeClaim
   apiVersion: v1
   metadata:
   name: pvc-example
   namespace: default
   spec:
   accessModes:
   - ReadWriteOnce
   storageClassName: encrypted-rwo
   resources:
   requests:
   storage: 20Gi
   EOF

2. Create a Pod with persistent storage. You can assign a persistent volume claim to an application in need of persistent storage. The mounted volume will persist restarts. The following creates a pod that uses the previously created persistent volume claim:

   cat <<EOF | kubectl apply -f -
   apiVersion: v1
   kind: Pod
   metadata:
   name: web-server
   namespace: default
   spec:
   containers:
   - name: web-server
   image: nginx
   volumeMounts:
   - mountPath: /var/lib/www/html
   name: mypvc
   volumes:
   - name: mypvc
   persistentVolumeClaim:
   claimName: pvc-example
   readOnly: false
   EOF

How to change the default storage class

The default storage class is responsible for all persistent volume claims that don’t explicitly request a storageClassName. Constellation creates a storage class with encryption enabled and sets this as the default class.

To change the default class, follow the steps below:

1. List the storage classes in your cluster:

   kubectl get storageclass

   The default storage class is marked by (default).
2. Mark old default storage class as non default: If you previously used another storage class (in the example below: encrypted-rwo) as the default, you will have to remove that annotation.

   kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'

3. Mark new class as the default:

   kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

4. Verify that your chosen storage class is default:

   kubectl get storageclass

   The output is similar to this:

   NAME                                PROVISIONER                   RECLAIMPOLICY  VOLUMEBINDINGMODE    ALLOWVOLUMEEXPANSION    AGE
   encrypted-rwo                       cinder.csi.confidential.cloud Delete         Immediate            true                    1d
   integrity-encrypted-rwo (default)   cinder.csi.confidential.cloud Delete         Immediate            false                   1d

See also

• Cryptographic algorithms in the Edgeless documentation
• Encrypted persistent storage in the Edgeless documentation
• Service plans Block Storage
• Persistent volumes in the Kubernetes documentation