In the previous post, Dell EMC CloudLink – Part1, Introduction, we have covered the Dell EMC CloudLink overview and its key features.

One of the hottest topics right now around containers, is ‘Security’, you see, containers changed the game re architecture and as such, customers are looking for various options to protect, secure and encrypt their containers workloads. In fact, let’s take a look at one (out of many..) surveys done by a company called “StackRox”


Security tops the list of concerns with container strategies

“Inadequate investment in security leads the list of concerns users cite about their company’s container strategy (34%). When combined with not taking threats seriously (15%) and not accounting for compliance needs (17%), two-thirds of respondents identify security and compliance as their biggest source of concern.”

Now that we understand how CloudLink works, it’s only natural to go to the next step which is the integration with Kubernetes, Containers, and Cloud native storage.

CloudLink provides seamless security – from edge to core to cloud – with unmatched flexibility, superior reliability, and highly efficient operations. CloudLink provides multiple options for data encryption and key management across a broad spectrum of operating platforms including bare-metal, virtualized, and containerized workloads across public and private clouds, simplifying and streamlining security workflows.

Encryption at the Workload

While most of the storage solutions these days provides DARE (Data at Rest Encryption), encryption at rest though may not be sufficient as workloads move out through the cloud to the edge. To keep data safe in these environments, customers look to implement encryption at the workload as well. In these multi-level encryption environments customers can ensure that their data is encrypted right at the source, remains encrypted as it traverses to storage, and is securely encrypted at rest. Encrypting at the source also gives customers even more control over their data, allowing for cryptographic erasure once the data is no longer needed.

As the datacenter evolves, so does its needs for data encryption. Although Kubernetes a phenomenal platform for container orchestration and management, Kubernetes does not address one of the most critical components of an overall security strategy – data protection. Kubernetes does not provide robust mechanisms to encrypt, manage, and share secrets across a Kubernetes cluster. initially, you will probably leverage secrets management solutions like Vault, but you’ll quickly discover they do not provide a full solution in a container environment.

To keep up with this evolution, CloudLink not only offers Encryption for Machines (VMs and bare metal), we have now added Encryption for Containers to our toolbox. CloudLink supports encrypting Kubernetes container volumes by leveraging the CSI (Container Storage Interface) and we validated this encryption with PowerScale’s and PowerFlex’s own CSI implementation. Encryption for Containers is licensed per CloudLink Center cluster, allowing for the management of up to 25,000 keys for container volume encryption.

How does CloudLink’s encryption for containers work?


CloudLink 7.1 supports data encryption in a Kubernetes containerized environment. CloudLink encryption for containers enables you to encrypt shared volumes in a Kubernetes cluster. This functionality leverages Kubernetes 1.14 to 1.19 Container Storage Interface (CSI), which is customizable to the user environment, and features a quick, easy setup with the UI or REST-API. Encryption of Containers Agents sits between the Application and the CSI Storage Plugin encrypting the application data before it is sent to storage-thus providing both Data at Rest and Data in Motion. One CloudLink Center instance can support multiple Kubernetes clusters. Each Kubernetes cluster node can have multiple Container agents running on it, which includes one Encryption for Containers agent for each driver.

To encrypt data both in flight and at rest in a containerized environment, CloudLink deploys an agent on the container itself. The agent sits between the application and the CSI Storage Plugin. The CSI (Container Storage Interface) is a community standard that abstracts the underlying storage interface away from the application, allowing for multiple back end storage support options without having to change the application itself. Since our agent is deployed directly on the data path, we can ensure that the data is encrypted immediately when the application saves it.

Deploying and managing a container environment can be challenging. Kubernetes strives to keep it as simple as possible but there are a lot of moving parts. The addition of functionality like encryption just makes it even more complicated. To counter this, CloudLink has simplified the deployment process for the agent as much as possible. We have boiled it down to:

  • A configuration file to customize per deployment
  • 2-click initial setup for Kubernetes cluster preparation and authentication
  • 1-click deployment for the CloudLink agent in each Kubernetes cluster

The above allows for dynamic provisioning of encryption for volumes in the environment for fast and easy container data encryption.

Support:

CloudLink 7.1 supports the following:

● Kubernetes version 1.14 to 1.19

● Tanzu Kubernetes version 1.1 or later

● Storage types that support Container Storage Interface (CSI):

○ Generic NFS storage

○ PowerScale (NFS) storage

○ PowerFlex block storage

● Volume types that support CSI:

○ File System provisioning for all storage types

○ Raw Block Volume provisioning for PowerFlex block storage

● FIPS validated dm-crypt crypto module for container block volume encryption

These are the high-level configuration steps for Encryption for Kubernetes using CloudLink 7.1:

1. Deploy CloudLink Center.

2. Create a Kubernetes or a Tanzu Kubernetes cluster as per your requirement.

3. Add a Kubernetes cluster entry to CloudLink Center.

4. The cluster_name_secret.yaml file is downloaded to the Downloads folder.

5. Upload the cluster_name_secret.yaml file as a secret to the Kubernetes cluster or the Tanzu Kubernetes cluster.

6. Build the node and controller Docker images using the Dockerfile in the Kubernetes node plug-in package

7. Push the node and controller Docker images to the Docker registry.

8. Push the NFS plug-in image to the Docker registry. Ensure that you have the NFS plug-in image handy as per your requirement.

9. Use Helm to deploy Encryption for containers in the Kubernetes or the Tanzu Kubernetes cluster.

10. Map the volumes to workloads.

11. Create workload container configuration files that reference the volume claims

How to Configure Encryption for Containers?

  • Login to CloudLink Center and access the Kubernetes Clusters page.
  • Add a new cluster by entering required information.
  • Save the downloaded <cluster_name>_secret.yaml file.
  • Download the CL k8s Node plugin and Docker file from CLCin order to create agent images.
  • Apply the secret to Kubernetes cluster withplanned namespace.
  • Create Encryption for container agent and push to docker server
  • Deploy Encryption for containers agent (Dell EMC CloudLink CSI+ Dell EMC POWERSCALE CSI”) using helm

Helm install –namespace <name> -f defaultvaues.yaml demo http://<CLC-IP&gt;:/cloudlink/kubernetes/sdp/helm/cloudlink-sdp-helmx.x.x.tgz

  • During the process, New encryption of containers agent pods gets created in Kubernetes within the provided namespace

•    After EOC agent gets installed, K8S nodes will be shown under Kubernetes Nodes

•    Deploy PV/PVC and the workload in order to mount volume on workload running on K8S nodes.


•    By navigating back to Cloud Link Center, you’ll see that the volumes count increased to 1

Additional Features:

Raw Block Volume

CloudLink 7.1 supports raw block volume encryption

  • RBV feature allows persistent volumes to be exposed inside containers as a block device instead of as a mounted file system
  • Block devices enable random access to data in fixed-size blocks.
  • Block devices include whole disks, disk partitions, and LUNs from a storage area network (SAN) device.
  • Raw block volumes require cryptsetup (v1 or v2) to be installed on every worker node.

Re-keying

CloudLink 7.1 supports shallow Rekeying (KEK) or Key rotation for existing encrypted volumes which means data is not re-encrypted, only KEK is rotated.

A per-volume action “Re-key volume” is added which will initialize re-keying for the selected volume.

  • For a raw block volume re-keying, only the ReadWriteOnce mode is supported.
  • For a file system volume re-keying, multiple agents may report the same volume. In this case, the operation should be initialized in any one of these agents. The agent which has connected first.

In conclusion, whether you need external key management with Data at Rest Encryption, or workload encryption for Kubernetes CSI deployments, PowerScale, PowerFlex, and CloudLink offer up a reliable, easy to use, flexible solutions that fits your data center.

Here you can see a demo of CloudLink’s encryption for Kubernetes workloads:

A guest post by Tomer Nahumi

Leave a Reply