當您的業務因為安全需求或法規合規要求等原因,需要對存儲在雲盤上的資料進行加密保護時,您可以在ACK容器叢集中使用雲盤加密功能,無需建構、維護和保護自己的密鑰管理基礎設施,即可保護資料的隐私性和自主性。
使用BYOK建立加密雲盤時,系統需要使用同一地域的密鑰管理服務(KMS)提供的BYOK(Bring Your Own Key)。是以,首次通過控制台或者API使用雲盤加密功能之前,您必須先開通
密鑰管理服務 。1. 建立BYOK
登入
密鑰管理服務控制台建立BYOK并記錄密鑰ID:
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBnLxYmYxYzMmJWNhZmZmZWZ0cDMwUmY2MzM5MjNxgTMhRWYiRWY0ImM08CXt92Yu4GZjlGbh5SZslmZxl3Lc9CX6MHc0RHaiojIsJye.png)
2. 建立StorageClass使用BYOK
在ACK容器叢集中建立StorageClass并配置
encrypted: "true"
kmsKeyId: <your BYOK>
使用BYOK,示例如下:
$ cat storageclass-ssd-byok.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: alicloud-disk-ssd-byok
parameters:
type: cloud_ssd
encrypted: "true"
kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
provisioner: alicloud/disk
reclaimPolicy: Delete
$ kubectl apply -f storageclass-ssd-byok.yaml
檢視StorageClass:
$ kubectl get sc
NAME PROVISIONER AGE
alicloud-disk-available alicloud/disk 19m
alicloud-disk-efficiency alicloud/disk 19m
alicloud-disk-essd alicloud/disk 19m
alicloud-disk-ssd alicloud/disk 19m
alicloud-disk-ssd-byok alicloud/disk 28s
3. 建立示例應用建立并挂載雲盤
$ cat deploy.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: disk-ssd-byok
spec:
accessModes:
- ReadWriteOnce
storageClassName: alicloud-disk-ssd-byok
resources:
requests:
storage: 20Gi
---
kind: Pod
apiVersion: v1
metadata:
name: disk-pod-ssd-byok
spec:
containers:
- name: disk-pod-byok
image: nginx
volumeMounts:
- name: disk-pvc-byok
mountPath: "/mnt"
restartPolicy: "Never"
volumes:
- name: disk-pvc-byok
persistentVolumeClaim:
claimName: disk-ssd-byok
$ kubectl apply -f deploy.yaml
檢視PV:
$ kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
d-j6c5jezzajt9ri47lvjs 20Gi RWO Delete Bound default/disk-ssd-byok alicloud-disk-ssd-byok 8s
我們可以在
ECS控制台檢視 volume id為
d-j6c5jezzajt9ri47lvjs
的雲盤是否已加密:
4. 報錯及解決辦法
報錯資訊1:
provision volume with StorageClass "alicloud-disk-ssd-zones-encrypt": Aliyun API Error: RequestId: DA0DD66A-38C0-4C91-98DB-A4D0B27A783A Status Code: 403 Code: UserNotInTheWhiteList Message: The user is not in byok white list.
解決辦法:
給ecs開工單添加使用權限
報錯資訊2:
6bc5d686-1201-11ea-83de-0a58ac160203 Failed to provision volume with StorageClass "alicloud-disk-ssd-zones-encrypt": Aliyun API Error: RequestId: 81FB907C-210F-440F-8C3E-00DEE6BF2A47 Status Code: 403 Code: InvalidParameter.KMSKeyId.KMSUnauthorized Message: ECS service have no right to access your KMS.
使用者賬号需要添加AliyunECSDiskEncryptDefaultRole
5. 其他
更多關于雲盤加密以及BYOK的介紹請參考:
https://help.aliyun.com/document_detail/107972.html