ceph / ceph-csi

CSI driver for Ceph
Apache License 2.0

Testing: Creation of a new clone of an encrypted PVC with a different KMSID #2110

Closed Yuggupta27 closed 3 years ago

Yuggupta27 commented 3 years ago

Testing performed:

[TEST 1]: Creation of encrypted clone from an SC that has different KMSID from the SC used by the parent

  1. Create a SC with encryption enabled and encryptionKMSID: "vault-test"
  2. Mount the created PVC to a pod, and write some data
  3. Fetch ImageMeta and verify that the encrypted state is "encrypted" and mountType is "crypt".
  4. Create a volumesnapshot of the PVC.
  5. Create a new storageclass; where encryption is enabled but it has a different KMSID (say "test-vault-test")
  6. Create a cloned pvc with the new storageclass; mount it to a pod; verify the data.
  7. Validate encryption of the cloned pvc.

Result: The cloned PVC is also encrypted.

[TEST 2]: Creation of encrypted clone using same sc as the parent, but sc is recreated with different KMSID before clone creation

  1. Create a SC with encryption enabled and encryptionKMSID: "vault-test"
  2. Mount the created PVC to a pod, and write some data
  3. Fetch ImageMeta and verify that the encrypted state is "encrypted" and mountType is "crypt".
  4. Create a volumesnapshot of the PVC.
  5. Delete and Re-create the sc with different KMSID (say "test-vault-test")
  6. Create a cloned pvc with the storageclass; mount it to a pod; verify the data.
  7. Validate encryption of the cloned pvc.

Result: The cloned PVC is also encrypted.

Note: 'test-vault-test' uses the same configuration as 'vault-test' in the 'ceph-csi-encryption-kms-config' configmap.

Question: Is the above-mentioned behavior expected?

Madhu-1 commented 3 years ago

@nixpanic do we need to allow this operation from a security point of view? If the parent PVC or snapshot kmsid does not match the requested PVC's, can we fail fast?

nixpanic commented 3 years ago

@nixpanic do we need to allow this operation from a security point of view? If the parent PVC or snapshot kmsid does not match the requested PVC's, can we fail fast?

When cloning a volume encrypted with one KMS-configuration, the encryption-passphrase is decrypted and stored according to the destination KMS-configuration. This is expected to work, and allows for migration in case a KMS-service needs replacing.
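The re-wrapping step nixpanic describes, as an added illustration that is not ceph-csi's own code: each KMS configuration is modelled as a hypothetical in-memory service that protects a volume's passphrase under its own key-encryption key (a simplification; a real Vault-backed configuration keeps the secret server-side). `ClonePassphrase` fetches the parent's passphrase through the parent's configuration and stores it for the clone through the destination configuration, so the clone can afterwards be unlocked only via the destination KMS. The configuration IDs "vault-test" and "test-vault-test" are taken from the issue; the volume IDs and passphrase are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// kms stands in for one entry of the ceph-csi-encryption-kms-config configmap.
// The key-encryption key (kek) and the map are a hypothetical in-memory stand-in
// for a real KMS service such as Vault; ceph-csi does not implement it this way.
type kms struct {
	id    string
	kek   []byte
	store map[string][]byte // volumeID -> nonce || wrapped passphrase
}

func newKMS(id string) (*kms, error) {
	kek := make([]byte, 32) // AES-256 KEK, generated per KMS configuration
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &kms{id: id, kek: kek, store: map[string][]byte{}}, nil
}

func (k *kms) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StorePassphrase wraps the volume passphrase under this KMS's KEK.
// The volume ID is bound as associated data, so a wrapped blob copied from one
// volume's entry cannot be unwrapped for another volume.
func (k *kms) StorePassphrase(volumeID string, passphrase []byte) error {
	g, err := k.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	k.store[volumeID] = g.Seal(nonce, nonce, passphrase, []byte(volumeID))
	return nil
}

// FetchPassphrase unwraps the passphrase; it fails if this KMS configuration
// never stored one for the volume, or if the blob was tampered with.
func (k *kms) FetchPassphrase(volumeID string) ([]byte, error) {
	wrapped, ok := k.store[volumeID]
	if !ok {
		return nil, fmt.Errorf("kms %q: no passphrase for volume %q", k.id, volumeID)
	}
	g, err := k.aead()
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(wrapped) < ns {
		return nil, fmt.Errorf("kms %q: malformed entry for %q", k.id, volumeID)
	}
	return g.Open(nil, wrapped[:ns], wrapped[ns:], []byte(volumeID))
}

// ClonePassphrase is the step described in the issue: the parent's passphrase
// is fetched through the parent's KMS configuration and stored for the clone
// through the clone's (possibly different) KMS configuration. The plaintext
// passphrase itself is unchanged; only its protection moves.
func ClonePassphrase(src, dst *kms, parentID, cloneID string) error {
	passphrase, err := src.FetchPassphrase(parentID)
	if err != nil {
		return fmt.Errorf("fetching parent passphrase: %w", err)
	}
	return dst.StorePassphrase(cloneID, passphrase)
}

func main() {
	parentKMS, _ := newKMS("vault-test")
	cloneKMS, _ := newKMS("test-vault-test")
	passphrase := []byte("constructed-example-passphrase") // constructed sample value

	_ = parentKMS.StorePassphrase("pvc-parent", passphrase)
	if err := ClonePassphrase(parentKMS, cloneKMS, "pvc-parent", "pvc-clone"); err != nil {
		fmt.Println("clone failed:", err)
		return
	}
	got, err := cloneKMS.FetchPassphrase("pvc-clone")
	fmt.Println("clone unlockable via test-vault-test:", err == nil && bytes.Equal(got, passphrase))
	_, err = parentKMS.FetchPassphrase("pvc-clone")
	fmt.Println("clone unlockable via vault-test:", err == nil)
}
```

The point this makes visible is the one behind nixpanic's answer: after the clone, the destination configuration is sufficient to unlock the clone and the source configuration is not involved, which is what makes the operation usable for migrating volumes off a KMS that is being replaced. It also shows why the operation is only as safe as the caller's right to read the parent's passphrase: the clone requester ends up with a copy of the parent's data-encryption secret under a KMS of their choosing.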

Madhu-1 commented 3 years ago

Closing this one. Thanks, @nixpanic. Thanks @Yuggupta27 for testing it.