Chapter 4. Enabling user-managed encryption for Azure
In OpenShift Container Platform version 4.12, you can install a cluster with a user-managed encryption key in Azure. To enable this feature, you can prepare an Azure DiskEncryptionSet before installation, modify the install-config.yaml
4.1. Preparing an Azure Disk Encryption Set for Day2 Operator
The OpenShift Container Platform installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a DiskEncryptionSet
Prerequisite
- You enabled the EncryptionAtHost feature in your Azure subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
Procedure
- Mark the node from the cluster resource group as unschedulable by using the following command:
  $ oc adm cordon <node_name>
- Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all the pods or the selected pods on a node:
  $ oc adm drain <compute_node> [--pod-selector=<pod_selector>]
  Note: For other options to evacuate pods from a node, see the "Understanding how to evacuate pods on nodes" section.
- De-allocate the node by running the following command:
  $ az vm deallocate -n <node_name> -g <cluster_resource_group>
- Set the encryptionAtHost property to true by running the following command:
  $ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
- Start the node by running the following command:
  $ az vm start -n <node_name> -g <cluster_resource_group>
- Mark the node as schedulable by using the following command:
  $ oc adm uncordon <node_name>
- Verify that all cluster Operators are available:
  $ oc get clusteroperators
  All Operators should show AVAILABLE=True, PROGRESSING=False, and DEGRADED=False.
- Repeat the above steps on all the nodes that run encryptionAtHost.
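The procedure above as one script, added here as an example and not taken from the OpenShift documentation. It sequences the oc and az commands for each node, refuses to uncordon a node until Azure reports securityProfile.encryptionAtHost as true, and only moves to the next node once every cluster Operator shows Available=True, Progressing=False and Degraded=False. The Operator check reads a jsonpath rendering rather than the default table, because an empty VERSION column shifts the table's columns. The drain flags --ignore-daemonsets and --delete-emptydir-data are an assumption not present in the page's command (draining an OpenShift node fails without them), the sample Operator lines are constructed, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the OpenShift documentation: the Day 2 encryptionAtHost
# rollout as a script that hands a node back to the scheduler only after Azure
# confirms the property, and moves to the next node only once all cluster
# Operators are healthy. DRY_RUN=1 prints the oc/az commands instead of running them.
set -eu

# Executes a command, or prints it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# jsonpath giving one line per Operator: "<name> Available=<s> Progressing=<s> Degraded=<s> ..."
# (robust to an empty VERSION column, which breaks naive parsing of the table output).
CO_JSONPATH='{range .items[*]}{.metadata.name}{" "}{range .status.conditions[*]}{.type}={.status}{" "}{end}{"\n"}{end}'

# Reads that output on stdin; exits 0 only if every Operator reports
# Available=True, Progressing=False and Degraded=False. Offending rows are printed.
operators_healthy() {
    awk '
    NF == 0 { next }
    {
        avail = "missing"; prog = "missing"; degr = "missing"
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "Available")   avail = kv[2]
            if (kv[1] == "Progressing") prog  = kv[2]
            if (kv[1] == "Degraded")    degr  = kv[2]
        }
        if (avail != "True" || prog != "False" || degr != "False") {
            bad++
            printf "unhealthy: %s Available=%s Progressing=%s Degraded=%s\n", $1, avail, prog, degr
        }
    }
    END { exit (bad > 0) }'
}

# Constructed samples of that jsonpath output: a healthy cluster, and one with
# an Operator still progressing after a node came back.
HEALTHY_SAMPLE='authentication Available=True Progressing=False Degraded=False Upgradeable=True
kube-apiserver Available=True Progressing=False Degraded=False Upgradeable=True'
ROLLING_SAMPLE='authentication Available=True Progressing=False Degraded=False Upgradeable=True
machine-config Available=True Progressing=True Degraded=False Upgradeable=False'

# Polls until operators_healthy passes, up to $1 attempts 30 s apart (default 20).
wait_for_operators() {
    attempts=${1:-20}
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    until oc get clusteroperators -o jsonpath="$CO_JSONPATH" | operators_healthy; do
        attempts=$((attempts - 1))
        [ "$attempts" -gt 0 ] || return 1
        sleep 30
    done
}

# Reads the property back from Azure; $1 = VM name, $2 = cluster resource group.
# The boolean is compared case-insensitively because the CLI's tsv casing is not relied on.
encryption_at_host_enabled() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    state=$(az vm show -n "$1" -g "$2" --query securityProfile.encryptionAtHost -o tsv | tr '[:upper:]' '[:lower:]')
    [ "$state" = "true" ]
}

# The per-node sequence from the procedure; $1 = node (and VM) name, $2 = cluster resource group.
# --ignore-daemonsets and --delete-emptydir-data are assumed here (they are not in the
# page's command) because draining an OpenShift node fails without them.
rollout_node() {
    node=$1; rg=$2
    run oc adm cordon "$node"
    run oc adm drain "$node" --ignore-daemonsets --delete-emptydir-data
    run az vm deallocate -n "$node" -g "$rg"
    run az vm update -n "$node" -g "$rg" --set securityProfile.encryptionAtHost=true
    run az vm start -n "$node" -g "$rg"
    # Never uncordon a node whose disks are still unencrypted at host.
    encryption_at_host_enabled "$node" "$rg" || { echo "encryptionAtHost not set on $node" >&2; return 1; }
    run oc adm uncordon "$node"
}

# Rolls the change out one node at a time: $1 = cluster resource group, then node names.
rollout() {
    rg=$1; shift
    for node in "$@"; do
        rollout_node "$node" "$rg"
        wait_for_operators || { echo "cluster Operators unhealthy after $node" >&2; return 1; }
    done
}

# Usage: DRY_RUN=1 sh enable-encryption-at-host.sh <cluster_resource_group> <node_name>...
if [ "$#" -gt 0 ]; then rollout "$@"; fi
```

Running it with DRY_RUN=1 first prints the six commands per node in order, which is a cheap way to review the node list before anything is deallocated; the gate on Operator health between nodes is what keeps a bad update on one node from being repeated across the cluster.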
If you want to enable encryption for your host during cluster installation, specify the following parameters in the install-config.yaml file:
- compute.platform.azure.encryptionAtHost
- controlPlane.platform.azure.encryptionAtHost
- platform.azure.defaultMachinePlatform.encryptionAtHost
4.2. Preparing an Azure Disk Encryption Set
The OpenShift Container Platform installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.
Procedure
- Set the following environment variables for the Azure resource group by running the following command:
  $ export RESOURCEGROUP="<resource_group>" \
      LOCATION="<location>"
  - 1: RESOURCEGROUP specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group than the resource group where you install the cluster.
  - 2: LOCATION specifies the Azure location where you will create the resource group.
- Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command:
  $ export KEYVAULT_NAME="<keyvault_name>" \
      KEYVAULT_KEY_NAME="<keyvault_key_name>" \
      DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>"
- Set the environment variable for the ID of your Azure Service Principal by running the following command:
  $ export CLUSTER_SP_ID="<service_principal_id>"
  - 1: CLUSTER_SP_ID specifies the ID of the service principal you will use for this installation.
- Enable host-level encryption in Azure by running the following commands:
  $ az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
  $ az feature show --namespace Microsoft.Compute --name EncryptionAtHost
  $ az provider register -n Microsoft.Compute
- Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command:
  $ az group create --name $RESOURCEGROUP --location $LOCATION
- Create an Azure key vault by running the following command:
  $ az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \
      --enable-purge-protection true
- Create an encryption key in the key vault by running the following command:
  $ az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME \
      --protection software
- Capture the ID of the key vault by running the following command:
  $ KEYVAULT_ID=$(az keyvault show --name $KEYVAULT_NAME --query "[id]" -o tsv)
- Capture the key URL in the key vault by running the following command:
  $ KEYVAULT_KEY_URL=$(az keyvault key show --vault-name $KEYVAULT_NAME --name \
      $KEYVAULT_KEY_NAME --query "[key.kid]" -o tsv)
- Create a disk encryption set by running the following command:
  $ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
      $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
- Grant the DiskEncryptionSet resource access to the key vault by running the following commands:
  $ DES_IDENTITY=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
      $RESOURCEGROUP --query "[identity.principalId]" -o tsv)
  $ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
      $DES_IDENTITY --key-permissions wrapkey unwrapkey get
- Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands:
  $ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
      $RESOURCEGROUP --query "[id]" -o tsv)
  $ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \
      --scope $DES_RESOURCE_ID -o jsonc
  - 1: <reader_role> specifies an Azure role with read permissions to the disk encryption set. You can use the Owner role or a custom role with the necessary permissions.
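The Disk Encryption Set procedure above as one script, added here as an example and not taken from the OpenShift documentation. It validates the key vault name against Azure's naming rule before any resource is created, runs the steps in the order the procedure gives them (key vault with purge protection and the key first, the set next, then the two grants), and finishes with a check that the set's managed identity holds exactly the get, wrapKey and unwrapKey permissions the procedure grants and nothing more. Assumptions: the built-in Reader role stands in for the page's <reader_role> placeholder (the page also allows Owner, which is far broader than needed), the angle-bracket values returned under DRY_RUN=1 are placeholders, and the access-policy lines fed to the audit in the comment and the test are constructed.

```shell
#!/bin/sh
# Added example, not from the OpenShift documentation: the Disk Encryption Set
# procedure as a script with input validation and a least-privilege audit.
# DRY_RUN=1 prints the az commands and substitutes placeholder lookup results.
set -eu

# Executes a command, or prints it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Captures a lookup's output; under DRY_RUN=1 returns the placeholder given as $1 instead.
lookup() {
    placeholder=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*" >&2; printf '%s\n' "$placeholder"; else "$@"; fi
}

# Azure Key Vault naming rule: 3-24 characters, letters/digits/hyphens, starts with
# a letter, ends with a letter or digit, no consecutive hyphens.
valid_keyvault_name() {
    case $1 in *--*) return 1 ;; esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$'
}

# Expects the procedure's environment: RESOURCEGROUP LOCATION KEYVAULT_NAME
# KEYVAULT_KEY_NAME DISK_ENCRYPTION_SET_NAME CLUSTER_SP_ID (set -u fails fast if one is missing).
create_disk_encryption_set() {
    valid_keyvault_name "$KEYVAULT_NAME" || { echo "invalid key vault name: $KEYVAULT_NAME" >&2; return 1; }

    run az feature register --namespace Microsoft.Compute --name EncryptionAtHost
    run az feature show --namespace Microsoft.Compute --name EncryptionAtHost
    run az provider register -n Microsoft.Compute
    run az group create --name "$RESOURCEGROUP" --location "$LOCATION"
    # Purge protection keeps a deleted key recoverable; without it, every disk
    # encrypted under that key becomes permanently unreadable.
    run az keyvault create -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" -l "$LOCATION" --enable-purge-protection true
    run az keyvault key create --vault-name "$KEYVAULT_NAME" -n "$KEYVAULT_KEY_NAME" --protection software

    KEYVAULT_ID=$(lookup "<keyvault_id>" az keyvault show --name "$KEYVAULT_NAME" --query id -o tsv)
    KEYVAULT_KEY_URL=$(lookup "<key_url>" az keyvault key show --vault-name "$KEYVAULT_NAME" --name "$KEYVAULT_KEY_NAME" --query key.kid -o tsv)
    run az disk-encryption-set create -n "$DISK_ENCRYPTION_SET_NAME" -l "$LOCATION" -g "$RESOURCEGROUP" \
        --source-vault "$KEYVAULT_ID" --key-url "$KEYVAULT_KEY_URL"

    # The set's managed identity gets only what wrapping and unwrapping the data key needs.
    DES_IDENTITY=$(lookup "<des_principal_id>" az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" -g "$RESOURCEGROUP" --query identity.principalId -o tsv)
    run az keyvault set-policy -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" --object-id "$DES_IDENTITY" --key-permissions wrapkey unwrapkey get

    # Reader (assumed here for the page's <reader_role>) is the built-in read-only role.
    DES_RESOURCE_ID=$(lookup "<des_resource_id>" az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" -g "$RESOURCEGROUP" --query id -o tsv)
    run az role assignment create --assignee "$CLUSTER_SP_ID" --role Reader --scope "$DES_RESOURCE_ID" -o jsonc
}

# Audits the vault's access policies. stdin: one policy per line, "<objectId><TAB><key permissions>",
# as produced by
#   az keyvault show -n "$KEYVAULT_NAME" --query "properties.accessPolicies[].[objectId, join(' ', permissions.keys)]" -o tsv
# $1 = the Disk Encryption Set's principal id. Exits 0 only if that principal has exactly
# get, wrapKey and unwrapKey (compared case-insensitively); constructed sample line:
#   1111-aaaa<TAB>get wrapKey unwrapKey
des_policy_is_least_privilege() {
    awk -F '\t' -v des="$1" '
    tolower($1) == tolower(des) {
        found = 1
        n = split(tolower($2), p, " ")
        for (i = 1; i <= n; i++) {
            if (p[i] == "get" || p[i] == "wrapkey" || p[i] == "unwrapkey") have[p[i]] = 1
            else extra = extra " " p[i]
        }
    }
    END {
        if (!found) { print "no access policy for " des; exit 1 }
        if (!(have["get"] && have["wrapkey"] && have["unwrapkey"])) { print "missing get/wrapKey/unwrapKey"; exit 1 }
        if (extra != "") { print "excess key permissions:" extra; exit 1 }
        exit 0
    }'
}
```

After a real run, pipe the az keyvault show query from the comment into des_policy_is_least_privilege with the DES principal id; a non-zero exit means someone has widened the set's key permissions beyond wrap, unwrap and get, which is the only key access the data path needs.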
4.3. Next steps
Install an OpenShift Container Platform cluster:
- Install a cluster with customizations on installer-provisioned infrastructure
- Install a cluster with network customizations on installer-provisioned infrastructure
- Install a cluster into an existing VNet on installer-provisioned infrastructure
- Install a private cluster on installer-provisioned infrastructure
- Install a cluster into a government region on installer-provisioned infrastructure