Kubernetes Terminology
The following Kubernetes terms are important to understand when working with CTE for Kubernetes containers.
Container Storage Interface
Container Storage Interface (CSI) is a plugin for Kubernetes that allows the implementation of third-party persistent storage solutions. This provides Kubernetes users more options for storage. CTE for Kubernetes is implemented as a CSI plugin which allows Thales to provide encryption and data protection while using Kubernetes volume configuration semantics.
Persistent Volumes
A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator, or dynamically provisioned using Storage Classes. It is a resource in the cluster. PVs are volume plugins like volumes, but have a lifecycle independent of any individual Pod that uses the PV. This API object captures the details of the implementation of the storage.
Unlike other storage plugins, CTE PVs are virtual in nature and do not store actual data. They function as an overlay on top of other Kubernetes PVs and encrypt the contents of the underlying PV.
Persistent Volume Claims
A Persistent Volume Claim (PVC) is a request to bind a PV to a namespace. Once claimed, a PV can be attached to any Pod within the same namespace. A PV that has not been claimed is not used by any Pod.
Storage Class
A StorageClass provides a method for administrators to describe the classes of storage they offer. Storage classes are the foundation for defining parameters for dynamic provisioning.
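The relationship between the three objects above (a StorageClass describes the class of storage, a PVC requests a volume of that class, and a Pod in the same namespace mounts the claim) is easiest to see in a manifest. The following is an added example, not a manifest from the CTE for Kubernetes documentation: the provisioner name, the StorageClass parameters, the names and the image are placeholders or assumptions, and the real values for the CTE CSI driver come from the product documentation.

```yaml
# Added example: StorageClass -> PersistentVolumeClaim -> Pod.
# Provisioner, parameter keys, names and image are placeholders, not the
# CTE for Kubernetes driver's actual identifiers.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: cte-encrypted                  # assumed class name
provisioner: PLACEHOLDER.cte.csi.driver   # placeholder for the CTE CSI driver name
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer   # bind only when a Pod is scheduled
parameters:
  # Placeholder key: CTE overlays an existing PV, so the driver needs to know
  # which underlying class to provision and then encrypt.
  underlying-storage-class: standard
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: payments                  # a PVC is namespace-scoped
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: cte-encrypted      # selects the class defined above
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: payments                  # must match the PVC's namespace
spec:
  securityContext:
    runAsNonRoot: true                 # least privilege for the consuming container
    runAsUser: 10001
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      volumeMounts:
        - name: data
          mountPath: /data             # the encrypted overlay appears here
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: app-data            # binds this Pod to the claim
```

After `kubectl apply -f` on this file, `kubectl get pvc -n payments` should show the claim as Bound once the Pod is scheduled (because of WaitForFirstConsumer), and a Pod in a different namespace cannot reference `app-data`, which is the namespace isolation the PVC definition above describes.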
Namespaces
In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Namespaces are a way to divide cluster resources between multiple users.
Note
- Namespaces cannot be nested inside one another. Each Kubernetes resource can only reside in one namespace.
- Avoid creating namespaces with the prefix kube-. It is reserved for Kubernetes system namespaces.
- Names of the resources need to be unique within a namespace, but not across namespaces.
Pods
A Pod is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers. A Pod's contents are always co-located and co-scheduled, and run in a shared context. A Pod models an application-specific "logical host": it contains one or more application containers which are relatively tightly coupled. A Pod consumes the node's resources. In non-cloud contexts, applications executed on the same physical or virtual machine are analogous to cloud applications executed on the same logical host. Pods are the smallest deployable units of computing that you can create and manage in Kubernetes.
CTE Staging Pod
A CTE staging pod is a special pod that mounts a Persistent Volume available to a Kubernetes cluster, so that CTE can attach the protection layer on top of the PV. CTE for Kubernetes automatically generates a staging pod on the same node where a Pod with a CTE PVC volume is deployed.
Storage Group
A Storage Group is conceptually similar to a Client Group. A Kubernetes Storage Group is created in CipherTrust Manager and consists of Kubernetes clients, in the same way that a Client Group consists of CTE Clients.