Encrypting EVS Disks

Prerequisites

• You have created a cluster and installed the CCE Container Storage (Everest) add-on in the cluster.
• An available key has been created in DEW.
• To create a cluster using commands, ensure kubectl is used. For details, see Connecting to a Cluster Using kubectl.

Using the Console

1. Log in to the CCE console and click the cluster name to access the cluster console.
2. Dynamically create a PVC and PV.
   1. Choose Storage in the navigation pane and click the PersistentVolumeClaims (PVCs) tab. Click Create PVC in the upper right corner. In the dialog box displayed, configure PVC parameters.
   2. Select EVS for the storage type, enable encryption, and choose a key. Configure other parameters based on service requirements. For details, see Using an EVS Disk Through a Dynamic PV.
   3. Click Create.

3. Go to the PersistentVolumeClaims (PVCs) tab and check whether the PVC of the encrypted EVS disk is created and whether the disk is encrypted.
4. The method of using an encrypted PVC is the same as that of using a regular PVC.

Automatically Creating an Encrypted EVS Disk Using kubectl

1. Use kubectl to access the cluster.
2. Create the pvc-evs-auto.yaml file. For details, see Automatically Creating an EVS Volume Through kubectl.

   apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
     name: pvc-evs-auto
     namespace: default
     annotations:
       everest.io/disk-volume-type: SAS    # EVS disk
       everest.io/crypt-key-id: 37f202db-a970-4ac1-a506-e5c4f2d7ce69   # Encryption key ID, which can be obtained from DEW
     labels:
       failure-domain.beta.kubernetes.io/region: <your_region>   # Region of the node where the application is to be deployed
       failure-domain.beta.kubernetes.io/zone: <your_zone>       # AZ of the node where the application is to be deployed
   spec:
     accessModes:
     - ReadWriteOnce               # The value must be ReadWriteOnce for EVS disks.
     resources:
       requests:
         storage: 10Gi             # EVS disk capacity, ranging from 1 to 32768
     storageClassName: csi-disk    # The storage class is EVS.

3. Run the following command to create a PVC:

   kubectl apply -f pvc-evs-auto.yaml

4. Go to the PersistentVolumeClaims (PVCs) tab and check whether the PVC of the encrypted EVS disk is created and whether the disk is encrypted.