This blog was written in collaboration with Maksim Yankovskiy, CTO and vice president of engineering at Zettaset.
Accelerated by digital transformation and emphasized by an increasing number of data breaches, data protection is one of the top issues for enterprises. The need for data protection extends beyond organizations that fall under compliance regulations. At the same time, legacy approaches to data protection, such as infrastructure or storage system-based encryption, do not satisfy the basic requirements of modern microservices environments: granularity, transparency, and performance.
Red Hat OpenShift Service on AWS (ROSA) provides a turn-key managed Red Hat OpenShift Container Platform service running natively on Amazon Web Services.
Red Hat Advanced Cluster Management for Kubernetes (RHACM) allows organizations to manage, scale, and extend large Red Hat OpenShift deployments for a consistent experience across on-premises, hybrid cloud, public cloud, and multicloud deployments.
Zettaset XCrypt Data Encryption Platform is a native Kubernetes and Red Hat OpenShift data protection solution that provides automated deployment, granular encryption, along with centralized management and monitoring in a software package that works with a variety of storage systems. With the addition of RHACM governance policies for Zettaset XCrypt Data Encryption Platform, it is now easier to deploy data protection automatically and at scale to many ROSA clusters managed by RHACM.
This article walks you through the deployment of XCrypt Data Encryption Platform for OpenShift and Zettaset XCrypt Centralized Management Console by using RHACM governance policies.
- RHACM version 2.6 or later
- One or more ROSA clusters version 4.10 or later
Note: This guide was created by using ROSA version 4.12 as the target environment.
Deploying XCrypt Data Encryption Platform for OpenShift
Overview of Zettaset XCrypt Data Encryption Platform governance policies
You can deploy Zettaset XCrypt Data Encryption Platform by downloading and using the following governance policies:
| RHACM policy | Policy description |
| --- | --- |
| zts-xcrypt | RHACM policy set for single-command deployment. |
| policy-zts-cmc-deployment.yaml | RHACM policy for deploying Zettaset Centralized Management Console. |
Deploying Zettaset XCrypt Data Encryption Platform governance policies
After downloading the policies, run the following commands to install Zettaset XCrypt Data Encryption Platform by using a single policy set:
$ oc create -f zts-xcrypt/policy/policy-zts-xcrypt-secrets.yaml
$ oc apply -f zts-xcrypt/policy/policy-zts-ceph-conf-secret.yaml
$ oc create -f zts-xcrypt/policy/policy-zts-xcrypt-version-ceph.yaml
Starting your Zettaset XCrypt Data Encryption Platform deployment
The easiest way to start the deployment is to change the remediation of the Zettaset XCrypt Data Encryption Platform governance policies in RHACM from the default inform to enforce by using the RHACM console. Once the policies are deployed, they appear in the console. See the following image that shows deployed policies in the console:
Confirm that you want to start enforcing the Zettaset XCrypt Data Encryption Platform policies.
Until all Zettaset XCrypt Data Encryption Platform policies are enforced, RHACM shows one or more policy violations. This is normal and indicates that the managed cluster is not yet fully protected. Continue by changing the remediation action for the Zettaset XCrypt Data Encryption Platform policies from inform to enforce. Confirm that you want to start enforcing the Zettaset XCrypt Data Encryption Platform policies.
You can now connect to the managed cluster and monitor the progress of the Zettaset XCrypt Data Encryption Platform deployment by running the following command:
$ oc get pods -n zts-xcrypt
After a few seconds, the policy states change to enforce (no violations) and the Zettaset XCrypt Data Encryption Platform pods start running. The typical deployment time of Zettaset XCrypt Data Encryption Platform to a managed cluster is less than three minutes. Once the deployment is complete, all pods are operational and show a
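The same inform-to-enforce switch and the wait for compliance, driven from the CLI instead of the console, as an added shell example that is not part of the original post or Zettaset's tooling. It assumes oc is logged in to the RHACM hub; the policy namespace and the Policy object names are placeholders (the names are taken from the policy file names above, which the post does not confirm as object names).

```bash
#!/usr/bin/env bash
# Added example, not from the original post: drive the inform-to-enforce switch
# from the CLI instead of the RHACM console, then poll until each policy is
# Compliant. POLICY_NS and the policy names are placeholders for the hub
# namespace and Policy object names your downloaded policy set creates.
set -eu
POLICY_NS="${POLICY_NS:-zts-xcrypt-policies}"   # placeholder hub namespace

# JSON merge patch for spec.remediationAction; pure, so it can be checked offline.
remediation_patch() {
  case "$1" in
    inform|enforce) printf '{"spec":{"remediationAction":"%s"}}' "$1" ;;
    *) echo "remediation must be inform or enforce, got: $1" >&2; return 1 ;;
  esac
}

# Patch one Policy object on the hub cluster.
set_remediation() {
  oc patch policy "$1" -n "$POLICY_NS" --type merge -p "$(remediation_patch "$2")"
}

# Map RHACM's status.compliant to an exit code: 0 Compliant, 1 otherwise.
is_compliant() {
  [ "$1" = "Compliant" ]
}

# Poll status.compliant until Compliant or until the timeout (seconds) expires.
# A transient NonCompliant here is expected: the post notes violations until
# every XCrypt policy has been enforced on the managed cluster.
wait_compliant() {
  local policy="$1" timeout="${2:-180}" waited=0 state=""
  while [ "$waited" -lt "$timeout" ]; do
    state="$(oc get policy "$policy" -n "$POLICY_NS" -o jsonpath='{.status.compliant}')"
    if is_compliant "$state"; then return 0; fi
    sleep 5; waited=$((waited + 5))
  done
  echo "$policy is '${state}' after ${timeout}s" >&2
  return 1
}

# Enforce, then wait, for every policy in the set (placeholder names taken from
# the policy file names above).
enforce_xcrypt_policies() {
  local policies="policy-zts-xcrypt-secrets policy-zts-ceph-conf-secret policy-zts-xcrypt-version-ceph"
  for p in $policies; do set_remediation "$p" enforce; done
  for p in $policies; do wait_compliant "$p"; done
}
```

Source the file and call enforce_xcrypt_policies, or set_remediation and wait_compliant for a single policy; the remaining violations the post mentions clear as each policy is enforced.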
If you are installing Zettaset XCrypt Data Encryption Platform on ROSA by using the single policy set, you get the following confirmation message in the console:
Zettaset Xcrypt product is deployed using an Operator Deployment on an OpenShift cluster. This policy set is focused on the components that install on every managed cluster.
Using Zettaset XCrypt Data Encryption Platform to encrypt persistent volumes
Once the Zettaset XCrypt Data Encryption Platform deployment is complete, you can protect your persistent volumes by using the Zettaset XCrypt storage class when requesting persistent volumes. See the following example:
You can reference the persistent volume claim when requesting storage for an application pod. See the following example, which creates an encrypted PVC and attaches it to the
- name: mariadb
- containerPort: 3306
- name: MARIADB_ROOT_PASSWORD
- name: existingvolumename
- name: existingvolumename
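The PVC request and the mariadb pod attachment described above, as an added shell example that is not the post's own manifest (of which only fragments survive here): it renders a PersistentVolumeClaim on the XCrypt storage class and a Pod that mounts it. The storage class name, the image tag and the Secret holding the root password are assumptions; substitute the values from your deployment.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Renders the two manifests the post
# describes: a PVC on the Zettaset XCrypt storage class and the mariadb Pod that
# mounts it. Placeholders: the storage class name and the root-password Secret.
set -eu
XCRYPT_STORAGE_CLASS="${XCRYPT_STORAGE_CLASS:-zts-xcrypt}"   # placeholder; use your deployment's class

# PVC bound to the XCrypt storage class, so the volume it provisions is encrypted.
render_pvc() {
  local name="$1" size="$2"
  cat <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata: {name: ${name}}
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: ${XCRYPT_STORAGE_CLASS}
  resources: {requests: {storage: ${size}}}
EOF
}

# mariadb Pod mounting the claim as its data directory. The root password is read
# from a Secret (placeholder name) rather than written into the manifest.
render_mariadb_pod() {
  local claim="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata: {name: mariadb}
spec:
  containers:
  - name: mariadb
    image: mariadb:10.11   # constructed tag; pin to the image you actually run
    ports:
    - containerPort: 3306
    env:
    - name: MARIADB_ROOT_PASSWORD
      valueFrom:
        secretKeyRef: {name: mariadb-root, key: password}   # placeholder Secret
    volumeMounts:
    - name: existingvolumename
      mountPath: /var/lib/mysql
  volumes:
  - name: existingvolumename
    persistentVolumeClaim: {claimName: ${claim}}
EOF
}
```

Create both objects in the current project with `{ render_pvc mariadb-data 10Gi; echo ---; render_mariadb_pod mariadb-data; } | oc apply -f -`.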
Once deployed, you can view the mariadb application in the console, which now shows that it is using the volume claim protected by Zettaset XCrypt Data Encryption Platform.
The complete example for this test is available in the mahesh-zetta/rhacm-demo repository.
Accessing Zettaset XCrypt Centralized Management Console
The Zettaset XCrypt Centralized Management Console allows you to manage and monitor data protection in all your OpenShift clusters. By using the Zettaset XCrypt Centralized Management Console, you can also selectively revoke data protection keys for persistent volumes. This allows for a granular and targeted response to an attack, as well as for secure decommissioning of individual persistent volumes or entire worker nodes.
The following diagram shows the control flow when you make a key revocation request from the Zettaset XCrypt Centralized Management Console:
Once the RHACM XCrypt Centralized Management Console application is deployed, you can access the Zettaset XCrypt Centralized Management Console by clicking the Launch Route URL link in the zts-cmc application. You can manage the data protection key used to encrypt the mariadb persistent volume in the Zettaset XCrypt Centralized Management Console.
In addition to managing data protection keys, the Zettaset XCrypt Centralized Management Console continuously monitors data protection key activity and can alert you to any out-of-policy events. With a flexible policy definition, you can create policies that detect unauthorized and malicious activity in your OpenShift clusters. You can view policy violations in the Zettaset XCrypt Centralized Management Console or from the command line.
With the increased adoption of microservices architecture in the public cloud and at the edge, a granular approach to data protection is one of the best ways to enhance the security of sensitive information. As modern applications are implemented and deployed in Red Hat OpenShift, the Zettaset XCrypt product suite provides granular, scalable, and transparent data protection for any storage system and enables continuous monitoring of data protection key activity. This creates an environment that not only provides the level of performance and velocity modern enterprises require, but also better resilience to breaches, with faster detection and less intrusive response and recovery.