This blog was written in collaboration with Maksim Yankovskiy, CTO and vice president of engineering at Zettaset.

Accelerated by digital transformation and underscored by an increasing number of data breaches, data protection is one of the top issues for enterprises. The need for data protection extends well beyond organizations that fall under compliance regulations. At the same time, legacy approaches to data protection, such as infrastructure-based or storage-system-based encryption, do not satisfy the basic requirements of modern microservices environments: granularity, transparency, and performance.

Red Hat OpenShift Service on AWS (ROSA) provides a turn-key managed Red Hat OpenShift Container Platform service running natively on Amazon Web Services.

Red Hat Advanced Cluster Management for Kubernetes (RHACM) allows organizations to manage, scale, and extend large Red Hat OpenShift deployments for a consistent experience across on-premises, hybrid cloud, public cloud, and multicloud deployments.

Zettaset XCrypt Data Encryption Platform is a native Kubernetes and Red Hat OpenShift data protection solution that provides automated deployment and granular encryption, along with centralized management and monitoring, in a software package that works with a variety of storage systems. With the addition of RHACM governance policies for Zettaset XCrypt Data Encryption Platform, it is now easier to deploy data protection automatically and at scale to the many ROSA clusters managed by RHACM.

This article walks you through the deployment of XCrypt Data Encryption Platform for OpenShift and Zettaset XCrypt Centralized Management Console by using RHACM governance policies.

Prerequisites

  • RHACM version 2.6 or later
  • One or more ROSA clusters version 4.10 or later

Note: This guide was created by using ROSA version 4.12 as the target environment.

Deploying XCrypt Data Encryption Platform for OpenShift

Overview of Zettaset XCrypt Data Encryption Platform governance policies

You can deploy Zettaset XCrypt Data Encryption Platform by downloading and using the following governance policies:

RHACM policy                      Policy description
zts-xcrypt                        RHACM policy set for single-command deployment.
policy-zts-cmc-deployment.yaml    RHACM policy for deploying Zettaset Centralized Management Console.

Deploying Zettaset XCrypt Data Encryption Platform governance policies

After downloading the policies, run the following commands to install Zettaset XCrypt Data Encryption Platform by using a single policy set:

$ oc create -f zts-xcrypt/policy/policy-zts-xcrypt-secrets.yaml
$ oc apply -f zts-xcrypt/policy/policy-zts-ceph-conf-secret.yaml
$ oc create -f zts-xcrypt/policy/policy-zts-xcrypt-version-ceph.yaml

Starting your Zettaset XCrypt Data Encryption Platform deployment

The easiest way to start the deployment is to use the RHACM console to change the remediation action of the Zettaset XCrypt Data Encryption Platform governance policies from the default inform to enforce. Once the policies are created, they appear in the console. The following image shows the deployed policies in the console:

[Image: XCrypt policies in the RHACM Governance UI]


Until all Zettaset XCrypt Data Encryption Platform policies are enforced, RHACM shows one or more policy violations. This is normal and indicates that the managed cluster is not yet fully protected. Continue by changing the remediation action for the Zettaset XCrypt Data Encryption Platform policies from inform to enforce, and confirm that you want to start enforcing the policies.

You can now connect to the managed cluster and monitor the progress of the Zettaset XCrypt Data Encryption Platform deployment by running the following command:

$ oc get pods -n zts-xcrypt

After a few seconds, the policies report the enforce remediation action with no violations, and the Zettaset XCrypt Data Encryption Platform pods start running. The typical deployment time of Zettaset XCrypt Data Encryption Platform to a managed cluster is less than three minutes. Once the deployment is complete, all pods are operational and show a Running status.
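Switching every XCrypt policy from inform to enforce by clicking through the console works for a handful of clusters, but a hub managing many ROSA clusters is easier to drive from the command line. The following script is an added example, not code from the article, from Red Hat or from Zettaset. It reads the JSON that `oc get policy -n <namespace> -o json` returns, emits the `oc patch` command for each policy still on inform, and lists the managed clusters on which each policy still reports a violation. The field layout used (spec.remediationAction and status.status[].clustername/compliant) follows the RHACM Policy API (policy.open-cluster-management.io/v1); the policy names, cluster names and the zts-xcrypt namespace in the sample data are constructed for this example.

```python
"""Plan the inform-to-enforce switch and read per-cluster compliance for RHACM policies.

Added example, not code from the article or from Zettaset. It operates on the JSON that
`oc get policy -n <namespace> -o json` returns (a List whose items are Policy objects).
The policy and cluster names below are constructed sample data; the namespace zts-xcrypt
is assumed to be where the XCrypt policies were created.
"""
import json
import shlex
import sys
from typing import Dict, List, Optional


def enforce_patch(policy: Dict) -> Optional[Dict]:
    """JSON merge patch that sets remediationAction to enforce; None if already enforced."""
    action = policy.get("spec", {}).get("remediationAction", "inform")
    return None if action == "enforce" else {"spec": {"remediationAction": "enforce"}}


def oc_patch_command(policy: Dict) -> Optional[str]:
    """Build the `oc patch` invocation for a policy that still uses inform remediation."""
    patch = enforce_patch(policy)
    if patch is None:
        return None
    meta = policy["metadata"]
    return (
        f"oc patch policy {shlex.quote(meta['name'])} -n {shlex.quote(meta['namespace'])} "
        f"--type merge -p {shlex.quote(json.dumps(patch))}"
    )


def noncompliant_clusters(policy: Dict) -> List[str]:
    """Managed clusters on which this policy currently reports a violation."""
    per_cluster = policy.get("status", {}).get("status") or []
    return sorted(c["clustername"] for c in per_cluster if c.get("compliant") != "Compliant")


def plan(policies: List[Dict]) -> Dict:
    """Summarize what still has to happen: patches to run and clusters still in violation."""
    commands = [c for c in (oc_patch_command(p) for p in policies) if c]
    violations = {}
    for p in policies:
        clusters = noncompliant_clusters(p)
        if clusters:
            violations[p["metadata"]["name"]] = clusters
    return {"patch_commands": commands, "noncompliant": violations}


def _cluster_status(name: str, compliant: str) -> Dict:
    return {"clustername": name, "clusternamespace": name, "compliant": compliant}


# Constructed sample: one policy still on inform and violated on one ROSA cluster,
# one already enforced and compliant everywhere.
SAMPLE_POLICIES = [
    {
        "metadata": {"name": "policy-zts-xcrypt-secrets", "namespace": "zts-xcrypt"},
        "spec": {"remediationAction": "inform"},
        "status": {
            "compliant": "NonCompliant",
            "status": [
                _cluster_status("rosa-cluster-1", "NonCompliant"),
                _cluster_status("rosa-cluster-2", "Compliant"),
            ],
        },
    },
    {
        "metadata": {"name": "policy-zts-ceph-conf-secret", "namespace": "zts-xcrypt"},
        "spec": {"remediationAction": "enforce"},
        "status": {
            "compliant": "Compliant",
            "status": [
                _cluster_status("rosa-cluster-1", "Compliant"),
                _cluster_status("rosa-cluster-2", "Compliant"),
            ],
        },
    },
]

if __name__ == "__main__":
    # Pipe `oc get policy -n zts-xcrypt -o json` into this script to plan against a live hub;
    # without piped input it reports on the constructed sample.
    items = SAMPLE_POLICIES if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    print(json.dumps(plan(items), indent=2))
```

Run the printed patch commands against the hub cluster once you have reviewed them; the noncompliant map is the same information the console shows as policy violations, and it is expected to be non-empty until enforcement has completed on every managed cluster.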

If you are installing Zettaset XCrypt Data Encryption Platform on ROSA by using the single policy set, you get the following confirmation message in the console:

Zettaset Xcrypt product is deployed using an Operator Deployment on an OpenShift cluster. This policy set is focused on the components that install on every managed cluster.

Using Zettaset XCrypt Data Encryption Platform to encrypt persistent volumes

Once the Zettaset XCrypt Data Encryption Platform deployment is complete, you can protect your persistent volumes by using the Zettaset XCrypt storage class when requesting persistent volumes. See the following example:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: zts-claim1
  namespace: zts-xcrypt
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: zts-sc
  resources:
    requests:
      storage: 100Mi

You can reference the persistent volume claim when requesting storage for an application pod. See the following example, a fragment of the pod template, which attaches the encrypted PVC created above to the mariadb deployment:

# Pod template spec fragment of the mariadb Deployment
containers:
  - name: mariadb
    image: bitnami/mariadb:latest
    ports:
      - containerPort: 3306
        name: db-port
    env:
      - name: MARIADB_ROOT_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mariadb
            key: MYSQL_ROOT_PASSWORD
    volumeMounts:
      - name: existingvolumename
        mountPath: "/mnt/data"
volumes:
  # The volume is backed by the encrypted claim requested with storageClassName zts-sc
  - name: existingvolumename
    persistentVolumeClaim:
      claimName: zts-claim1

Once deployed, you can view the mariadb application in the console, which now shows that it is using the volume claim protected by Zettaset XCrypt Data Encryption Platform.
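Encryption here is opt-in per claim: a PVC is protected only if it requests the zts-sc storage class, and a pod is protected only if every persistent volume it mounts resolves to such a claim. The following audit script is an added example covering both the PVC and the pod template above; it is not code from the article or from the mahesh-zetta/rhacm-demo repository. It consumes the JSON that `oc get pvc,pods -n <namespace> -o json` returns, flags claims that will not be XCrypt-encrypted, and reports for each pod which of its claims are encrypted. The storage class name zts-sc and the claim name zts-claim1 come from the article; the other class name (gp3-csi), the other claim names and all pod names are constructed sample data.

```python
"""Audit which PVCs and pods in a namespace are backed by the XCrypt storage class.

Added example; not code from the article or the mahesh-zetta/rhacm-demo repository.
It consumes the JSON that `oc get pvc,pods -n <namespace> -o json` returns (a List
whose items carry a kind field). Only zts-sc and zts-claim1 come from the article;
everything else in the sample data is constructed.
"""
import json
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Storage classes that hand out XCrypt-protected volumes; extend if the cluster defines more.
ENCRYPTED_STORAGE_CLASSES = frozenset({"zts-sc"})


def storage_class_of(pvc: Dict) -> Optional[str]:
    """Storage class a claim requests; None when it relies on the cluster default class."""
    return pvc.get("spec", {}).get("storageClassName")


def unencrypted_pvcs(pvcs: Iterable[Dict], encrypted=ENCRYPTED_STORAGE_CLASSES) -> List[str]:
    """Names of claims that will not be encrypted by XCrypt.

    A claim without storageClassName binds to whatever the cluster default class is, so it
    is flagged unless that default class has been added to the encrypted set.
    """
    return sorted(p["metadata"]["name"] for p in pvcs if storage_class_of(p) not in encrypted)


def pod_volume_report(
    pods: Iterable[Dict], pvcs: Iterable[Dict], encrypted=ENCRYPTED_STORAGE_CLASSES
) -> Dict[str, List[Tuple[str, bool]]]:
    """For every pod, list (claimName, encrypted?) for each PVC-backed volume it mounts.

    A claim that does not exist in the namespace is reported as unencrypted, since nothing
    guarantees what it will bind to once it is created.
    """
    sc_by_claim = {p["metadata"]["name"]: storage_class_of(p) for p in pvcs}
    report: Dict[str, List[Tuple[str, bool]]] = {}
    for pod in pods:
        entries = []
        for vol in pod.get("spec", {}).get("volumes") or []:
            claim = vol.get("persistentVolumeClaim")
            if not claim:
                continue  # emptyDir, configMap, secret, ... do not hold persistent data
            name = claim["claimName"]
            entries.append((name, sc_by_claim.get(name) in encrypted))
        report[pod["metadata"]["name"]] = entries
    return report


def split_by_kind(items: Iterable[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Separate the mixed items of `oc get pvc,pods -o json` into (pvcs, pods)."""
    items = list(items)
    pvcs = [i for i in items if i.get("kind") == "PersistentVolumeClaim"]
    pods = [i for i in items if i.get("kind") == "Pod"]
    return pvcs, pods


def _pvc(name: str, storage_class: Optional[str]) -> Dict:
    spec = {"accessModes": ["ReadWriteOnce"]}
    if storage_class is not None:
        spec["storageClassName"] = storage_class
    return {"kind": "PersistentVolumeClaim", "metadata": {"name": name}, "spec": spec}


def _pod(name: str, volumes: List[Dict]) -> Dict:
    return {"kind": "Pod", "metadata": {"name": name}, "spec": {"volumes": volumes}}


# Constructed sample: the article's encrypted claim, a claim on an ordinary class, and a
# claim that omitted storageClassName and therefore falls back to the cluster default.
SAMPLE_PVCS = [
    _pvc("zts-claim1", "zts-sc"),
    _pvc("scratch-claim", "gp3-csi"),
    _pvc("legacy-claim", None),
]
SAMPLE_PODS = [
    _pod("mariadb-7c9d4b6f5-x2k4p",
         [{"name": "existingvolumename", "persistentVolumeClaim": {"claimName": "zts-claim1"}}]),
    _pod("batch-job-1",
         [{"name": "scratch", "persistentVolumeClaim": {"claimName": "scratch-claim"}},
          {"name": "tmp", "emptyDir": {}}]),
    _pod("legacy-app",
         [{"name": "data", "persistentVolumeClaim": {"claimName": "legacy-claim"}}]),
]
SAMPLE_ITEMS = SAMPLE_PVCS + SAMPLE_PODS

if __name__ == "__main__":
    # Pipe `oc get pvc,pods -n zts-xcrypt -o json` in to audit a live namespace;
    # without piped input the constructed sample is audited.
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    pvcs, pods = split_by_kind(items)
    print(json.dumps({"unencrypted_pvcs": unencrypted_pvcs(pvcs),
                      "pods": pod_volume_report(pods, pvcs)}, indent=2))
```

Treating a claim with no storageClassName as unencrypted is deliberate: whether it ends up on an XCrypt volume depends entirely on which class the cluster marks as default, and that is not something an application manifest can see.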

The complete example for this test is available in the mahesh-zetta/rhacm-demo repository.

[Image: mariadb application in the console using the XCrypt-protected volume claim]

Accessing Zettaset XCrypt Centralized Management Console

The Zettaset XCrypt Centralized Management Console allows you to manage and monitor data protection in all your OpenShift clusters. By using the Zettaset XCrypt Centralized Management Console, you can also selectively revoke data protection keys for persistent volumes. This allows for a granular and targeted response to an attack, as well as for secure decommissioning of individual persistent volumes or entire worker nodes.

The following diagram shows the control flow when you make a key revocation request from the Zettaset XCrypt Centralized Management Console:

[Image: key revocation workflow]

Once the RHACM application for the XCrypt Centralized Management Console is deployed, you can access the Zettaset XCrypt Centralized Management Console by clicking the Launch Route URL link in the zts-cmc application. There you can manage the data protection key used to encrypt the mariadb persistent volume.

In addition to managing data protection keys, the Zettaset XCrypt Centralized Management Console continuously monitors data protection key activity and can alert you to any out-of-policy events. With its flexible policy definition, you can create policies that detect unauthorized and malicious activity in your OpenShift clusters. You can view policy violations in the Zettaset XCrypt Centralized Management Console or from the command line.

[Image: Zettaset XCrypt Centralized Management Console]

Conclusion

With the increased adoption of microservices architecture in the public cloud and at the edge, a granular approach to data protection is one of the best ways to enhance the security of sensitive information. As modern applications are implemented and deployed in Red Hat OpenShift, the Zettaset XCrypt product suite provides granular, scalable, and transparent data protection for any storage system and enables continuous monitoring of data protection key activity. This creates an environment that not only provides the level of performance and velocity modern enterprises require, but also better resilience to breaches, with faster detection and less intrusive response and recovery.