This is a fork of the Azure CSI driver with added encryption features for Constellation.
This driver allows a Constellation cluster to use Azure Disk volumes. CSI plugin name: azuredisk.csi.confidential.cloud
Please refer to azuredisk.csi.confidential.cloud driver parameters.
Use helm to deploy the driver to your cluster:

```shell
helm install azuredisk-csi-driver charts/edgeless/ --namespace kube-system
```

See helm configuration for a detailed list of configuration options.
Remove the driver using helm:

```shell
helm uninstall azuredisk-csi-driver -n kube-system
```
- Topology (Availability Zone)
- Snapshot
- Volume Cloning
- Volume Expansion
- Raw Block Volume
- Volume Limits
- fsGroupPolicy
- Workload identity
- Advanced disk performance tuning (Preview)
- Transparent disk encryption at node level
- Disk integrity protection
By default the CSI driver will transparently encrypt all disks staged on the node. Optionally, you can configure the driver to also apply integrity protection.
Please note that enabling integrity protection requires wiping the disk before use. Disk wipe speeds are largely dependent on IOPS and the performance tier of the disk. If you intend to provision large amounts of storage and Pod creation speed is important, we recommend requesting high-performance disks.
To enable integrity protection, create a storage class with an explicit file system type request and add the suffix -integrity.
The following is a storage class for integrity protected ext4 formatted disks:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: integrity-protected
provisioner: azuredisk.csi.confidential.cloud
parameters:
  skuName: StandardSSD_LRS
  csi.storage.k8s.io/fstype: ext4-integrity
reclaimPolicy: Delete
volumeBindingMode: Immediate
```
Please note that volume expansion is not supported for integrity-protected disks.
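A pre-deployment check for the storage class rules above, as an added example that is not part of this driver's code. It assumes a cluster policy that requires integrity protection and reads StorageClass manifests in JSON form; `auditStorageClass` is a hypothetical helper and the sample manifests are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const provisioner = "azuredisk.csi.confidential.cloud" // plugin name from this README
const integritySuffix = "-integrity"

// storageClass holds only the StorageClass fields this check reads.
type storageClass struct {
	Metadata             struct{ Name string `json:"name"` } `json:"metadata"`
	Provisioner          string                              `json:"provisioner"`
	Parameters           map[string]string                   `json:"parameters"`
	AllowVolumeExpansion bool                                `json:"allowVolumeExpansion"`
}

// auditStorageClass (hypothetical helper) returns one finding, or "" if the class passes.
func auditStorageClass(raw []byte) (string, error) {
	var sc storageClass
	if err := json.Unmarshal(raw, &sc); err != nil {
		return "", err
	}
	switch fsType := sc.Parameters["csi.storage.k8s.io/fstype"]; {
	case sc.Provisioner != provisioner: // other drivers are out of scope
		return "", nil
	case !strings.HasSuffix(fsType, integritySuffix): // also covers a missing fstype
		return sc.Metadata.Name + ": encrypted only, no integrity protection requested", nil
	case fsType == integritySuffix:
		return sc.Metadata.Name + ": -integrity suffix without an explicit file system type", nil
	case sc.AllowVolumeExpansion:
		return sc.Metadata.Name + ": allowVolumeExpansion is set, but integrity-protected disks cannot be expanded", nil
	}
	return "", nil
}

// Constructed sample manifests, trimmed to the fields the check reads.
var samples = []string{
	`{"metadata":{"name":"integrity-protected"},"provisioner":"azuredisk.csi.confidential.cloud","parameters":{"skuName":"StandardSSD_LRS","csi.storage.k8s.io/fstype":"ext4-integrity"}}`,
	`{"metadata":{"name":"expandable"},"provisioner":"azuredisk.csi.confidential.cloud","parameters":{"csi.storage.k8s.io/fstype":"ext4-integrity"},"allowVolumeExpansion":true}`,
}

func main() {
	for _, s := range samples {
		fmt.Println(auditStorageClass([]byte(s)))
	}
}
```

The first sample is the storage class from this README and passes; the second is flagged because it combines integrity protection with volume expansion.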
- Please refer to Azure Disk CSI Driver Limitations
- Please refer to development guide
To build the driver container image:

```shell
driver_version=v0.0.0-test
make REGISTRY=ghcr.io/edgelesssys IMAGE_NAME=constellation/azure-csi-driver IMAGE_VERSION=${driver_version} container
docker push ghcr.io/edgelesssys/constellation/azure-csi-driver:${driver_version}
```
This project is licensed under the AGPLv3. It's based on code licensed under the Apache 2.0 license.