    • OCPSTRAT-10 Install and update OpenShift on Infrastructure Providers

      Feature Overview

      • This feature tracks the productization of VMware VM encryption (VMcrypt) in OCP.
      • VM encryption allows OCP VMs deployed on top of vSphere to be encrypted with keys managed by a KMS.
      • An additional benefit of this feature is the ability to encrypt OCP PVs provisioned through the vSphere CSI driver.
      • This feature is important to customers that are under strict security regulations: it allows traffic between the hypervisor and the storage backend to be encrypted.
      • Official VMware documentation

      Goals

      • Support deploying OCP on top of vSphere as encrypted VMs
      • Support provisioning encrypted PVs through a dedicated custom storage class that references the encryption storage policy
      • Support vSphere 7.0.2 and later only (no 6.7, which is now deprecated)
      • UPI only, as the installer does not support setting a custom storage policy
        • IPI support would require a separate RFE.
      • Define support coverage / limitations / known issues, if any
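      The storage class named in the goals above, as an added example that is not part of this ticket or of the product documentation. It assumes the vSphere admin has already created a VM storage policy with the VM encryption I/O filter and that the policy is named "ocp-encrypted"; the class and claim names are likewise assumptions. The provisioner name and the storagepolicyname parameter are the ones the vSphere CSI driver recognizes.

```yaml
# Added example: StorageClass that binds PVs to an encryption-enabled vSphere
# storage policy, plus a PVC that consumes it.
# Assumptions: policy "ocp-encrypted" exists in vCenter; names are illustrative.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: vsphere-encrypted
provisioner: csi.vsphere.vmware.com
parameters:
  # Name of the vCenter VM storage policy carrying the VM encryption rule.
  # Every PV created by this class inherits the policy, and therefore encryption.
  storagepolicyname: "ocp-encrypted"
  csi.storage.k8s.io/fstype: ext4
reclaimPolicy: Delete
# Delay binding until a pod is scheduled so the disk is created on a datastore
# reachable from the node that will attach it.
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data-encrypted
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: vsphere-encrypted
  resources:
    requests:
      storage: 20Gi
```

      Because vSphere only attaches an encrypted disk to a VM that is itself encrypted, this class is only usable on nodes that were pre-created with the same (or another encryption-enabled) storage policy, which is why the UPI assumption below matters. After the pod starts, `oc get pv` on the bound volume should show the class above, and the backing VMDK in vCenter should list the encryption policy as compliant; a PVC that stays Pending with a policy-not-found or attach error usually means the policy name here does not match vCenter or the node VM is not encrypted.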

      Requirements

       

      Requirement                                                    | Notes                                               | isMvp?
      CI SPLAT - MUST be running successfully with test automation   | Regression tests with VM encryption                 | YES
      CI STOR - MUST be running successfully with test automation    | CSI regression tests with encrypted storage class   | YES

      (Optional) Use Cases

      • As an OCP admin / security admin, I want to deploy OCP on top of vSphere as encrypted VMs in order to comply with my corporate security policies.
      • As an OCP admin, I want OCP user-provisioned persistent storage (PVs) to be encrypted in order to comply with my corporate security policies.

      Questions to answer…

      • Understand support coverage and limitations from VMware, for example which KMS products are supported.

      Out of Scope

      • vSphere 6.x
      • IPI
      • Development: the feature is already implemented on the vSphere side

      Background, and strategic fit

      This feature is strategic for all customers that are under strict security regulations where all traffic needs to be encrypted. It enables encryption for both the VMs and user-provisioned storage (PVs).

      Assumptions

      • UPI
      • The vSphere admin pre-configures the KMS
      • The vSphere admin pre-configures vSphere (key provider and encryption storage policy)
      • The vSphere admin pre-creates the VMs with the right storage policy
      • The OCP admin creates the encrypted storage class

      Documentation Considerations

      Questions to be addressed:

      • Need to document the feature and its limitations as well as any specific requirements (KMS, vSphere version, UPI, etc.).
      • Configuration of the vSphere prerequisites is not in the scope of the feature, although we should mention them and redirect customers to the vSphere documentation.

            People: Ramon Acedo, Gregory Charot, Hemant Kumar, Ju Lim, Shang Gao, Stephanie Stout, Senthamilarasu S