Issue Type: Feature
Resolution: Done
Priority: Major
Strategic Product Work
Parent: OCPSTRAT-10 Install and update OpenShift on Infrastructure Providers
Progress: 0% To Do, 0% In Progress, 100% Done
Feature Overview
- This feature tracks the productization of VMware VMcrypt in OCP.
- The VMcrypt feature allows OCP VMs deployed on top of vSphere to be encrypted with keys managed by a KMS.
- An additional benefit of this feature is the ability to encrypt OCP PVs provisioned through the vSphere CSI driver.
- This feature is important to customers that are under strict security regulations. It allows traffic between the hypervisor and the storage backend to be encrypted.
- Official VMware documentation
Goals
- Support deploying OCP on top of vSphere as encrypted VMs
- Support provisioning encrypted PVs through a special custom storage class that references the storage policy
- Support for vSphere 7.0.2 and later only (no 6.7, as it is now deprecated)
- UPI only, as the installer does not support setting a custom storage policy
- IPI support would require a separate RFE.
- Define support coverage / limitations / known issues, if any
Requirements
| Requirement | Notes | isMvp? |
|---|---|---|
| CI SPLAT - MUST be running successfully with test automation | Regression tests with VM encryption | YES |
| CI STOR - MUST be running successfully with test automation | CSI regression tests with encrypted storage class | YES |
(Optional) Use Cases
- As an OCP admin / security admin I want to deploy OCP on top of vSphere encrypted VMs in order to comply with my corporate security policies.
- As an OCP admin I want OCP user provisioned persistent storage (PVs) to be encrypted in order to comply with my corporate security policies.
Questions to answer…
- Understand support coverage & limitations from VMware, for example which KMSs are supported.
Out of Scope
- vSphere 6.x
- IPI
- Development, the feature is already implemented
Background, and strategic fit
This feature is strategic for all customers that are under strict security regulations where all traffic needs to be encrypted. It makes it possible to enable encryption for both the VMs and user-provisioned storage (PVs).
Assumptions
- UPI
- vSphere admin pre-configures the KMS
- vSphere admin pre-configures vSphere
- vSphere admin pre-creates VMs with the right storage policy
- OCP admin creates the encrypted storage class
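As an added example (not part of this ticket), this is what the custom storage class named in the goals and created by the OCP admin in the assumptions above could look like: a vSphere CSI StorageClass whose `StoragePolicyName` parameter points at a pre-created, encryption-enabled vSphere storage policy, followed by a PVC that requests a volume from it. The class, claim and policy names are placeholders; `StoragePolicyName` is the vSphere CSI driver's own parameter for selecting a storage policy.

```yaml
# Added example, not from the ticket: StorageClass for the vSphere CSI driver
# that references a vSphere storage policy carrying the VM encryption rule.
# The vSphere admin configures the KMS and the policy beforehand (ticket
# assumption); the OCP admin only publishes this class.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: thin-csi-encrypted            # placeholder name
provisioner: csi.vsphere.vmware.com   # vSphere CSI driver provisioner
parameters:
  # Placeholder: the name of the encryption-enabled storage policy in vCenter.
  StoragePolicyName: "<encryption-storage-policy>"
allowVolumeExpansion: true
# Bind at scheduling time so the volume lands on a datastore that the node
# can reach and that satisfies the policy.
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Delete
---
# A claim that asks for an encrypted volume by naming the class above.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: encrypted-data                # placeholder name
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: thin-csi-encrypted
  resources:
    requests:
      storage: 10Gi
```

The volume is only encrypted if the referenced policy actually contains the encryption rule; the class itself carries no encryption setting, so verify the policy in vCenter before publishing the class.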
Documentation Considerations
Questions to be addressed:
- Need to document the feature and its limitations, as well as any specific requirements (KMS, vSphere version, UPI, etc.).
- Configuration of vSphere prerequisites is not in the scope of the feature, although we should mention them and redirect customers to the vSphere documentation.
Is blocked by: CORS-2339 OpenShift using encrypted vSphere VMs (UPI) (Closed)