Add PV support for Azure Disk Encryption #57070

Closed
andyzhangx opened this issue Dec 12, 2017 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@andyzhangx
Member

andyzhangx commented Dec 12, 2017

Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature

Feature Description:

  1. The Azure Disk Encryption feature is only for managed disks.
  2. Add parameters to the azure-disk storage class when kind is Managed:
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: managed-standard
provisioner: kubernetes.io/azure-disk
parameters:
  skuname: Standard_LRS
  kind: Managed
  secretVault: "/subscriptions/my-sub/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-kv"
  secretURL: "https://KEYVAULT-NAME.vault.azure.net/secrets/SECRET-NAME/SECRET-VERSION"
  kekVault: "/subscriptions/my-sub/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-kv"
  kekURL: "https://KEYVAULT-NAME.vault.azure.net/keys/KEK-NAME/KEK-VERSION"

Note:

  1. Azure Disk Encryption requires that your key vault and VMs reside in the same Azure region and subscription.
  2. kekVault and kekURL are optional; they are used for key encryption (wrapping the disk encryption secret with a KEK).
  3. If kekURL is provided and kekVault is empty, then kekVault will be the same key vault as secretVault.

@jdumars @khenidak

Anything else we need to know?:
Azure/acs-engine#747

Environment:

  • Kubernetes version (use kubectl version): v1.10
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
  • Kernel (e.g. uname -a):
  • Install tools:
  • Others:

/sig azure
/assign

@k8s-ci-robot k8s-ci-robot added kind/feature and sig/azure labels Dec 12, 2017
@andyzhangx andyzhangx changed the title Add support for Azure Disk Encryption Add PV support for Azure Disk Encryption Dec 14, 2017
@andyzhangx
Member Author

andyzhangx commented Dec 28, 2017

@jdumars @khenidak After my investigation, I don't think there is k8s upstream work for this feature.
If you have already enabled Azure Disk Encryption on the VM, an attached empty disk will be encrypted using the same key vault by default; here are the detailed steps:
https://github.com/andyzhangx/Demo/blob/master/windows/azuredisk/disk-encryption
There should be work in acs-engine to create a k8s cluster with azure disk encryption enabled in the beginning.
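The issue body above proposes secretVault/secretURL/kekVault/kekURL parameters on the StorageClass, and the comment above points out that in practice ADE is switched on per node VM and attached disks inherit it. The script below is an added example, not kubernetes, acs-engine or AKS code: it applies the three rules from the proposal's notes (managed disks only, kekVault/kekURL optional, kekVault defaulting to secretVault when only kekURL is given) to the parameters, checks that each vault URL actually points into the vault whose resource ID was given, and emits one `az vm encryption enable` call per node VM, refusing VMs outside the vault's subscription. The vault and VM resource IDs, secret and key names, versions and node names are all constructed here; the `az vm encryption enable` flags used (`--disk-encryption-keyvault`, `--key-encryption-keyvault`, `--key-encryption-key`, `--volume-type`) are real CLI options, but the BEK is generated by the ADE extension and written into `--disk-encryption-keyvault`, so secretURL is validated and not passed on the command line.

```python
"""Validate the Azure Disk Encryption parameters proposed for the azure-disk
StorageClass and turn them into `az vm encryption enable` calls for node VMs.
Added example; not kubernetes, acs-engine or AKS code."""
import re
import shlex
from urllib.parse import urlparse

# Generic ARM resource ID:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
ARM_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$", re.IGNORECASE)


def parse_arm_id(resource_id, ns, rtype):
    """Split an ARM resource ID and require the given provider namespace/type."""
    m = ARM_ID_RE.match(resource_id)
    if not m or m["ns"].lower() != ns.lower() or m["type"].lower() != rtype.lower():
        raise ValueError("expected a %s/%s resource ID, got %r" % (ns, rtype, resource_id))
    return m.groupdict()


def parse_vault_url(url, kind):
    """Require https://<vault>.vault.azure.net/<kind>/<name>/<version> (a versioned
    Key Vault object URL) and return (vault_name, object_name, version)."""
    u = urlparse(url)
    host = u.netloc.lower()
    parts = u.path.strip("/").split("/")
    if (u.scheme != "https" or not host.endswith(".vault.azure.net")
            or len(parts) != 3 or parts[0] != kind or not all(parts)):
        raise ValueError("expected https://<vault>.vault.azure.net/%s/<name>/<version>, got %r"
                         % (kind, url))
    return host.split(".")[0], parts[1], parts[2]


def resolve_ade_params(params):
    """Rules from the proposal: kind must be Managed; secretURL must point into
    secretVault; kekVault/kekURL are optional; kekVault defaults to secretVault
    when only kekURL is given; both vaults must be in one subscription."""
    if params.get("kind") != "Managed":
        raise ValueError("Azure Disk Encryption only applies to managed disks (kind: Managed)")
    secret_vault = parse_arm_id(params["secretVault"], "Microsoft.KeyVault", "vaults")
    vault_in_url, _, _ = parse_vault_url(params["secretURL"], "secrets")
    if vault_in_url != secret_vault["name"].lower():
        raise ValueError("secretURL does not point into secretVault")
    resolved = {"secretVault": params["secretVault"], "secretURL": params["secretURL"],
                "kekVault": None, "kekURL": None}
    kek_url = params.get("kekURL")
    if not kek_url:
        if params.get("kekVault"):
            raise ValueError("kekVault given without kekURL")
        return resolved
    kek_vault_id = params.get("kekVault") or params["secretVault"]  # note 3 of the proposal
    kek_vault = parse_arm_id(kek_vault_id, "Microsoft.KeyVault", "vaults")
    if kek_vault["sub"].lower() != secret_vault["sub"].lower():
        raise ValueError("kekVault and secretVault must be in the same subscription")
    vault_in_url, _, _ = parse_vault_url(kek_url, "keys")
    if vault_in_url != kek_vault["name"].lower():
        raise ValueError("kekURL does not point into kekVault")
    resolved.update(kekVault=kek_vault_id, kekURL=kek_url)
    return resolved


def build_enable_commands(resolved, vm_ids, volume_type="DATA"):
    """One `az vm encryption enable` argv per node VM. The BEK is generated by
    the ADE extension and stored in --disk-encryption-keyvault, so secretURL is
    not passed; the KEK is passed by its versioned URL. VMs outside the vault's
    subscription are rejected (ADE needs vault and VM in one subscription)."""
    vault_sub = parse_arm_id(resolved["secretVault"], "Microsoft.KeyVault", "vaults")["sub"]
    cmds = []
    for vm_id in vm_ids:
        vm = parse_arm_id(vm_id, "Microsoft.Compute", "virtualMachines")
        if vm["sub"].lower() != vault_sub.lower():
            raise ValueError("VM %s is not in the key vault's subscription" % vm["name"])
        argv = ["az", "vm", "encryption", "enable", "--resource-group", vm["rg"], "--name", vm["name"],
                "--disk-encryption-keyvault", resolved["secretVault"], "--volume-type", volume_type]
        if resolved["kekURL"]:
            argv += ["--key-encryption-keyvault", resolved["kekVault"],
                     "--key-encryption-key", resolved["kekURL"]]
        cmds.append(argv)
    return cmds


# Constructed sample: the proposed StorageClass parameters with concrete values
# (my-sub/my-rg/my-kv as in the proposal; secret/key names and versions made up)
# and two hypothetical agent-node VM resource IDs.
SAMPLE_PARAMS = {
    "skuname": "Standard_LRS",
    "kind": "Managed",
    "secretVault": "/subscriptions/my-sub/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-kv",
    "secretURL": "https://my-kv.vault.azure.net/secrets/bek/0123456789abcdef",
    "kekURL": "https://my-kv.vault.azure.net/keys/my-kek/fedcba9876543210",
}
NODE_VMS = [
    "/subscriptions/my-sub/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/k8s-agent-0",
    "/subscriptions/my-sub/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/k8s-agent-1",
]

if __name__ == "__main__":
    for argv in build_enable_commands(resolve_ade_params(SAMPLE_PARAMS), NODE_VMS):
        print(" ".join(shlex.quote(a) for a in argv))
```

`--volume-type DATA` is the default here because the thread is about attached data disks (the PVs); OS-disk encryption on Linux has its own prerequisites. The same-region requirement from note 1 cannot be checked offline from resource IDs alone, so only the subscription half is enforced; confirm the region before running the generated commands, and try them on a test cluster first given the stability caveat raised later in this thread.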

@prashantchari

@andyzhangx Andy, Do you happen to have a timeline for this feature ? Would it be available for GA ?

@andyzhangx
Member Author

@prashantchari there is no upstream work for this feature.
Pasting info from
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#managed-disks-and-encryption

Managed Disks and Encryption
There are two kinds of encryption to discuss in reference to managed disks. The first one is Storage Service Encryption (SSE), which is performed by the storage service. The second one is Azure Disk Encryption, which you can enable on the OS and data disks for your VMs.
Storage Service Encryption (SSE)

Azure Storage Service Encryption provides encryption-at-rest and safeguards your data to meet your organizational security and compliance commitments. SSE is enabled by default for all Managed Disks, Snapshots and Images in all the regions where managed disks are available. Starting June 10th, 2017, all new managed disks/snapshots/images and new data written to existing managed disks are automatically encrypted-at-rest with keys managed by Microsoft. Visit the Managed Disks FAQ page for more details.
Azure Disk Encryption (ADE)

Azure Disk Encryption allows you to encrypt the OS and Data disks used by an IaaS Virtual Machine. This includes managed disks. For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. This is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys. For more information, please see Azure Disk Encryption for Windows and Linux IaaS VMs.

Let me know if you have any question, I will close this issue if there is no concern.

@prashantchari

Hey @andyzhangx , For my scenario, I'm using https://docs.microsoft.com/en-us/azure/aks/azure-disks-dynamic-pv in combination with stateful sets to store user data on external disks. Can you elaborate on how I can enable azure disk encryption on those disks using custom keys from my key vault ?

I saw your example, but that requires me to setup encryption using the az commands on the VMs in the resource group - is that the recommended approach ?

@andyzhangx
Member Author

andyzhangx commented Mar 16, 2018

@prashantchari I see your scenario is "Azure Disk Encryption", here is the detailed doc:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption#disk-encryption-deployment-scenarios-and-user-experiences

However, according to my user experience on an Ubuntu VM, the encryption process sometimes fails; it's not stable. You may want to try it in a testing environment first.

Anyway, it's not related to k8s upstream work.

@andyzhangx
Member Author

Closing this issue since there is no work in k8s upstream.
