Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service (AKS)

Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Azure-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption at rest for both the OS and data disks of your AKS clusters. Learn more about customer-managed keys on Linux and Windows.

Limitations

  • Data disk encryption support is limited to AKS clusters running Kubernetes version 1.17 and above.
  • Encryption of OS and data disks with customer-managed keys can only be enabled when creating an AKS cluster.

Prerequisites

  • You must enable soft delete and purge protection for Azure Key Vault when using Key Vault to encrypt managed disks.
  • You need the Azure CLI version 2.11.1 or later.

Create an Azure Key Vault instance

Use an Azure Key Vault instance to store your keys. You can optionally use the Azure portal to configure customer-managed keys with Azure Key Vault.

Create a new resource group, then create a new Key Vault instance and enable soft delete and purge protection. Ensure you use the same region and resource group names for each command.

# Optionally retrieve Azure region short names for use on upcoming commands
az account list-locations
# Create new resource group in a supported Azure region
az group create -l myAzureRegionName -n myResourceGroup

# Create an Azure Key Vault resource in a supported Azure region
az keyvault create -n myKeyVaultName -g myResourceGroup -l myAzureRegionName --enable-purge-protection true --enable-soft-delete true

Create an instance of a DiskEncryptionSet

Replace myKeyVaultName with the name of your key vault. You will also need a key stored in Azure Key Vault to complete the following steps. Either store your existing key in the Key Vault you created in the previous steps, or generate a new key and replace myKeyName below with the name of your key.

# Retrieve the Key Vault Id and store it in a variable
keyVaultId=$(az keyvault show --name myKeyVaultName --query "[id]" -o tsv)

# Retrieve the Key Vault key URL and store it in a variable
keyVaultKeyUrl=$(az keyvault key show --vault-name myKeyVaultName --name myKeyName --query "[key.kid]" -o tsv)

# Create a DiskEncryptionSet
az disk-encryption-set create -n myDiskEncryptionSetName -l myAzureRegionName -g myResourceGroup --source-vault $keyVaultId --key-url $keyVaultKeyUrl

Grant the DiskEncryptionSet access to key vault

Use the DiskEncryptionSet and resource group you created in the prior steps, and grant the DiskEncryptionSet resource access to the Azure Key Vault.

# Retrieve the DiskEncryptionSet value and set a variable
desIdentity=$(az disk-encryption-set show -n myDiskEncryptionSetName -g myResourceGroup --query "[identity.principalId]" -o tsv)

# Update security policy settings
az keyvault set-policy -n myKeyVaultName -g myResourceGroup --object-id $desIdentity --key-permissions wrapkey unwrapkey get

Create a new AKS cluster and encrypt the OS disk

Create a new resource group and AKS cluster, then use your key to encrypt the OS disk. Customer-managed keys are only supported in Kubernetes versions greater than 1.17.

Important

Ensure you create a new resource group for your AKS cluster.

# Retrieve the DiskEncryptionSet value and set a variable
diskEncryptionSetId=$(az disk-encryption-set show -n myDiskEncryptionSetName -g myResourceGroup --query "[id]" -o tsv)

# Create a resource group for the AKS cluster
az group create -n myResourceGroup -l myAzureRegionName

# Create the AKS cluster
az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id $diskEncryptionSetId --kubernetes-version KUBERNETES_VERSION --generate-ssh-keys

When new node pools are added to the cluster created above, the customer-managed key provided during creation is used to encrypt the OS disk.

Encrypt your AKS cluster data disk (optional)

From v1.17.2, the OS disk encryption key is used to encrypt data disks if no key is provided for the data disk; you can also encrypt AKS data disks with other keys of your own.

Important

Ensure you have the proper AKS credentials. The service principal needs contributor access to the resource group where the DiskEncryptionSet is deployed. Otherwise, you will get an error stating that the service principal does not have permissions.

# Retrieve your Azure Subscription Id from id property as shown below
az account list
someuser@Azure:~$ az account list
[
  {
    "cloudName": "AzureChinaCloud",
    "id": "666e66d8-1e43-4136-be25-f25bb5de5893",
    "isDefault": true,
    "name": "MyAzureSubscription",
    "state": "Enabled",
    "tenantId": "3ebbdf90-2069-4529-a1ab-7bdcb24df7cd",
    "user": {
      "cloudShellID": true,
      "name": "someuser@azure.com",
      "type": "user"
    }
  }
]

Create a file called byok-azure-disk.yaml that contains the following information. Replace myAzureSubscriptionId, myResourceGroup, and myDiskEncryptionSetName with your values, and apply the YAML. Make sure to use the resource group where your DiskEncryptionSet is deployed.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: hdd
provisioner: kubernetes.io/azure-disk
parameters:
  skuname: Standard_LRS
  kind: managed
  diskEncryptionSetID: "/subscriptions/{myAzureSubscriptionId}/resourceGroups/{myResourceGroup}/providers/Microsoft.Compute/diskEncryptionSets/{myDiskEncryptionSetName}"

Next, run this deployment in your AKS cluster:

# Get credentials
az aks get-credentials --name myAKSCluster --resource-group myResourceGroup --output table

# Update cluster
kubectl apply -f byok-azure-disk.yaml
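As an added example (not part of the Azure documentation), a small post-deployment audit in Python: it checks that the Key Vault still has soft delete and purge protection enabled and grants the DiskEncryptionSet identity the wrapKey/unwrapKey/get permissions set above, and that a disk provisioned through the StorageClass is really encrypted with a customer-managed key from the expected DiskEncryptionSet. In practice the JSON would come from `az keyvault show` and `az disk show`; here constructed samples with placeholder subscription and principal IDs are embedded so the checks run offline.

```python
import json

# Constructed sample of `az keyvault show -n myKeyVaultName -o json` (only the fields the checks read).
SAMPLE_KEYVAULT = json.loads("""{
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "accessPolicies": [{"objectId": "11111111-1111-1111-1111-111111111111",
                        "permissions": {"keys": ["wrapKey", "unwrapKey", "get"]}}]
  }
}""")

# Constructed sample of `az disk show` for a disk provisioned through the "hdd" StorageClass ("SUB" is a placeholder).
SAMPLE_DISK = json.loads("""{
  "name": "pvc-aaaa-bbbb",
  "encryption": {
    "type": "EncryptionAtRestWithCustomerKey",
    "diskEncryptionSetId": "/subscriptions/SUB/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/mydiskencryptionsetname"
  }
}""")

EXPECTED_DES_ID = ("/subscriptions/SUB/resourceGroups/myResourceGroup/providers/"
                   "Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSetName")
REQUIRED_KEY_PERMS = {"wrapkey", "unwrapkey", "get"}  # what the article grants via set-policy

def keyvault_issues(vault, des_principal_id):
    """Return findings for the vault; an empty list means the prerequisites are met."""
    props = vault.get("properties", {})
    issues = []
    if not props.get("enableSoftDelete"):
        issues.append("soft delete disabled")
    if not props.get("enablePurgeProtection"):
        issues.append("purge protection disabled")
    # The CLI accepts lowercase permission names but the API echoes camelCase; compare case-folded.
    granted = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() == des_principal_id.lower():
            granted |= {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
    missing = sorted(REQUIRED_KEY_PERMS - granted)
    if missing:
        issues.append("DiskEncryptionSet identity lacks key permissions: " + ", ".join(missing))
    return issues

def disk_uses_des(disk, expected_des_id):
    """True only if the disk is encrypted with a customer-managed key from the expected set.
    ARM resource IDs are case-insensitive, so the comparison is case-folded."""
    enc = disk.get("encryption", {})
    return (enc.get("type") == "EncryptionAtRestWithCustomerKey"
            and enc.get("diskEncryptionSetId", "").lower() == expected_des_id.lower())
```

Run it against every disk backing a PersistentVolume in the cluster to confirm no volume fell back to platform-managed keys.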

Next steps

Review best practices for AKS cluster security