Managing Kubernetes Storage Groups
On the Enrollment Configuration page of the CipherTrust Manager GUI, use the Persistent Volume tab to create, view, edit, or delete Kubernetes (K8s) storage groups.
Note
The terms storage group, CSI storage group, Kubernetes storage group, and K8s storage group refer to the same resource and can be used interchangeably.
Creating Kubernetes Storage Groups
Note
All the K8s clients that you want to attach to a storage group must have the same K8s Namespace and K8s StorageClass.
To create a storage group:
- Open the Transparent Encryption application.
- In the left pane, select Kubernetes (K8s) > Enrollment Configuration. The Persistent Volume tab of the Enrollment Configuration page appears.
- Click Create K8s Storage Group. The General Info tab of the Create K8s Storage Group wizard appears.
- Specify a unique Name for the group.
- Enter the K8s Namespace.
- Enter the K8s StorageClass.
- (Optional) Provide a Description for the storage group.
- Click Next. The Review screen is displayed.
- Review the provided details. The Review screen displays general information about the storage group you specified. If the details are incorrect or you want to modify them, click Back and update the details.
- Click Save.
The newly created storage group appears in the K8s Storage Groups list.
You can change the client profile linked to the storage group later. Refer to Changing the Client Profile for details.
Viewing Details of Kubernetes Storage Groups
To view the details of K8s storage groups:
- Open the Transparent Encryption application.
- In the left pane, select Kubernetes (K8s) > Enrollment Configuration. A list of K8s storage groups appears, showing the following details:
The Persistent Volume tab of the Enrollment Configuration page also provides options to view the client profile and K8s clients linked to the storage groups. To view these details, select the expand icon next to the desired storage group.
The K8s clients attached to a storage group are also visible on the Membership tab of the storage group. Refer to Viewing Attached K8s Clients for details.
Changing the Client Profile
To change the linked client profile:
- Open the Transparent Encryption application.
- In the left pane, select Kubernetes (K8s) > Enrollment Configuration.
- Click the expand icon corresponding to the desired storage group. Alternatively, click the Name link corresponding to the desired storage group.
- Next to Client Profile, click the profile link (for example, DefaultClientProfile). The Select Profile dialog box shows the current client profile and Rekey Option, Rekey Rate, and Schedule of the selected profile.
- From the Profile drop-down list, select the desired profile.
- Click OK. The selected profile is linked successfully.
Updating Description of a Kubernetes Storage Group
To add or edit the description of a K8s storage group:
- Open the Transparent Encryption application.
- In the left pane, select Kubernetes (K8s) > Enrollment Configuration. A list of K8s storage groups appears.
- Click the overflow icon corresponding to the desired K8s storage group.
- Click Edit.
- Add or update the Description field.
- Click Update.
The storage group description is updated.
Viewing GuardPolicies Applied to a Storage Group
To view GuardPolicies applied to a storage group:
- Open the Transparent Encryption application.
- In the left pane, select Kubernetes (K8s) > Enrollment Configuration. A list of K8s storage groups appears.
- Under Name, click the desired storage group. The GuardPolicies tab shows the following details:

| Column | Description |
|---|---|
| Policy Name | Name of the applied policy. |
| Type | Type of the GuardPolicy - csi_manual. |
| Enabled | Whether the GuardPolicy is enabled - Yes or No. |

To remove/disable a GuardPolicy, click the overflow icon corresponding to the GuardPolicy and click Remove/Disable.
Note
If a GuardPolicy is active on a K8s client, the policy cannot be removed or disabled from the storage group associated with that client.
Viewing Attached Kubernetes Clients
The Membership tab of a storage group displays the attached K8s clients.
To view the K8s clients attached to a storage group:
- Open the Transparent Encryption application.
- In the left pane, select Kubernetes (K8s) > Enrollment Configuration. A list of K8s storage groups appears.
- Under Name, click the desired storage group.
- Click the Membership tab. The tab displays the K8s clients attached to the storage group. The following details are displayed:

| Column | Description |
|---|---|
| Status | Health status of the K8s client. |
| Name | Name of the K8s client. The name is a combination of: the node on which the K8s client is running, the linked StorageClass, the namespace where the K8s client pod runs, and a random string. |
| Type | Persistent Volume will be the client type. |
| Description | Description of the K8s client. |
Deleting a Kubernetes Storage Group
A storage group can only be deleted if no K8s clients are attached to it. As K8s clients are automatically attached to a storage group, they cannot be detached explicitly. K8s clients are detached from the linked storage groups only when the clients crash.
When a storage group is deleted, any attached GuardPolicies are removed automatically.
To delete a K8s storage group:
- Open the Transparent Encryption application.
- In the left pane, select Kubernetes (K8s) > Enrollment Configuration. A list of K8s storage groups appears.
- Click the overflow icon corresponding to the K8s storage group you want to delete.
- Click Delete. A dialog box appears prompting you to confirm the action.
- Click Delete.
The K8s storage group is deleted.