Securing Persistent Storage
Stateful applications in orchestrated environments need persistent storage with appropriate security controls. Storage drivers may not encrypt data by default, so encryption has to be configured explicitly. Access controls must prevent unauthorized volume access, and backup procedures need security consideration of their own. Multi-tenancy adds isolation requirements between different teams' storage.
Volume security starts with encryption at rest: storage class configurations should enforce encryption for all persistent volumes. Access controls must restrict volume mounting to authorized pods, and storage quotas prevent resource exhaustion. Regular security scanning of persistent volumes identifies stored secrets or malware.
# Example: Secure StorageClass configuration
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: secure-ssd
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp3
  encrypted: "true"
  kmsKeyId: "arn:aws:kms:us-east-1:123456789:key/storage-key"
  fsType: ext4
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
mountOptions:
  - noatime
  - noexec
  - nosuid
---
# PodSecurityPolicy enforcing secure volume usage
# Note: the policy/v1beta1 PodSecurityPolicy API was removed in Kubernetes v1.25,
# so this manifest applies only to clusters older than that.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: secure-volumes
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # Only these volume types may be used; hostPath is not in the list
  volumes:
    - 'configMap'
    - 'downwardAPI'
    - 'emptyDir'
    - 'persistentVolumeClaim'
    - 'projected'
    - 'secret'
  allowedHostPaths: []
  allowedFlexVolumes: []
  allowedCSIDrivers:
    - name: ebs.csi.aws.com
    - name: efs.csi.aws.com
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
---
# Volume snapshot for secure backups
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: secure-snapshots
driver: ebs.csi.aws.com
deletionPolicy: Retain
parameters:
  encrypted: "true"
  kmsKeyId: "arn:aws:kms:us-east-1:123456789:key/snapshot-key"
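
A StorageClass like the one above only helps if every class in the cluster follows it and claims actually use a compliant class. The following audit is an added example, not part of the original page: it checks StorageClass and PersistentVolumeClaim objects in the shape `kubectl get ... -o json` returns. The function names, the sample objects and the choice of `noexec`/`nosuid` as required mount options (taken from the `secure-ssd` class) are assumptions.

```python
# Added example: audit StorageClasses for the encryption settings shown above.
# Required mount options mirror the page's secure-ssd class (an assumption).
REQUIRED_MOUNT_OPTS = {"noexec", "nosuid"}

def audit_storage_class(sc):
    """Return a list of findings for one StorageClass object (a dict)."""
    name = sc["metadata"]["name"]
    params = sc.get("parameters") or {}
    findings = []
    # StorageClass parameter values are strings, so compare against "true".
    if str(params.get("encrypted", "")).lower() != "true":
        findings.append(f'{name}: parameters.encrypted is not "true"')
    elif not params.get("kmsKeyId"):
        findings.append(f"{name}: encrypted but no kmsKeyId is set")
    missing = REQUIRED_MOUNT_OPTS - set(sc.get("mountOptions") or [])
    if missing:
        findings.append(f"{name}: missing mount options {sorted(missing)}")
    return findings

def audit(sc_list, pvc_list):
    """Audit every class, then flag claims that use a class with findings."""
    by_class = {sc["metadata"]["name"]: audit_storage_class(sc)
                for sc in sc_list["items"]}
    findings = [f for per_class in by_class.values() for f in per_class]
    for pvc in pvc_list["items"]:
        cls = pvc["spec"].get("storageClassName")
        ref = f'{pvc["metadata"]["namespace"]}/{pvc["metadata"]["name"]}'
        if cls not in by_class:
            findings.append(f"pvc {ref}: class {cls!r} unknown, cannot verify")
        elif by_class[cls]:
            findings.append(f"pvc {ref}: uses non-compliant class {cls}")
    return findings

# Constructed sample input, shaped like `kubectl get storageclass -o json`
# and `kubectl get pvc -A -o json`; the key ARN is a placeholder.
SC_LIST = {"items": [
    {"metadata": {"name": "secure-ssd"},
     "parameters": {"type": "gp3", "encrypted": "true",
                    "kmsKeyId": "arn:aws:kms:EXAMPLE-PLACEHOLDER"},
     "mountOptions": ["noatime", "noexec", "nosuid"]},
    {"metadata": {"name": "legacy-gp2"}, "parameters": {"type": "gp2"}},
]}
PVC_LIST = {"items": [
    {"metadata": {"namespace": "team-a", "name": "db-data"},
     "spec": {"storageClassName": "secure-ssd"}},
    {"metadata": {"namespace": "team-b", "name": "cache"},
     "spec": {"storageClassName": "legacy-gp2"}},
]}

if __name__ == "__main__":
    print("\n".join(audit(SC_LIST, PVC_LIST)))
```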