Persistent Volume encryption at rest and daily snapshots

This guide will give you an overview of how to set up encryption at rest for “Persistent Volumes (PVs)” and take daily snapshots to back up a PV.

Encrypting Persistent Volumes

To enable encryption at rest on a PV, set the storageClassName attribute of your PersistentVolumeClaim to gp2-expand. This Storage Class sets encrypted: "true" on the underlying EBS volume, so every volume it provisions is encrypted.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: myclaim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  # gp2-expand provisions an EBS volume with encrypted: "true".
  storageClassName: gp2-expand
  # Do not add a spec.selector here: a PVC with a non-empty selector is not
  # dynamically provisioned, so the claim would stay Pending instead of
  # getting a new encrypted volume.

In the PVC example above, the cluster dynamically provisions a Persistent Volume for the claim using the gp2-expand AWS EBS Storage Class, so the PV is encrypted with an AWS Key Management Service (KMS) key.
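Setting the storage class is the configuration side; a practitioner will also want to confirm that the volumes actually backing the cluster's PVs came out encrypted. The script below is an added example, not code from this guide or from the Cloud Platform team. It takes the JSON from `kubectl get pv -o json` and `aws ec2 describe-volumes` and reports any EBS-backed PV whose volume is missing or has Encrypted set to false. The PV names, claim names and volume ids in the sample data are constructed, and the helper `_pv` only exists to build those samples.

```python
"""Audit whether the EBS volumes behind a cluster's PersistentVolumes are encrypted.

Added example (not part of the Cloud Platform guide). Input is the JSON shape
of `kubectl get pv -o json` and `aws ec2 describe-volumes --output json`; the
sample documents at the bottom are constructed, not real cluster output.
"""
from typing import Optional


def ebs_volume_id(pv: dict) -> Optional[str]:
    """Return the EBS volume id backing a PV, or None if it is not EBS-backed.

    The in-tree AWS provisioner records "aws://<zone>/vol-..." under
    spec.awsElasticBlockStore.volumeID; the EBS CSI driver records the bare
    "vol-..." under spec.csi.volumeHandle.
    """
    spec = pv.get("spec", {})
    in_tree = spec.get("awsElasticBlockStore", {}).get("volumeID")
    if in_tree:
        return in_tree.rsplit("/", 1)[-1]
    csi = spec.get("csi", {})
    if csi.get("driver") == "ebs.csi.aws.com":
        return csi.get("volumeHandle")
    return None


def unencrypted_pvs(pv_list: dict, describe_volumes: dict) -> list:
    """Cross-check every EBS-backed PV against the EBS 'Encrypted' flag."""
    encrypted = {v["VolumeId"]: v["Encrypted"] for v in describe_volumes["Volumes"]}
    findings = []
    for pv in pv_list["items"]:
        vol_id = ebs_volume_id(pv)
        if vol_id is None:
            continue  # not EBS-backed (e.g. NFS); outside this check's scope
        claim = pv["spec"].get("claimRef", {})
        finding = {
            "pv": pv["metadata"]["name"],
            "pvc": f"{claim.get('namespace')}/{claim.get('name')}",
            "storageClass": pv["spec"].get("storageClassName"),
            "volumeId": vol_id,
        }
        if vol_id not in encrypted:
            finding["problem"] = "backing volume not present in describe-volumes output"
        elif not encrypted[vol_id]:
            finding["problem"] = "EBS volume is not encrypted"
        else:
            continue
        findings.append(finding)
    return findings


def _pv(name, ns, claim, sc, in_tree_id=None, csi_id=None):
    """Build a minimal PV object in the shape kubectl returns (constructed data)."""
    spec = {"claimRef": {"namespace": ns, "name": claim}, "storageClassName": sc}
    if in_tree_id:
        spec["awsElasticBlockStore"] = {"volumeID": in_tree_id}
    if csi_id:
        spec["csi"] = {"driver": "ebs.csi.aws.com", "volumeHandle": csi_id}
    return {"metadata": {"name": name}, "spec": spec}


# Constructed sample input: three PVs and what EC2 reports about their volumes.
SAMPLE_PVS = {"items": [
    _pv("pvc-aaa", "my-namespace", "myclaim", "gp2-expand",
        in_tree_id="aws://eu-west-2a/vol-0aaa111"),
    _pv("pvc-bbb", "my-namespace", "legacy-claim", "gp2",
        in_tree_id="aws://eu-west-2b/vol-0bbb222"),
    _pv("pvc-ccc", "other-ns", "csi-claim", "gp3", csi_id="vol-0ccc333"),
]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa111", "Encrypted": True},
    {"VolumeId": "vol-0bbb222", "Encrypted": False},
    {"VolumeId": "vol-0ccc333", "Encrypted": True},
]}

if __name__ == "__main__":
    for f in unencrypted_pvs(SAMPLE_PVS, SAMPLE_VOLUMES):
        print(f"{f['pvc']} ({f['pv']}, {f['volumeId']}, class "
              f"{f['storageClass']}): {f['problem']}")
```

Against real clusters, feed it the two commands' output with `json.load`; a PV that turns up with `gp2` rather than `gp2-expand` is the usual cause of an unencrypted finding.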

Snapshots to back up Persistent Volumes

You can take snapshots to back up Persistent Volumes using an Amazon Data Lifecycle Manager (DLM) snapshot lifecycle policy.

The example snapshot lifecycle policy below will create a snapshot of all tagged volumes every 24 hours starting at 05:00 UTC. As per the retain_rule, a maximum of 30 snapshots of the target volume will be retained.

Using the example below, create a “Data Lifecycle Management (DLM)” file called dlm.tf in your namespace's resources folder in the environments repo. Amend the tags_to_add and replace <pvc-name> with the name of your PersistentVolumeClaim.

Amazon Data Lifecycle Manager uses target_tags to identify the EBS volumes to back up, so please make sure you update the target_tags with the right PVC name.

resource "aws_dlm_lifecycle_policy" "persistentvolume_backup" {
  description        = "PersistentVolume lifecycle policy for <pvc-name>"
  execution_role_arn = "arn:aws:iam::754256621582:role/dlm-lifecycle-role"
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]

    schedule {
      name = "Daily 30 days persistentvolume snapshots for <pvc-name>"

      # One snapshot every 24 hours, started at 05:00 UTC.
      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["05:00"]
      }

      # Keep the 30 most recent snapshots; older ones are deleted by DLM.
      retain_rule {
        count = 30
      }

      # Tags applied to every snapshot the policy creates. Each key may
      # appear only once in an HCL map, so "application" is listed once.
      tags_to_add = {
        SnapshotCreator  = "DLM"
        application      = "exampleapp"
        environment-name = "testenvname"
        namespace        = "my-namespace"
        team_name        = "example-repo"
        business-unit    = "example-bu"
        is-production    = "false"
      }

      # Also carry the source volume's own tags over to the snapshot.
      copy_tags = true
    }

    # DLM selects the volumes to snapshot by this tag, which the EBS
    # provisioner sets from the PVC name, so <pvc-name> must match exactly.
    target_tags = {
      "kubernetes.io/created-for/pvc/name" = "<pvc-name>"
    }
  }
}

# Expose the policy id to the namespace as a Kubernetes Secret. The namespace
# here must be the same namespace the PVC lives in.
resource "kubernetes_secret" "persistentvolume_backup_sec" {
  metadata {
    name      = "persistentvolume-backup-output"
    namespace = "my-namespace"
  }

  data = {
    persistentvolume_backup_id = aws_dlm_lifecycle_policy.persistentvolume_backup.id
  }
}
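A backup policy that is ENABLED is not the same as a backup that exists, so it is worth checking, from the AWS side, that the volumes the policy targets really are getting daily encrypted snapshots. The script below is an added example, not code from this guide or from the Terraform above. It takes the JSON shapes of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots` and, for every volume tagged kubernetes.io/created-for/pvc/name (the tag the policy's target_tags matches on), checks that the newest snapshot is no older than the 24-hour create_rule interval plus a grace period, that every snapshot is encrypted, and that no more than the retain_rule count of 30 have accumulated. The volume ids, snapshot ids, PVC names and timestamps in the sample data are constructed.

```python
"""Check that a DLM snapshot policy is actually protecting the PVC-tagged volumes.

Added example, not part of the Cloud Platform guide. Input is the JSON shape
of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots`; the sample
data at the bottom is constructed.
"""
from datetime import datetime, timedelta, timezone

PVC_NAME_TAG = "kubernetes.io/created-for/pvc/name"  # what target_tags matches on
SNAPSHOT_INTERVAL = timedelta(hours=24)               # create_rule interval
RETAIN_COUNT = 30                                     # retain_rule count


def tag_value(resource: dict, key: str):
    """Read one tag from an EC2 resource's Tags list (None if absent)."""
    for t in resource.get("Tags", []):
        if t["Key"] == key:
            return t["Value"]
    return None


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamps EC2 returns, e.g. 2022-11-14T05:03:21.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_backups(volumes: dict, snapshots: dict, now: datetime,
                  grace: timedelta = timedelta(hours=1)) -> dict:
    """Return {pvc name: [problems]} for every PVC-tagged volume with an issue."""
    by_volume = {}
    for snap in snapshots["Snapshots"]:
        by_volume.setdefault(snap["VolumeId"], []).append(snap)

    findings = {}
    for vol in volumes["Volumes"]:
        pvc = tag_value(vol, PVC_NAME_TAG)
        if pvc is None:
            continue  # not a PVC-backed volume; the policy does not target it
        problems = []
        snaps = sorted(by_volume.get(vol["VolumeId"], []),
                       key=lambda s: parse_time(s["StartTime"]), reverse=True)
        if not snaps:
            problems.append("no snapshots exist for this volume")
        else:
            age = now - parse_time(snaps[0]["StartTime"])
            if age > SNAPSHOT_INTERVAL + grace:
                problems.append(f"newest snapshot is {age} old")
            if any(not s["Encrypted"] for s in snaps):
                problems.append("at least one snapshot is unencrypted")
            if len(snaps) > RETAIN_COUNT:
                problems.append(f"{len(snaps)} snapshots kept, policy retains {RETAIN_COUNT}")
        if problems:
            findings[pvc] = problems
    return findings


# Constructed sample data: the audit is run as if at 06:00 UTC on 15 Nov 2022,
# an hour after the policy's 05:00 run.
NOW = datetime(2022, 11, 15, 6, 0, tzinfo=timezone.utc)
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa111", "Tags": [{"Key": PVC_NAME_TAG, "Value": "myclaim"}]},
    {"VolumeId": "vol-0bbb222", "Tags": [{"Key": PVC_NAME_TAG, "Value": "stale-claim"}]},
    {"VolumeId": "vol-0ccc333", "Tags": [{"Key": PVC_NAME_TAG, "Value": "never-backed-up"}]},
    {"VolumeId": "vol-0ddd444", "Tags": [{"Key": "Name", "Value": "node-root-disk"}]},
]}
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-001", "VolumeId": "vol-0aaa111", "Encrypted": True,
     "StartTime": "2022-11-15T05:02:10.000Z"},
    {"SnapshotId": "snap-002", "VolumeId": "vol-0aaa111", "Encrypted": True,
     "StartTime": "2022-11-14T05:01:55.000Z"},
    {"SnapshotId": "snap-003", "VolumeId": "vol-0bbb222", "Encrypted": False,
     "StartTime": "2022-11-12T05:00:40.000Z"},
]}

if __name__ == "__main__":
    for pvc, problems in audit_backups(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, NOW).items():
        print(f"{pvc}: " + "; ".join(problems))
```

Run it shortly after the scheduled snapshot time with `now = datetime.now(timezone.utc)`; the grace period absorbs the few minutes DLM needs to start a snapshot after 05:00. A PVC that appears with "no snapshots" usually means the target_tags value does not match the PVC name exactly.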

Restoring a Persistent Volume from a snapshot

If you want to restore a PV from a snapshot, speak to the cloud-platform team in the #ask-cloud-platform channel.

This page was last reviewed on 14 November 2022. It needs to be reviewed again on 14 February 2023.
This page was set to be reviewed before 14 February 2023. This might mean the content is out of date.