mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc

:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-spire-csidriver-config_{context}"]
= Deploying the SPIFFE Container Storage Interface driver

[role="_abstract"]
Configure the Container Storage Interface (CSI) driver by using the `SpiffeCSIDriver` custom resource (CR). This configuration mounts the SPIFFE Workload API socket directly into workload pods, which allows your applications to access the SPIFFE Workload API securely.

.Prerequisites

* You have access to the cluster as a user with the `cluster-admin` role.
* You have installed {zero-trust-full} in the cluster.

.Procedure

. Create the `SpiffeCSIDriver` CR:

.. Create a YAML file that defines the `SpiffeCSIDriver` CR object, for example, `SpiffeCSIDriver.yaml`:
+
.Example `SpiffeCSIDriver.yaml`
+
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: SpiffeCSIDriver
metadata:
  name: cluster
spec:
  agentSocketPath: "/run/spire/agent-sockets"
  pluginName: "csi.spiffe.io"
----
where:

name:: Specifies the name of the CR. The name must be `cluster`.

agentSocketPath:: Specifies the path to the directory that contains the SPIRE agent's Workload API socket. The CSI driver bind-mounts this directory into workload containers. The directory is shared between the SPIRE agent and the CSI driver through a `hostPath` volume. The value must be an absolute path with a maximum length of 256 characters, and it must match `SpireAgent.spec.socketPath` for workloads to access the socket.

pluginName:: Specifies the name of the CSI plugin. This value sets the name of the CSI driver that is deployed to the cluster and that is referenced in `VolumeMount` configurations; it must match the driver name that the workload pods reference. The value must be in a valid domain name format (for example, `csi.spiffe.io`) with a maximum length of 127 characters.

.. Apply the configuration by running the following command:
+
[source,terminal]
----
$ oc apply -f SpiffeCSIDriver.yaml
----
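The constraints listed above for `name`, `agentSocketPath` and `pluginName`, together with the requirement that workload pods reference the same driver name, can be checked before `oc apply`. The following Python pre-flight check is an added example and is not part of the operator or of this documentation; it takes manifests as dicts (what a YAML loader returns), and both the `SpireAgent.spec.socketPath` value passed in and the `readOnly: true` requirement on the pod volume (a behaviour of the upstream SPIFFE CSI driver, not stated in this procedure) are assumptions.

```python
import re

# Lowercase hostname labels (letters, digits, hyphens; no leading or
# trailing hyphen), joined by dots: the "valid domain name format" rule.
DNS_NAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# The CR from this module, as the dict that yaml.safe_load() would return.
EXAMPLE_CR = {
    "apiVersion": "operator.openshift.io/v1alpha1",
    "kind": "SpiffeCSIDriver",
    "metadata": {"name": "cluster"},
    "spec": {"agentSocketPath": "/run/spire/agent-sockets",
             "pluginName": "csi.spiffe.io"},
}


def check_csi_driver(cr, spire_agent_socket_path):
    """Return findings for a SpiffeCSIDriver CR; empty means consistent.
    spire_agent_socket_path is SpireAgent.spec.socketPath, read separately."""
    findings = []
    if cr.get("metadata", {}).get("name") != "cluster":
        findings.append("metadata.name must be cluster")
    spec = cr.get("spec", {})
    path = spec.get("agentSocketPath", "")
    if not path.startswith("/"):
        findings.append("agentSocketPath must be an absolute path")
    if len(path) > 256:
        findings.append("agentSocketPath is longer than 256 characters")
    if path != spire_agent_socket_path:
        findings.append("agentSocketPath does not match SpireAgent.spec.socketPath")
    name = spec.get("pluginName", "")
    if len(name) > 127 or not DNS_NAME.match(name):
        findings.append("pluginName must be a domain name of at most 127 characters")
    return findings


def check_workload_volume(volume, plugin_name):
    """Return findings for a pod volume that should expose the Workload API."""
    csi = volume.get("csi")
    if csi is None:
        # A hostPath (or other) volume bypasses the CSI driver entirely.
        return [f"volume {volume.get('name')} is not a CSI volume"]
    findings = []
    if csi.get("driver") != plugin_name:
        findings.append(f"volume {volume.get('name')} driver must be {plugin_name}")
    if csi.get("readOnly") is not True:
        findings.append(f"volume {volume.get('name')} must set readOnly: true")
    return findings
```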

.Verification

* Verify that the daemon set of the SPIFFE CSI driver is ready and available by running the following command:
+
[source,terminal]
----
$ oc get daemonset -l app.kubernetes.io/name=spiffe-csi-driver -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
NAME                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
spire-spiffe-csi-driver   3         3         3       3            3           <none>          114s
----

* Verify that the status of the SPIFFE CSI driver pods is `Running` by running the following command:
+
[source,terminal]
----
$ oc get po -l app.kubernetes.io/name=spiffe-csi-driver -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
NAME                            READY   STATUS    RESTARTS   AGE
spire-spiffe-csi-driver-gpwcp   2/2     Running   0          2m37s
spire-spiffe-csi-driver-rrbrd   2/2     Running   0          2m37s
spire-spiffe-csi-driver-w6s6q   2/2     Running   0          2m37s
----