Red Hat OpenShift has released a feature called Hosted Control Planes which decouples control planes from worker nodes. This architecture allows organisations to more efficiently run a large number of OpenShift clusters and makes smaller clusters more cost effective (due to the decreased infrastructure footprint of a 'hosted' clusters control plane).
The consolidation does allow platform teams to more easily manage the infrastructure, however, does consolidate multiple control plane's worth of data into a single cluster.
This repository is a demonstration of how fine grained access control and encryption can be maintained over the control plane data within each of the hosted clusters.
Thales CipherTrust Transparent Encryption for Kubernetes together with CipherTrust Manager are being used to encrypt the etcd datastore for each hosted cluster - to maintain the security of Kubernetes secrets.
This project is currently a work in progress.
This repository is based on the multicloud-gitops validated pattern.
Today this pattern has CipherTrust Manager deployed outside of the pattern and connected up after the fact.
This setup assumes that you have both a openshift cluster and a ciphertrust manager pre-deployed and that the worker nodes of you cluster can reach the ciphertrust manager over 443
. More detailed information is in docs.
- AWS API KEY / SECRET KEY for s3 storage.
- Cred file equivalent of above at ~/.aws/credentials
- htpassword file (for local users in lieu of reconfiguring)
- A pull secret for docker.io for the CTE containers.
- A manifest file for AAP
- A user / password for ciphertrust manager
- A registration token for ciphetrust manager (hopefully automatible).