Mounting encrypted disks on Talos
Authored by
Sheogorath
This Pod is a PoC for mounting additional LUKS-encrypted disks in Talos without modifying the existing source code.
It assumes the util-linux system extension (https://github.com/siderolabs/extensions/tree/main/tools/util-linux) is installed on the node, and potentially some others.
Tested with the following extensions enabled:
customization:
  systemExtensions:
    officialExtensions:
      - siderolabs/amd-ucode
      - siderolabs/amdgpu-firmware
      - siderolabs/binfmt-misc
      - siderolabs/gvisor
      - siderolabs/iscsi-tools
      - siderolabs/realtek-firmware
      - siderolabs/thunderbolt
      - siderolabs/util-linux-tools
      - siderolabs/v4l-uvc-drivers
How to use?
Create a Secret named cryptsetup with your LUKS passphrase under the key LUKS_PASSWORD (that is where the Pod reads it from), then run kubectl create -f cryptsetup.yaml in the same namespace where you created the Secret. Make sure that namespace is considered privileged under Pod Security Admission: the Pod runs privileged with hostPID, hostNetwork and hostIPC and mounts the node's root filesystem, so a baseline or restricted namespace will reject it.
cryptsetup.yaml 1.20 KiB
apiVersion: v1
kind: Pod
metadata:
  generateName: cryptsetup-
spec:
  containers:
  - command:
    - bash
    - -c
    args:
    - |
      # Passphrase comes from the Secret via stdin; "-" tells cryptsetup to read the key from stdin.
      echo $LUKS_PASSWORD | chroot /host /usr/sbin/cryptsetup luksOpen /dev/sda storage -
      # Activate the LVM volume group that lives on the now-unlocked device.
      chroot /host/ /sbin/vgscan --mknodes
      chroot /host/ /sbin/vgchange -a y
      mkdir /host/var/lib/storage
      mount /host/dev/storage/longhorn /host/var/lib/storage
    image: quay.io/fedora/fedora:40
    imagePullPolicy: IfNotPresent
    name: debugger
    resources: {}
    stdin: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    env:
    - name: LUKS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: cryptsetup
          key: LUKS_PASSWORD
    tty: true
    volumeMounts:
    - mountPath: /host
      name: host-root
      # Bidirectional propagation is what makes the mount done inside the container visible on the node.
      mountPropagation: Bidirectional
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostIPC: true
  hostNetwork: true
  hostPID: true
  # Pin the Pod to the node that has the encrypted disk attached.
  nodeName: node01.k8s01.example.com
  restartPolicy: Never
  terminationGracePeriodSeconds: 30
  tolerations:
  - operator: Exists
  volumes:
  - hostPath:
      path: /
      type: ""
    name: host-root
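The inline script above runs its five commands unconditionally, so a second Pod fails on mkdir and a failed luksOpen still falls through to vgchange and mount. The script below is an added, idempotent rewrite of that in-Pod script (example code, not the snippet author's); it assumes the same hostPath mount at /host and the same Secret-injected LUKS_PASSWORD, and the device, mapper name, volume and mountpoint defaults match the snippet.

```shell
#!/usr/bin/env bash
# Idempotent version of the inline script from cryptsetup.yaml (added example,
# not the snippet author's code). Each step is skipped when its result already
# exists, so re-creating the Pod is safe, and any failure aborts the run instead
# of falling through to the next command the way the plain `bash -c` script does.
set -eu
set -o pipefail 2>/dev/null || true

HOST_ROOT=${HOST_ROOT:-/host}                  # hostPath mount of the node's /
LUKS_DEVICE=${LUKS_DEVICE:-/dev/sda}           # encrypted disk on the node
MAPPER_NAME=${MAPPER_NAME:-storage}            # becomes /dev/mapper/<name>
LV_DEVICE=${LV_DEVICE:-/dev/storage/longhorn}  # LVM volume on the unlocked disk
MOUNTPOINT=${MOUNTPOINT:-/var/lib/storage}     # mount target on the node

host_run()     { chroot "$HOST_ROOT" "$@"; }   # run binaries from the node's rootfs
luks_is_open() { host_run cryptsetup status "$MAPPER_NAME" >/dev/null 2>&1; }
lv_is_active() { [ -b "$HOST_ROOT$LV_DEVICE" ]; }
is_mounted()   { mountpoint -q "$HOST_ROOT$MOUNTPOINT"; }

open_luks() {
  if luks_is_open; then echo "luks: $MAPPER_NAME already open"; return 0; fi
  # The passphrase travels over stdin, never as a command-line argument that
  # would be readable in /proc. With --key-file - cryptsetup reads stdin up to
  # EOF, so echo's trailing newline is part of the passphrase; keep whichever
  # form the key slot was enrolled with.
  echo "${LUKS_PASSWORD:?LUKS_PASSWORD not set}" |
    host_run cryptsetup open --key-file - "$LUKS_DEVICE" "$MAPPER_NAME"
}

activate_lvm() {
  if lv_is_active; then echo "lvm: $LV_DEVICE already active"; return 0; fi
  host_run vgscan --mknodes
  host_run vgchange -a y
  lv_is_active || { echo "lvm: $LV_DEVICE did not appear" >&2; return 1; }
}

mount_storage() {
  if is_mounted; then echo "mount: $MOUNTPOINT already mounted"; return 0; fi
  mkdir -p "$HOST_ROOT$MOUNTPOINT"
  mount "$HOST_ROOT$LV_DEVICE" "$HOST_ROOT$MOUNTPOINT"
}

main() { open_luks && activate_lvm && mount_storage; }

# The Pod injects LUKS_PASSWORD from the Secret; run automatically only then.
if [ -n "${LUKS_PASSWORD:-}" ]; then main; fi
```

To use it in the Pod, replace the block scalar under args with this script (or bake it into the image); the Pod spec itself stays unchanged.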