Guide on how to implement Cross-Tenant Disk Encryption with Azure Kubernetes Service

This documentation is an expansion of Microsoft's article "Configure cross-tenant customer-managed keys for an existing storage account". Its purpose is to explain how to allow a "Disk Encryption Set" to consume a key hosted in a Key Vault from a different tenant. The disk encryption set is then used to encrypt a Kubernetes Persistent Volume Claim.

Introduction

 


 

Tenant of KeyVault: A

Tenant of DiskEncryptionSet: B

 

All the steps outlined in this documentation will assume that you have Owner access in both Tenants.

During the creation of the objects, unless otherwise specified, we have used the default values prompted by Azure. Feel free to adjust according to your needs.

 

Implementation

 

Step I: Create the key vault in tenant A

A) Connect to the tenant

az login --tenant A

 

B) Set the subscription:

az account set --subscription <your sub>

 

C) Create the Resource Group (feel free to adjust name and location):

az group create --name rg-for-demo-vault --location NorthEurope

 

D) Create the key vault:

az keyvault create -n rg-for-demo-vault -g rg-for-demo-vault -l NorthEurope --enable-purge-protection true

 

E) Create a key in the key vault:

[Screenshot: Key Vault "Create a key" dialog in the portal. Options: Generate; Name: demo-vault-key; Key type: RSA; RSA key size: 2048; activation and expiration dates not set; key rotation policy: Not configured.]

 

 

Step II: Create the App registration in Microsoft Entra of tenant B

 

Make sure to check "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)".

 

[Screenshot: "Register an application" in tenant B. Name: demo-vault; Supported account types: "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" selected; Redirect URI left empty.]

 

Retrieve the "Application (client) ID" of the "demo-vault" app. We will need it for the next step.

[Screenshot: Overview page of the demo-vault app registration in tenant B, showing Display name, Application (client) ID, Object ID, Directory (tenant) ID and Supported account types: Multiple.]

 

 

Step III: Create a Service Principal in tenant A then assign it to the KeyVault

 

A) Create the service principal (make sure that, before you issue the command, your CLI session is still in the context of Tenant A):

 

az ad sp create --id "Application (client) ID"

 

Once you issue the command, a new service principal is created in Tenant A. You should find it in Tenant A under the same name you used for the App registration in tenant B:

[Screenshot: portal search in tenant A for "demo-vault", listing demo-vault under Azure Active Directory.]

 

B) Grant the service principal rights to the key vault:

 

[Screenshot: Access control (IAM) blade of the rg-for-demo-vault key vault in tenant A, with "Add role assignment" selected.]

 

Select the role "Key Vault Crypto Service Encryption User":

[Screenshot: "Add role assignment" wizard in tenant A. Role: Key Vault Crypto Service Encryption User; Assign access to: User, group, or service principal; Selected member: demo-vault (Type: App).]

 

C) Go to "Access Policies" of the Key Vault and create a new policy.

 

At step 1, select the permissions you need:

 

[Screenshot: "Create an access policy", step 1 (Permissions), on rg-for-demo-vault in tenant A, listing the Key, Secret and Certificate permission check boxes (management operations, cryptographic operations such as Wrap Key and Unwrap Key, privileged operations and rotation policy operations).]

 

At step 2 add the service principal:

 

[Screenshot: "Create an access policy", step 2 (Principal), on rg-for-demo-vault in tenant A. Only one principal can be assigned per access policy; demo-vault is selected.]

 

Leave the remaining settings at their defaults, then create the policy. In the end you should end up with:

 

[Screenshot: Access policies blade of rg-for-demo-vault in tenant A, showing one policy for the application demo-vault. Key permissions: Get, List, Update, Create, Import, Delete, Recover, ...; Secret permissions: Get, List, Set, Delete, Recover, Backup, Restore; Certificate permissions: Get, List, Update, Create, Import, Delete, Recover, ...]

 

 

Step IV: Create the disk encryption set in Tenant B

 

Note: For the purpose of our demo, we have created the Managed Identity and DiskEncryptionSet in the Infrastructure Resource Group of the cluster where we are going to consume the encrypted PVCs.

 

  1. Create a "User Assigned managed identity":

[Screenshot: "Create User Assigned Managed Identity" in tenant B, Basics tab. Subscription: testing; Region: North Europe; Name: managed-identity-demo-vault.]

 

  2. Assign the Managed Identity to the App registration in Microsoft Entra of tenant B:

 

 

 

Make sure to choose the "CustomerManagedKeys" for the federated credential scenario.

Make sure to choose the correct managed identity for the "select managed identity".

 

 

  3. Create the Disk Encryption Set inside the Infrastructure Resource Group "MC" of the Cluster:

 

The key URI must be taken from the Key Vault;

The "User Assigned Identity" must be the identity you created earlier;

The "Multi-Tenant application" should be the one you created earlier;
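The portal actions of Step I-E and Steps II to IV can also be scripted. The script below is an added example, not code from the original guide: every name in it is either one of the guide's demo names or a bracketed placeholder, the `run` wrapper prints the commands instead of executing them when `DRY_RUN=1`, and the federated credential of Step IV-2 is deliberately left to the portal, as the guide describes it. Two caveats a practitioner should keep in mind: a key vault enforces either Azure RBAC (Step III-B) or access policies (Step III-C) depending on its permission model, so only the matching grant takes effect; and a disk encryption set needs only the get, wrapKey and unwrapKey key permissions, far less than the screenshot grants.

```shell
#!/bin/sh
# Added example, not part of the original guide: the portal actions of
# Step I-E and Steps II-IV expressed as Azure CLI calls. All names and IDs
# are the guide's demo names or placeholders; replace them for your tenants.
set -eu

# With DRY_RUN=1 every az call is printed instead of executed, so the exact
# commands can be reviewed (and checked) without logging in to either tenant.
DRY_RUN="${DRY_RUN:-0}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step I-E (tenant A): create the RSA-2048 key and print its key URI,
# which the disk encryption set in Step IV needs.
create_key() {               # $1 vault name, $2 key name
  run az keyvault key create --vault-name "$1" --name "$2" --kty RSA --size 2048 \
      --query key.kid -o tsv
}

# Step II (tenant B): multi-tenant app registration; prints the Application (client) ID.
create_multitenant_app() {   # $1 display name
  run az ad app create --display-name "$1" --sign-in-audience AzureADMultipleOrgs \
      --query appId -o tsv
}

# Step III-A (tenant A): instantiate the tenant-B app as a service principal
# in tenant A; prints the service principal's object ID.
create_sp_in_tenant_a() {    # $1 Application (client) ID from Step II
  run az ad sp create --id "$1" --query id -o tsv
}

# Step III-B (tenant A): RBAC role on the vault. Effective only when the vault
# uses the "Azure role-based access control" permission model.
grant_crypto_role() {        # $1 SP object ID, $2 vault resource ID
  run az role assignment create --assignee-object-id "$1" \
      --assignee-principal-type ServicePrincipal \
      --role "Key Vault Crypto Service Encryption User" --scope "$2"
}

# Step III-C (tenant A): access policy. Effective only when the vault uses the
# "Vault access policy" model. A disk encryption set only needs get, wrapKey
# and unwrapKey on keys, so nothing more is granted here.
grant_access_policy() {      # $1 vault name, $2 SP object ID
  run az keyvault set-policy --name "$1" --object-id "$2" \
      --key-permissions get wrapkey unwrapkey
}

# Step IV-1 (tenant B): user-assigned managed identity; prints its resource ID.
create_identity() {          # $1 resource group, $2 identity name
  run az identity create --resource-group "$1" --name "$2" --query id -o tsv
}

# Step IV-2: create the federated credential in the portal with the
# "CustomerManagedKeys" scenario, exactly as the guide describes; the issuer
# and subject the portal derives for that scenario are not reproduced here.

# Step IV-3 (tenant B): disk encryption set bound to the key in tenant A.
create_des() {               # $1 resource group, $2 DES name, $3 key URI,
                             # $4 identity resource ID, $5 Application (client) ID
  run az disk-encryption-set create --resource-group "$1" --name "$2" \
      --key-url "$3" --mi-user-assigned "$4" --federated-client-id "$5"
}

# Usage (switch tenants with "az login --tenant ..." as in Step I-A):
#   KEY_URI=$(create_key rg-for-demo-vault demo-vault-key)            # tenant A
#   APP_ID=$(create_multitenant_app demo-vault)                        # tenant B
#   SP_ID=$(create_sp_in_tenant_a "$APP_ID")                           # tenant A
#   grant_crypto_role "$SP_ID" "<vault resource ID>"                   # tenant A
#   MI_ID=$(create_identity "<MC_ resource group>" managed-identity-demo-vault)   # tenant B
#   create_des "<MC_ resource group>" disk-encryption-set-demo-vault "$KEY_URI" "$MI_ID" "$APP_ID"
```

Run the usage sequence with `DRY_RUN=1` first to review the commands, then without it; the `az login --tenant` switches between the calls are the same ones Step I-A uses.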

 

 

 

Step V: Create a storage class in your Kubernetes cluster that will provision encrypted disks.

 

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-byok
provisioner: disk.csi.azure.com # replace with "kubernetes.io/azure-disk" if the AKS version is older than 1.21
parameters:
  skuname: StandardSSD_LRS
  kind: managed
  diskEncryptionSetID: /subscriptions/XXXXX/resourceGroups/XXXX/providers/Microsoft.Compute/diskEncryptionSets/disk-encryption-set-demo-vault
reclaimPolicy: Retain

 

Create a PVC that consumes the StorageClass:

 

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: azure-byok-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
  storageClassName: azure-byok
  volumeMode: Filesystem
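Once the PVC is bound, it is worth confirming that the managed disk Azure actually provisioned is encrypted with the disk encryption set and not with a platform-managed key, which is what you silently get if the StorageClass parameter is misspelled or the disk encryption set is not usable. The script below is an added example, not part of the original guide. It assumes the Azure Disk CSI driver (where the PersistentVolume's `spec.csi.volumeHandle` is the managed disk's resource ID), kubectl against the cluster and az logged in to tenant B, and it compares resource IDs case-insensitively because the two tools can return the same ID with different casing.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that the disk behind a
# bound PVC is encrypted with the expected disk encryption set (DES).
set -eu

# ARM resource IDs are not case-sensitive; kubectl and "az disk show" may
# return different casing for the same ID, so normalise before comparing.
same_resource_id() {         # $1 expected ID, $2 observed ID
  a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$a" = "$b" ]
}

# Classify the disk's encryption from the values "az disk show" reports.
# Prints: ok, wrong-des, or platform-managed-key.
classify_encryption() {      # $1 encryption.type, $2 observed DES ID, $3 expected DES ID
  case "$1" in
    EncryptionAtRestWithCustomerKey|EncryptionAtRestWithPlatformAndCustomerKeys)
      if same_resource_id "$3" "$2"; then echo ok; else echo wrong-des; fi ;;
    *) echo platform-managed-key ;;
  esac
}

# Resolve PVC -> PV -> managed disk, then inspect the disk's encryption block.
verify_pvc_disk() {          # $1 PVC name, $2 namespace, $3 expected DES resource ID
  pv=$(kubectl get pvc "$1" -n "$2" -o jsonpath='{.spec.volumeName}')
  disk_id=$(kubectl get pv "$pv" -o jsonpath='{.spec.csi.volumeHandle}')
  enc_type=$(az disk show --ids "$disk_id" --query encryption.type -o tsv)
  des_id=$(az disk show --ids "$disk_id" --query encryption.diskEncryptionSetId -o tsv)
  classify_encryption "$enc_type" "$des_id" "$3"
}

# Usage (expected DES ID is the one from the StorageClass above):
#   verify_pvc_disk azure-byok-pvc default "/subscriptions/XXXXX/resourceGroups/XXXX/providers/Microsoft.Compute/diskEncryptionSets/disk-encryption-set-demo-vault"
```

Anything other than `ok` means the PVC's data is not protected by the tenant-A key: `platform-managed-key` points at the StorageClass or the PVC not using it, `wrong-des` at a different disk encryption set being referenced.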

 

 

Conclusion

 

The documentation delineates the process of establishing a cross-tenant disk encryption setup utilizing Azure Kubernetes Service (AKS). By orchestrating a Disk Encryption Set to access a key from a Key Vault in a different Tenant, and aligning it with a Kubernetes Persistent Volume Claim, a robust encryption infrastructure is realized.

 

This configuration ensures secure encryption of sensitive data housed in Persistent Volume Claims, meeting stringent security and compliance mandates. All the steps outlined in this document provide a roadmap towards deploying a secure, cross-tenant disk encryption framework within Azure, thereby significantly bolstering the security measures surrounding your Kubernetes deployments.

 

 
