Security
Use the recommendations listed here to ensure your Trident installation is secure.
Run Trident in its own namespace
It is important to prevent applications, application administrators, users, and management applications from accessing Trident object definitions or the pods to ensure reliable storage and block potential malicious activity.
To separate the other applications and users from Trident, always install Trident in its own Kubernetes namespace (trident
). Putting Trident in its own namespace assures that only the Kubernetes administrative personnel have access to the Trident pod and the artifacts (such as backend and CHAP secrets if applicable) stored in the namespaced CRD objects.
You should ensure that you allow only administrators access to the Trident namespace and thus access to the tridentctl
application.
Use CHAP authentication with ONTAP SAN backends
Trident supports CHAP-based authentication for ONTAP SAN workloads (using the ontap-san
and ontap-san-economy
drivers). NetApp recommends using bidirectional CHAP with Trident for authentication between a host and the storage backend.
For ONTAP backends that use the SAN storage drivers, Trident can set up bidirectional CHAP and manage CHAP usernames and secrets through tridentctl
.
Refer to Prepare to configure backend with ONTAP SAN drivers to understand how Trident configures CHAP on ONTAP backends.
Use CHAP authentication with NetApp HCI and SolidFire backends
NetApp recommends deploying bidirectional CHAP to ensure authentication between a host and the NetApp HCI and SolidFire backends. Trident uses a secret object that includes two CHAP passwords per tenant. When Trident is installed, it manages the CHAP secrets and stores them in a tridentvolume
CR object for the respective PV. When you create a PV, Trident uses the CHAP secrets to initiate an iSCSI session and communicate with the NetApp HCI and SolidFire system over CHAP.
The volumes that are created by Trident are not associated with any Volume Access Group. |
Use Trident with NVE and NAE
NetApp ONTAP provides data-at-rest encryption to protect sensitive data in the event a disk is stolen, returned, or repurposed. For details, refer to Configure NetApp Volume Encryption overview.
-
If NAE is enabled on the backend, any volume provisioned in Trident will be NAE-enabled.
-
If NAE is not enabled on the backend, any volume provisioned in Trident will be NVE-enabled unless you set the NVE encryption flag to
false
in the backend configuration.
Volumes created in Trident on an NAE-enabled backend must be NVE or NAE encrypted.
|
-
You can manually create an NVE volume in Trident by explicitly setting the NVE encryption flag to
true
.
For more information on backend configuration options, refer to: