add possibility for nfs tls mounts / xprtsec=mtls #843

Open
eingemaischt opened this issue Jan 14, 2025 · 2 comments
Comments

@eingemaischt

We are using TLS for our nfs mounts - this is relatively easy and enables stream encryption and certificate authentication between nfs client and server.

An example of a configuration for linux clients and server can be found here:
https://forums.gentoo.org/viewtopic-p-8843922.html

Is it possible to make xprtsec usable with csi-driver-nfs for StorageClasses, too?

It would really help a lot and secure our connections (currently we are using a wireguard...)

@andyzhangx
Member

Seems it's related to config on the node? How is this related to csi driver?

@eingemaischt
Author

For nfs over tls a newer kernel and a daemon for handling tls offload to the kernel are needed (ktls-utils). https://wiki.archlinux.org/title/NFS#TLS_encryption

Or can csi driver communicate with the ktls-config on the node? That would be neat because then certificate configuration and CA-checking would be done on the node. Maybe it is only needed to mount a socket to the container?
