Elastic Container Instance allows you to encrypt the temporary storage space of an elastic container instance to protect sensitive image or business data or to comply with regulations. This protects the data against unauthorized access and leakage. This topic describes how to encrypt the temporary storage space of an elastic container instance.
Feature description
By default, each elastic container instance provides 30 GiB of temporary storage space to store the container images that are used to launch the instance and the business data that is generated while the instance runs. You can increase the size of the storage space based on your business requirements. Elastic Container Instance allows you to encrypt the temporary storage space to protect sensitive image or business data or to comply with regulations. This protects the data against unauthorized access and leakage.
If you enable the encryption feature when you create an elastic container instance, Elastic Container Instance automatically encrypts data that is written to the temporary storage space and decrypts the data when you read it. The encryption feature uses the industry-standard AES-256 algorithm and the service keys (default keys) that are provided by Alibaba Cloud Key Management Service (KMS).
Prerequisites
KMS is activated. For more information, see Purchase a dedicated KMS instance.
After you activate KMS, the system automatically creates and manages service keys. You can use the service keys free of charge.
Usage notes
The encryption method that is described in this topic does not apply to elastic container instances that are created from manually created image caches.
Configuration description
You can add the following annotation to the metadata of an elastic container instance to encrypt the temporary storage space.
Annotation | Example | Description |
--- | --- | --- |
k8s.aliyun.com/eci-ephemeral-storage-options | "{\"encrypted\":\"true\"}" | The setting of |
Annotations must be added to the pod metadata in the configuration file. For example, when you create a Deployment, you must add the annotations in the spec.template.metadata section, not in the top-level metadata section of the Deployment.
Annotations that enable Elastic Container Instance features take effect only if they are set when the Elastic Container Instance-based pod is created. Annotations that you add or modify when you update a pod do not take effect.
Configuration example
The following sample code shows how to add the annotation to a Deployment to encrypt the temporary storage space of an elastic container instance. In this example, data that is written to the temporary storage space is automatically encrypted and is decrypted when the data is read.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kms-test
  labels:
    app: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      name: kms-test
      labels:
        app: test
        alibabacloud.com/eci: "true"
      annotations:
        k8s.aliyun.com/eci-ephemeral-storage-options: "{\"encrypted\":\"true\"}" # Encrypt the temporary storage space.
    spec:
      containers:
      - name: test
        image: registry-vpc.cn-beijing.aliyuncs.com/eci_open/nginx:1.4.2
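Because the annotation only takes effect when it is placed on the pod metadata at creation time, a manifest that carries it on the Deployment's top-level metadata, or with a value other than the documented JSON string, silently launches pods with unencrypted temporary storage. The following check is an added example, not code from the Alibaba Cloud documentation or the Elastic Container Instance service. It verifies the annotation's placement and value before a manifest is applied (for example, in a CI step or a pre-commit hook). The sample manifests are constructed for the example; manifests are handled as plain Python dicts of the shape yaml.safe_load would return, so the script runs without PyYAML. It treats any value other than the documented string "true" as nonconforming, which is an assumption based on the only form this topic documents.

```python
"""Static check that a workload manifest asks Elastic Container Instance to
encrypt the pod's temporary storage space, and asks in the place ECI reads.

Manifests are plain Python dicts (the shape yaml.safe_load returns), so this
runs offline without PyYAML. The sample manifests below are constructed for
this example. The only documented annotation value is {"encrypted":"true"}
with "true" as a string, so any other value is reported as nonconforming
(an assumption: other spellings are not covered by the documentation).
"""
import json

ANNOTATION = "k8s.aliyun.com/eci-ephemeral-storage-options"


def pod_metadata_path(manifest):
    """Return (pod metadata dict, dotted path) for a manifest.

    A bare Pod carries its metadata at .metadata. Workload controllers such
    as Deployment carry the pod metadata at .spec.template.metadata, which is
    where ECI reads the annotation from; the controller's own top-level
    metadata is not inherited by the pods it creates.
    """
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata") or {}, "metadata"
    template = (manifest.get("spec") or {}).get("template") or {}
    return template.get("metadata") or {}, "spec.template.metadata"


def check_ephemeral_encryption(manifest):
    """Return (ok, message). ok is True only when the annotation sits on the
    pod metadata and its JSON value sets "encrypted" to the string "true"."""
    metadata, path = pod_metadata_path(manifest)
    raw = (metadata.get("annotations") or {}).get(ANNOTATION)
    if raw is None:
        # Common mistake: the annotation is placed on the Deployment itself,
        # where the pods created from the template never see it.
        top = (manifest.get("metadata") or {}).get("annotations") or {}
        if manifest.get("kind") != "Pod" and ANNOTATION in top:
            return False, (f"{ANNOTATION} is set on top-level metadata; "
                           f"move it to {path}.annotations")
        return False, (f"{ANNOTATION} is missing from {path}.annotations; "
                       "the temporary storage space will not be encrypted")
    try:
        options = json.loads(raw)  # the annotation value is a JSON string
    except (TypeError, ValueError):
        return False, f"{ANNOTATION} value is not a JSON object string: {raw!r}"
    if not isinstance(options, dict) or options.get("encrypted") != "true":
        return False, (f'{ANNOTATION} must set "encrypted" to the string '
                       f'"true" (got {options!r})')
    return True, "temporary storage space encryption is requested"


# --- constructed sample manifests (not from the documentation) ----------
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "kms-test"},
    "spec": {"template": {"metadata": {
        "labels": {"alibabacloud.com/eci": "true"},
        "annotations": {ANNOTATION: '{"encrypted":"true"}'}}}},
}
MISPLACED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "kms-test",
                 "annotations": {ANNOTATION: '{"encrypted":"true"}'}},
    "spec": {"template": {"metadata": {"labels": {"app": "test"}}}},
}
BAD_VALUE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kms-test",
                 "annotations": {ANNOTATION: '{"encrypted": true}'}},
}

if __name__ == "__main__":
    samples = [("good", GOOD_DEPLOYMENT), ("misplaced", MISPLACED_DEPLOYMENT),
               ("bad-value", BAD_VALUE_POD)]
    for name, manifest in samples:
        ok, msg = check_ephemeral_encryption(manifest)
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}: {msg}")
```

Run the script as-is to see the three verdicts; to check real manifests, load them with a YAML parser and pass the resulting dicts to check_ephemeral_encryption. Because the annotation cannot be added by updating a running pod, a failing manifest should be corrected before the first apply rather than patched afterwards.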