Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Enhance data security in OpenShift Data Foundation

July 15, 2025
Will Cushen
Related topics:
KubernetesSecurity
Related products:
Red Hat OpenShift Data Foundation

Share:

    In our previous article on Red Hat OpenShift Data Foundation (ODF), we demonstrated how to configure cluster-wide encryption at rest using HashiCorp Vault as the Key Management System (KMS). 

    In this installment, we will take that foundation further. We’ll explore how to enable encryption on a per-PersistentVolume (PV) basis, allowing teams to isolate their encrypted storage volumes at the namespace level. This is especially valuable in multi-tenant environments where different projects or teams require distinct encryption boundaries.

    Per-PV StorageClass encryption

    While cluster-wide encryption protects all data at rest, it's often insufficient for environments with stricter security demands, such as:

    • Multi-tenant Red Hat OpenShift clusters, where different teams or customers share infrastructure.
    • Compliance requirements that mandate different encryption keys per project, tenant, or sensitivity level.

    Prerequisites

    Before diving into per-PV (StorageClass) encryption, you should already have the following:

    • ODF installed and running on your OpenShift cluster.
    • Vault deployed and integrated with ODF for cluster-wide encryption (see our previous article).
    • A basic understanding of Kubernetes StorageClasses and PersistentVolumeClaims.

    Steps to enable StorageClass encryption

    Note:

    These steps assume you've already configured Vault with a root path and token that ODF can access. We’ll now layer additional Vault policies and keys for per-tenant isolation. 

    We will walk through these four steps:

    1. Create a new Vault role and Access Control List (ACL) for the tenant.

    2. Create an overriding ConfigMap in the tenant namespace.

    3. Create the tenant service account and assign permissions.

    4. Create PersistentVolumeClaims (PVCs) in the tenant namespace using the new StorageClass.

    The installation process remains largely the same as previously. However, when you reach the Security and network step in the ODF installation wizard, make sure to enable StorageClass encryption (Figure 1).

    Figure 1: ODF Wizard - Enable SC Encryption.
    Figure 1: In the ODF wizard, enable StorageClass encryption.

    Enabling this option creates an additional StorageClass on the cluster, which we've set as the default StorageClass going forward:

    $ oc get sc
    NAME                                              PROVISIONER                             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
    gp2-csi                                           ebs.csi.aws.com                         Delete          WaitForFirstConsumer   true                   4h22m
    gp3-csi                                           ebs.csi.aws.com                         Delete          WaitForFirstConsumer   true                   4h22m
    localblock                                        kubernetes.io/no-provisioner            Delete          WaitForFirstConsumer   false                  35m
    ocs-storagecluster-ceph-rbd                       openshift-storage.rbd.csi.ceph.com      Delete          Immediate              true                   2m30s
    ocs-storagecluster-ceph-rbd-encrypted (default)   openshift-storage.rbd.csi.ceph.com      Delete          Immediate              true                   2m30s
    ocs-storagecluster-cephfs                         openshift-storage.cephfs.csi.ceph.com   Delete          Immediate              true                   2m49s

    1. Create a new Vault role and ACL for the tenant

    Each tenant (or namespace) can have its own Vault path (e.g., kv/tenant-a/). However, for simplicity, we've continued to use the odf backend path defined previously:

    oc -n vault exec pods/vault-0 -- \
        vault write auth/kubernetes/role/csi-kubernetes \
        bound_service_account_names=ceph-csi-vault-sa \
        bound_service_account_namespaces='*' \
        policies=odf \
        ttl=5m

    The previously defined Vault ACL grants full access (CRUDL) to all secrets under the odf/ path (which again, we're reusing here). If you haven't yet applied the Vault policy for ODF from the previous article, here it is again:

    oc -n vault exec -i pods/vault-0 -- vault policy write odf - <<EOF
    path "odf/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    path "sys/mounts" {
      capabilities = ["read"]
    }
    EOF

    2. Create an overriding ConfigMap in the tenant namespace

    We'll now create a new ConfigMap that mirrors some values from the original csi-kms-connection-details ConfigMap (in openshift-storage).

    Key point:

    We're carrying over settings like "vaultCAVerify": "true" to demonstrate that CA verification is still enabled. However, the actual CA certificate is not redefined here; it is still sourced from the original csi-kms-connection-details (key = vaultCAFromSecret) in openshift-storage.

    Let's create a test tenant namespace:

    oc new-project tenant-a

    Now apply the overriding ConfigMap:

    oc apply -f - <<EOF 
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: csi-kms-connection-details
      namespace: tenant-a
    data:
      vault-tenant-sa: |-
        {
          "encryptionKMSType": "vaulttenantsa",
          "vaultAddress": "https://vault.vault.svc:8200",
          "vaultTLSServerName": "",
          "vaultAuthPath": "kubernetes",
          "vaultBackendPath": "odf",
          "vaultCAVerify": "true",
          "tenantSAName": "ceph-csi-vault-sa"
        }
    EOF

    Scaling tip:

    If you plan to apply this pattern across many tenants, consider using Red Hat Advanced Cluster Management for Kubernetes's PolicyGenerator to propagate these configurations cluster-wide (excluding system namespaces like openshift-* and kube-*).

    3. Create the tenant service account and assign permissions

    Create the service account:

    oc create sa ceph-csi-vault-sa -n tenant-a

    Grant it the necessary permissions via the auth-delegator role:

    oc adm policy add-role-to-user system:auth-delegator system:serviceaccount:tenant-a:ceph-csi-vault-sa

    Note that in ODF, the default service account name used for Vault integration in tenant namespaces is ceph-csi-vault-sa.

    4. Create PVCs in the tenant namespace using the new StorageClass

    Developers (or tenants) can now request encrypted volumes using the StorageClass configured for Vault:

    oc apply -f - <<EOF 
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: encrypted-pvc
      namespace: tenant-a
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 5Gi
      storageClassName: ocs-storagecluster-ceph-rbd-encrypted
      volumeMode: Block
    EOF

    The PVC expectedly goes into a Bound state:

    $ oc get pvc
    NAME            STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                            VOLUMEATTRIBUTESCLASS   AGE
    encrypted-pvc   Bound    pvc-b73d1006-5249-4091-9de5-3637c92b069e   5Gi        RWO            ocs-storagecluster-ceph-rbd-encrypted   <unset>                 3s

    We can now see that an additional Vault key has been created under the odf backend path with the prefix openshift-storage:

    $  oc -n vault exec vault-0 -- vault kv list odf
    Keys
    ----
    0001-0011-openshift-storage-0000000000000004-6d243b27-0eee-4f15-8a81-7219cb958923
    noobaa-root-master-key-backend
    rook-ceph-osd-encryption-key-ocs-deviceset-localblock-0-data-0whn2q
    rook-ceph-osd-encryption-key-ocs-deviceset-localblock-1-data-0twdbr
    rook-ceph-osd-encryption-key-ocs-deviceset-localblock-2-data-07ckr9

    Wrap up

    Per-namespace encryption with OpenShift Data Foundation and Vault unlocks powerful isolation and security controls for OpenShift clusters hosting sensitive or multi-tenant workloads.

    While cluster-wide encryption provides a strong baseline, the double encryption capability of ODF—applying encryption at the PV level—enables greater control and adherence to more rigorous compliance standards if that is relevant to your organization.

    Related Posts

    • Red Hat OpenShift Data Foundation for developers and data scientists

    • What enterprise developers need to know about security and compliance

    • Red Hat OpenShift Data Foundation topology considerations

    • Best practices for OpenShift Data Foundation disaster recovery resource planning

    • What is the difference between OpenShift and Kubernetes?

    Recent Posts

    • How to enable Ansible Lightspeed intelligent assistant

    • Why some agentic AI developers are moving code from Python to Rust

    • Confidential VMs: The core of confidential containers

    • Benchmarking with GuideLLM in air-gapped OpenShift clusters

    • Run Qwen3-Next on vLLM with Red Hat AI: A step-by-step guide

    What’s up next?

    Read Operating OpenShift, a practical guide to running and operating OpenShift clusters more efficiently using a site reliability engineering (SRE) approach. Learn best practices and tools that can help reduce the effort of deploying a Kubernetes platform.

    Get the e-book
    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue