Skip to Main Content

Containers, Cloud Native & Kubernetes


For appeals, questions and feedback, please email

Policy for openebs cstor to access block volume with master key

user-lwmo7Oct 7 2023 — edited Oct 8 2023

Good afternoon everyone.

I am hoping someone has run into this or can provide insight into an issue I am having. I am installing openebs cstor into an OKE cluster and running into what seems like a permission/policy issue. My rationale for this is that if I remove my vault/master key from the block volumes, everything works fine. The volumes are still encrypted at rest, but with an Oracle key.

However, when encrypted with my key, I have no problems attaching the volumes to the node pool instances. I have no issue with the installation of cstor. Cstor is able to find the block volumes on each node instance. They show as unclaimed, which is what I'd expect. However, when I attempt to create the cluster pool, it fails indicating that the block volume is not owned by the node. That is clearly wrong and a symptom of the issue, which appears to be a permission problem.

I have added the policies identified on this page for boot and block volumes, but that does not seem to be enough to get past this issue. I am hoping someone can give me a pointer in the right direction to resolve this issue. Thanks.

Post Details
Added on Oct 7 2023