Skip to main content
apiVersion: v1alpha1
kind: VolumeConfig
name: EPHEMERAL # Name of the volume.
# The provisioning describes how the volume is provisioned.
provisioning:
    # The disk selector expression.
    diskSelector:
        match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
    maxSize: 50GiB # The maximum size of the volume, if not specified the volume can grow to the size of the

    # # The minimum size of the volume.
    # minSize: 2.5GiB

# # The encryption describes how the volume is encrypted.
# encryption:
#     provider: luks2 # Encryption provider to use for the encryption.
#     # Defines the encryption keys generation and storage method.
#     keys:
#         - slot: 0 # Key slot number for LUKS2 encryption.
#           # Key which value is stored in the configuration file.
#           static:
#             passphrase: exampleKey # Defines the static passphrase value.
#
#           # # KMS managed encryption key.
#           # kms:
#           #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#         - slot: 1 # Key slot number for LUKS2 encryption.
#           # KMS managed encryption key.
#           kms:
#             endpoint: https://example-kms-endpoint.com # KMS endpoint to Seal/Unseal the key.
#     cipher: aes-xts-plain64 # Cipher to use for the encryption. Depends on the encryption provider.
#     blockSize: 4096 # Defines the encryption sector size.
#     # Additional --perf parameters for the LUKS2 encryption.
#     options:
#         - no_read_workqueue
#         - no_write_workqueue
FieldTypeDescriptionValue(s)
namestringName of the volume.
provisioningProvisioningSpecThe provisioning describes how the volume is provisioned.
encryptionEncryptionSpecThe encryption describes how the volume is encrypted.
mountMountSpecThe mount describes additional mount options.
trimTrimConfigThe trim describes the per-volume filesystem trim (fstrim) configuration.

provisioning

ProvisioningSpec describes how the volume is provisioned.
FieldTypeDescriptionValue(s)
diskSelectorDiskSelectorThe disk selector expression.
growboolShould the volume grow to the size of the disk (if possible).
minSizeByteSizeThe minimum size of the volume.

Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB.
maxSizeSizeThe maximum size of the volume, if not specified the volume can grow to the size of the
disk.

Size is specified in bytes or in percents. It can be expressed in human readable format, e.g. 100MB.

diskSelector

DiskSelector selects a disk for the volume.
FieldTypeDescriptionValue(s)
matchExpressionThe Common Expression Language (CEL) expression to match the disk.

encryption

EncryptionSpec represents volume encryption settings. 
encryption:
    provider: luks2 # Encryption provider to use for the encryption.
    # Defines the encryption keys generation and storage method.
    keys:
        - slot: 0 # Key slot number for LUKS2 encryption.
          # Key which value is stored in the configuration file.
          static:
            passphrase: exampleKey # Defines the static passphrase value.

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
        - slot: 1 # Key slot number for LUKS2 encryption.
          # KMS managed encryption key.
          kms:
            endpoint: https://example-kms-endpoint.com # KMS endpoint to Seal/Unseal the key.
    cipher: aes-xts-plain64 # Cipher to use for the encryption. Depends on the encryption provider.
    blockSize: 4096 # Defines the encryption sector size.

    # # Additional --perf parameters for the LUKS2 encryption.
    # options:
    #     - no_read_workqueue
    #     - no_write_workqueue
FieldTypeDescriptionValue(s)
providerEncryptionProviderTypeEncryption provider to use for the encryption.luks2
keysEncryptionKeyDefines the encryption keys generation and storage method.
cipherstringCipher to use for the encryption. Depends on the encryption provider.aes-xts-plain64
xchacha12,aes-adiantum-plain64
xchacha20,aes-adiantum-plain64
keySizeuintDefines the encryption key length.
blockSizeuint64Defines the encryption sector size.
options[]stringAdditional —perf parameters for the LUKS2 encryption.
allowDiscardsboolAllow TRIM/discard requests to be passed through to the underlying device when the encrypted volume is opened.
Defaults to false.

keys[]

EncryptionKey represents configuration for disk encryption key.
FieldTypeDescriptionValue(s)
slotintKey slot number for LUKS2 encryption.
staticEncryptionKeyStaticKey which value is stored in the configuration file.
nodeIDEncryptionKeyNodeIDDeterministically generated key from the node UUID and PartitionLabel.
kmsEncryptionKeyKMSKMS managed encryption key.
tpmEncryptionKeyTPMEnable TPM based disk encryption.
lockToStateboolLock the disk encryption key to the random salt stored in the STATE partition. This is useful to prevent the volume from being unlocked if STATE partition is compromised or replaced. It is recommended to use this option with TPM disk encryption for non-STATE volumes.

static

EncryptionKeyStatic represents throw away key type.
FieldTypeDescriptionValue(s)
passphrasestringDefines the static passphrase value.

nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server. 
encryption:
    keys:
        - kms:
            endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
FieldTypeDescriptionValue(s)
endpointstringKMS endpoint to Seal/Unseal the key.

tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.
FieldTypeDescriptionValue(s)
optionsEncryptionKeyTPMOptionsTPM options for key protection.
checkSecurebootStatusOnEnrollboolCheck that Secureboot is enabled in the EFI firmware.
If Secureboot is not enabled, the enrollment of the key will fail.
options
EncryptionKeyTPMOptions represents the options for TPM-based key protection.
FieldTypeDescriptionValue(s)
pcrs[]intList of PCRs to bind the key to. If not set, defaults to PCR 7, can be disabled by passing an empty list.

mount

MountSpec describes how the volume is mounted.
FieldTypeDescriptionValue(s)
secureboolEnable secure mount options (nosuid, nodev).

Defaults to true for better security.
Supported only for EPHEMERAL volume.
disableAccessTimeboolIf true, disable file access time updates.

Supported only for EPHEMERAL volume.

trim

TrimConfig describes per-volume filesystem trim (fstrim) configuration. It overrides the global FilesystemTrimConfig for the volume.
FieldTypeDescriptionValue(s)
enabledboolEnable or disable trimming for this volume.

If not set, trimming is enabled when the global FilesystemTrimConfig is present.
intervalDurationThe interval at which the volume is trimmed, overriding the global trim interval.