Allow root volume encryption (on AWS) #9728

Closed
ghost opened this issue Aug 11, 2020 · 9 comments · Fixed by #9793 or #10359

@ghost

ghost commented Aug 11, 2020

When you have to use encryption at rest, you currently have to create your own encrypted AMIs on AWS and use these as the base image.

With AWS you can create EC2 instances directly from a public AMI with an encrypted root volume with your own KMS key. In Terraform, for example, you could do this:

resource "aws_instance" "foobar" {
  ...

  root_block_device {
    volume_size = 256
    encrypted = true
    kms_key_id = data.aws_kms_key.my-key.arn
  }
}

InstanceGroups should support this, too. Suggestion:

apiVersion: kops.k8s.io/v1alpha2
kind: InstanceGroup
metadata:
  labels:
    kops.k8s.io/cluster: example.com
  name: nodes
spec:
  image: <random public image>
  role: Node
  ...
  rootVolumeEncryption: true
  rootVolumeEncryptionKey: <key ARN>
  ...

@johngmyers
Member

/kind feature
/area provider/aws

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. area/provider/aws Issues or PRs related to aws provider labels Aug 11, 2020
@hakman hakman added this to the v1.19 milestone Aug 19, 2020
@hakman
Member

hakman commented Aug 21, 2020

@MichaelJDrK do you really need a specific KMS key, or will the default one do just fine?

@ghost
Author

ghost commented Sep 3, 2020

> @MichaelJDrK do you really need a specific KMS key, or will the default one do just fine?

Sorry for the late answer, I've been on vacation.

Yes, for compliance reasons we have to use customer managed keys (CMK), so we need to provide a specific KMS key.

@hakman
Member

hakman commented Sep 3, 2020

OK, thanks for explaining. I will try to add the encryption keys in kops 1.19 as well.

@hakman hakman reopened this Sep 3, 2020
@hakman hakman self-assigned this Sep 3, 2020
@djerraballi

djerraballi commented Sep 17, 2020

So as of right now, will the root volume encryption flag use the default? Or is the flag just added to the spec, but not actively used?

Edit: nvm, I see that it's being passed through to the auto scaling group.

@YiannisH

YiannisH commented Nov 16, 2020

> So as of right now, will the root volume encryption flag use the default? Or is the flag just added to the spec, but not actively used?
>
> Edit: nvm, I see that it's being passed through to the auto scaling group.

As of today, while 1.19 is in beta, I only see that root volume encryption can be enabled, but not with a custom KMS key. Correct me if I am wrong. See the code here: 36fbf9f#diff-a0bf037707fdd86cfc323f077cc9fff8c5b3bc7dbf6bfc23cfcb6ae572ce88f3

@hakman Can you please verify the status of this?
Thanks

@scDisorder

> > So as of right now, will the root volume encryption flag use the default? Or is the flag just added to the spec, but not actively used?
> > Edit: nvm, I see that it's being passed through to the auto scaling group.
>
> As of today, while 1.19 is in beta, I only see that root volume encryption can be enabled, but not with a custom KMS key. Correct me if I am wrong. See the code here: 36fbf9f#diff-a0bf037707fdd86cfc323f077cc9fff8c5b3bc7dbf6bfc23cfcb6ae572ce88f3
>
> @hakman Can you please verify the status of this?
> Thanks

Nope, it is just a field now waiting for its realisation. I hope I'll commit it soon.

@DOboznyi
Contributor

@hakman we faced an issue where, if you add the volume encryption key and encryption itself, kops provides a new version of the launch template, but it doesn't switch the default version to the new version of the launch template. So we should do it manually.
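
As an added illustration of the launch-template check DOboznyi describes (example code, not kops code and not from anyone in this thread): the script compares a launch template's default version with its latest one and flags the case where root-volume encryption with the CMK landed in a new version that was never made the default. The version list is constructed sample data in the shape of EC2 DescribeLaunchTemplateVersions; the root device name /dev/xvda and the KMS key ARN are assumptions.

```python
"""Audit an EC2 launch template's versions for root-volume encryption with a given CMK.
Added example, not kops code. Input mirrors the "LaunchTemplateVersions" list returned by
boto3's ec2.describe_launch_template_versions(); only the fields the check reads are kept.
"""

# Constructed placeholder ARN; a real audit would pass the CMK from the InstanceGroup spec.
EXPECTED_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

SAMPLE_VERSIONS = [  # constructed: v2 carries the CMK, but $Default still points at v1
    {"VersionNumber": 1, "DefaultVersion": True,
     "LaunchTemplateData": {"BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 128}}]}},
    {"VersionNumber": 2, "DefaultVersion": False,
     "LaunchTemplateData": {"BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda",
          "Ebs": {"VolumeSize": 128, "Encrypted": True, "KmsKeyId": EXPECTED_KMS_KEY}}]}},
]

def root_ebs(version, root_device="/dev/xvda"):
    """Return the Ebs block of the root device mapping, or {} if none is set.
    The root device name is an assumption here; in practice take it from the AMI."""
    for mapping in version["LaunchTemplateData"].get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root_device:
            return mapping.get("Ebs", {})
    return {}

def is_compliant(version, kms_key_arn):
    """True only if the root volume is encrypted AND uses the expected CMK."""
    ebs = root_ebs(version)
    return bool(ebs.get("Encrypted")) and ebs.get("KmsKeyId") == kms_key_arn

def audit(versions, kms_key_arn):
    """Compare the default and latest versions; flag a default that was never moved."""
    default = next(v for v in versions if v.get("DefaultVersion"))
    latest = max(versions, key=lambda v: v["VersionNumber"])
    default_ok = is_compliant(default, kms_key_arn)
    latest_ok = is_compliant(latest, kms_key_arn)
    return {
        "default_version": default["VersionNumber"],
        "latest_version": latest["VersionNumber"],
        "default_compliant": default_ok,
        "latest_compliant": latest_ok,
        # The reported symptom: encryption landed in a new version, but the default was not moved,
        # so an ASG that launches from $Default keeps creating unencrypted root volumes.
        "stale_default": latest_ok and not default_ok and default is not latest,
    }
```

The same check applies to a real response once you pass its "LaunchTemplateVersions" list and the CMK ARN from the InstanceGroup spec.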

@hakman
Member

hakman commented Feb 16, 2021

@DOboznyi please create an issue with the simplest way to reproduce the problem and I will take a look.
