Implement STOR-213 - Default Encryption for GP2 #32
Conversation
What is osd, dedicated? openshift-ansible defaulted to encrypted: false. https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_default_storage_class/defaults/main.yml#L12
Yes. Dedicated. They were changing after install for new customers. I would expect most others would as well.
In addition, we use encrypted AMIs now in AWS via the OCP 4.1 installer.
This change ensures additional EBS volumes default to encrypted as well.
OK, sgtm, let's get this change in before code freeze then... Please run
Pushed the bin change as well. Thanks!
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cuppett, wongma7 The full list of commands accepted by this bot can be found here. The pull request process is described here
Encrypting Data at Datastore Layer
In 3.x, PV encryption is enabled by default in the gp2 storage class. On a recent OCP 4.1 install, I see that the default storage class does not have it enabled:
```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: gp2
  ...
  annotations:
    storageclass.kubernetes.io/is-default-class: 'true'
  ownerReferences:
    ...
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
```
We would like to see this default storage class be encrypted by default to mirror the behavior of OSD 3.x clusters.
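As an added example (not code from this PR, the linked issue, or OpenShift itself), the script below audits `oc get storageclass -o json` output for in-tree EBS classes that do not request encryption, and produces the hardened replacement manifest with `parameters.encrypted: "true"` (optionally `kmsKeyId`), which are the in-tree `kubernetes.io/aws-ebs` provisioner's real parameter names. The StorageClass list embedded in the script is constructed to mirror the gp2 class quoted above, plus one encrypted class and one non-EBS class for contrast; the function names and the `alias/...` key id are this example's own. Two caveats the issue does not spell out: `parameters` is immutable on an existing StorageClass, so the fix is delete and recreate rather than patch, and encryption is decided when a volume is created, so PVs that already exist stay plaintext either way.

```python
"""Audit `oc get storageclass -o json` output for unencrypted in-tree EBS classes
and build a hardened replacement manifest.

Added example, not code from the PR or from OpenShift. SAMPLE_STORAGECLASS_LIST is
constructed data modelled on the gp2 class quoted in the issue.
"""
import copy
import json

# The in-tree provisioner reads its parameters as strings and parses `encrypted`
# with Go's strconv.ParseBool, so exactly these spellings mean "true".
_TRUE_VALUES = {"1", "t", "T", "TRUE", "true", "True"}

SAMPLE_STORAGECLASS_LIST = json.loads(r'''
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "storage.k8s.io/v1",
      "kind": "StorageClass",
      "metadata": {
        "name": "gp2",
        "annotations": {"storageclass.kubernetes.io/is-default-class": "true"},
        "resourceVersion": "1234",
        "uid": "00000000-0000-0000-0000-000000000000"
      },
      "provisioner": "kubernetes.io/aws-ebs",
      "parameters": {"type": "gp2"},
      "reclaimPolicy": "Delete",
      "volumeBindingMode": "WaitForFirstConsumer"
    },
    {
      "apiVersion": "storage.k8s.io/v1",
      "kind": "StorageClass",
      "metadata": {"name": "gp2-encrypted"},
      "provisioner": "kubernetes.io/aws-ebs",
      "parameters": {"type": "gp2", "encrypted": "true"},
      "reclaimPolicy": "Delete",
      "volumeBindingMode": "WaitForFirstConsumer"
    },
    {
      "apiVersion": "storage.k8s.io/v1",
      "kind": "StorageClass",
      "metadata": {"name": "local-disk"},
      "provisioner": "kubernetes.io/no-provisioner",
      "volumeBindingMode": "WaitForFirstConsumer"
    }
  ]
}
''')


def is_ebs_encrypted(sc):
    """True when an aws-ebs StorageClass unambiguously asks for encrypted volumes."""
    value = sc.get("parameters", {}).get("encrypted", "")
    return value in _TRUE_VALUES


def find_unencrypted_ebs_classes(sc_list):
    """Return (name, is_default) for every kubernetes.io/aws-ebs class that does not
    request encryption. The default class matters most: it is what a PVC without an
    explicit storageClassName gets."""
    findings = []
    for sc in sc_list.get("items", []):
        if sc.get("provisioner") != "kubernetes.io/aws-ebs":
            continue  # other provisioners have their own encryption settings
        if is_ebs_encrypted(sc):
            continue
        annotations = sc.get("metadata", {}).get("annotations", {})
        is_default = annotations.get("storageclass.kubernetes.io/is-default-class") == "true"
        findings.append((sc["metadata"]["name"], is_default))
    return findings


def harden_storageclass(sc, kms_key_id=None):
    """Return a copy of `sc` requesting encryption, with server-managed fields removed
    so it can be re-created. StorageClass `parameters` are immutable, so the live
    workflow is `oc delete sc` followed by `oc create`, not a patch."""
    hardened = copy.deepcopy(sc)
    hardened.setdefault("parameters", {})["encrypted"] = "true"
    if kms_key_id:  # optional customer-managed key instead of the account default
        hardened["parameters"]["kmsKeyId"] = kms_key_id
    # ownerReferences tied the original to its owner; the re-created object should
    # not inherit them, and the other fields are assigned by the API server.
    for field in ("resourceVersion", "uid", "creationTimestamp", "ownerReferences"):
        hardened["metadata"].pop(field, None)
    return hardened


if __name__ == "__main__":
    for name, is_default in find_unencrypted_ebs_classes(SAMPLE_STORAGECLASS_LIST):
        flag = " (cluster default)" if is_default else ""
        print(f"unencrypted EBS StorageClass: {name}{flag}")
    gp2 = SAMPLE_STORAGECLASS_LIST["items"][0]
    print(json.dumps(harden_storageclass(gp2), indent=2))
```

On a real cluster, pipe `oc get storageclass -o json` into `find_unencrypted_ebs_classes` instead of the constructed list; a class owned by an operator (the quoted gp2 carries `ownerReferences`) may be reconciled back to its managed spec after deletion, which is exactly why the default needs to change in the operator, as this PR does, rather than by hand.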