feat: Add support for creating KMS key for KMS-encrypted Volumes (cluster-nodes & PVCs) #2138
Comments
This one is quite a bit more complex and I'm not sure yet if support is possible. I will have to think on this a bit more but open to ideas here.
This issue has been automatically marked as stale because it has been open 30 days.
This issue was automatically closed because of stale in 10 days.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Is your request related to a problem? Please describe.
#2121 added support for creating a KMS key, which is then used for secrets encryption.
Now, users might also want to encrypt the EBS volumes, either with the same KMS key or with a separate one. The key needs policies so that the Autoscaler service-linked role (cluster nodes) as well as the cluster role (for PVCs) can both successfully work with these volumes.
See https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html for the required permissions (in addition to that, the cluster role needs to be added as a principal).
Describe the solution you'd like.
Either add these policies optionally to the existing key and use that key in the block_device_mappings.ebs config if none is specified, or add a second KMS key for EBS volumes.
Describe alternatives you've considered.
Up until now, I create the KMS key myself with the mentioned policies.
Additional context
Code used to create the encrypted cluster-node volumes, for which the Autoscaler service-linked role needs the permissions.
In addition, a StorageClass with encryption settings is used, for which the cluster role needs the permissions so the persistentvolume-controller can create PVCs. (The ebs-csi driver also needs the same permissions.)
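As an added example, not code from this issue or from the module it targets, here is what the requested feature could look like in plain Terraform: one KMS key whose policy follows the AWS key-policy requirements for EBS encryption linked above, with the Auto Scaling service-linked role, the cluster role and the EBS CSI driver role as principals, followed by the two consumers of that key, a launch template's block_device_mappings.ebs for node volumes and a StorageClass for PVCs. The variables cluster_role_arn, ebs_csi_role_arn and node_ami_id, the alias name and the volume sizing are assumptions for the example; the service-linked role ARN and the policy statements come from the AWS documentation.

```hcl
# Added example (not the module's code). var.* names and the alias are assumed.
variable "cluster_role_arn" { type = string }  # IAM role of the EKS control plane
variable "ebs_csi_role_arn" { type = string }  # IRSA role of the EBS CSI driver
variable "node_ami_id"      { type = string }

data "aws_caller_identity" "current" {}

locals {
  account_id          = data.aws_caller_identity.current.account_id
  autoscaling_slr_arn = "arn:aws:iam::${local.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  # Everyone who must use the key: ASG service-linked role (node volumes),
  # cluster role (in-tree PV provisioning) and EBS CSI driver (CSI PVs).
  ebs_key_users = [local.autoscaling_slr_arn, var.cluster_role_arn, var.ebs_csi_role_arn]
}

data "aws_iam_policy_document" "ebs_kms" {
  # Keep the account as key administrator; without this statement the key
  # becomes unmanageable as soon as the policy is applied.
  statement {
    sid       = "EnableKeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # Cryptographic use of the key, exactly the action set the AWS doc lists.
  statement {
    sid       = "AllowUseOfTheKey"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.ebs_key_users
    }
  }

  # EBS attaches encrypted volumes via KMS grants. Allow CreateGrant only for
  # grants made on behalf of an AWS service, as the AWS doc requires.
  statement {
    sid       = "AllowAttachmentOfPersistentResources"
    actions   = ["kms:CreateGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.ebs_key_users
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "ebs" {
  description         = "EBS encryption for cluster node volumes and PVCs"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.ebs_kms.json
}

resource "aws_kms_alias" "ebs" {
  name          = "alias/eks-ebs"  # assumed alias name
  target_key_id = aws_kms_key.ebs.key_id
}

# Consumer 1: node root volumes, via block_device_mappings.ebs on the launch
# template behind the node group / autoscaling group.
resource "aws_launch_template" "nodes" {
  name_prefix = "eks-nodes-"
  image_id    = var.node_ami_id

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size           = 50
      volume_type           = "gp3"
      encrypted             = true
      kms_key_id            = aws_kms_key.ebs.arn
      delete_on_termination = true
    }
  }
}

# Consumer 2: PVCs, via a StorageClass that asks the EBS CSI driver for
# volumes encrypted with the same key.
resource "kubernetes_storage_class" "encrypted_gp3" {
  metadata {
    name = "encrypted-gp3"
  }
  storage_provisioner = "ebs.csi.aws.com"
  reclaim_policy      = "Delete"
  volume_binding_mode = "WaitForFirstConsumer"
  parameters = {
    type      = "gp3"
    encrypted = "true"
    kmsKeyId  = aws_kms_key.ebs.arn
  }
}
```

The first variant the issue proposes, reusing the secrets-encryption key, is the same three policy statements merged into that key's existing policy instead of a second aws_kms_key. Two practical checks: KMS validates principals when the policy is applied, so the service-linked role must already exist (create it with `aws iam create-service-linked-role --aws-service-name autoscaling.amazonaws.com` if no Auto Scaling group has ever been created in the account), and the kms:GrantIsForAWSResource condition is what keeps CreateGrant limited to EBS's attach path rather than letting the listed roles delegate key use freely.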