Bug 2049872
Summary: | cluster storage operator AWS credentialsrequest lacks KMS privileges | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Dale Bewley <dbewley> |
Component: | Storage | Assignee: | Jonathan Dobson <jdobson> |
Storage sub component: | Storage | QA Contact: | Wei Duan <wduan> |
Status: | CLOSED ERRATA | Docs Contact: | Lisa Pettyjohn <lpettyjo> |
Severity: | high | ||
Priority: | high | CC: | adeshpan, aos-bugs, awestbro, jdobson, jsafrane, pkhaire, yunjiang |
Version: | 4.9 | ||
Target Milestone: | --- | ||
Target Release: | 4.11.0 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Release Note | |
Doc Text: |
The default credentials request for AWS has been modified to allow mounting of encrypted volumes using customer managed keys from KMS. Administrators who created credentials requests in manual mode with CCO will need to apply those changes manually if they intend to mount encrypted volumes using customer managed keys on AWS. Other administrators should not be impacted by this change.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-08-10 10:46:42 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2072191 |
Description
Dale Bewley
2022-02-02 20:10:48 UTC
Reproduced in 4.10.2 without fix:

```
$ oc get pvc
NAME    STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
mypvc   Pending                                      gp2-csi-enc    56m

Events:
  Type     Reason                Age                        From                                                                    Message
  ----     ------                ----                       ----                                                                    -------
  Normal   WaitForPodScheduled   52m                        persistentvolume-controller                                             waiting for pod mypod to be scheduled
  Warning  ProvisioningFailed    52m                        ebs.csi.aws.com_ip-10-0-189-237_f9750b96-cdf4-4298-b399-f67e49be6119   failed to provision volume with StorageClass "gp2-csi-enc": rpc error: code = Internal desc = Could not create volume "pvc-047ae64e-8d1c-41d1-8140-7fc91ce1541c": failed to get an available volume in EC2: InvalidVolume.NotFound: The volume 'vol-05326553803a304c6' does not exist.
           status code: 400, request id: a642efc0-7074-4acb-b0f4-869ec913cd00
  Warning  ProvisioningFailed    26m (x14 over 52m)         ebs.csi.aws.com_ip-10-0-189-237_f9750b96-cdf4-4298-b399-f67e49be6119   failed to provision volume with StorageClass "gp2-csi-enc": rpc error: code = AlreadyExists desc = Could not create volume "pvc-047ae64e-8d1c-41d1-8140-7fc91ce1541c": Parameters on this idempotent request are inconsistent with parameters used in previous request(s)
  Normal   ExternalProvisioning  <invalid> (x228 over 52m)  persistentvolume-controller                                             waiting for a volume to be created, either by external provisioner "ebs.csi.aws.com" or manually created by system administrator
  Normal   Provisioning          <invalid> (x23 over 52m)   ebs.csi.aws.com_ip-10-0-189-237_f9750b96-cdf4-4298-b399-f67e49be6119   External provisioner is provisioning volume for claim "wduan/mypvc"

[wduan@preserve-wduan-ws ~]$ oc get sc
NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   true                   3h59m
gp2-csi         ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   3h58m
gp2-csi-enc     ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   58m
gp3-csi         ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   3h58m
```

Verified pass with

```
$ oc get pvc
NAME    STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
mypvc   Bound    pvc-097f3046-495d-4b01-90a1-f21bd001bccf   2Gi        RWO            gp2-csi-enc    8m8s

$ oc get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          7m39s
```

Marked as Verified.

*** Bug 2066813 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
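For the manual-mode case in the Doc Text above, an added example (not part of this bug report or of the OpenShift fix) that audits a hand-maintained CredentialsRequest for KMS actions, honouring IAM wildcards. Assumptions: the action list is the one AWS documents for EBS volumes encrypted with customer managed keys, not the list from the fix, and both sample manifests and the name `example-ebs-csi` are constructed.

```python
import fnmatch
import json

# Assumption: actions AWS documents for EBS with a customer managed key.
# Not taken from the bug report; pass the list from your release's manifest.
ASSUMED_KMS_ACTIONS = (
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo",
)

def allowed_patterns(credentials_request):
    """Collect lower-cased action patterns from Allow entries of the providerSpec."""
    spec = credentials_request.get("spec", {}).get("providerSpec", {})
    patterns = []
    for entry in spec.get("statementEntries", []):
        if entry.get("effect") != "Allow":
            continue  # Deny entries and resource scoping are not evaluated here
        actions = entry.get("action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(a.lower() for a in actions)
    return patterns

def missing_kms_actions(credentials_request, required=ASSUMED_KMS_ACTIONS):
    """Return required actions that no Allow entry grants (IAM names are case-insensitive)."""
    patterns = allowed_patterns(credentials_request)
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]

def sample(actions):
    """Constructed manifest, shaped like `oc get credentialsrequest -o json` output."""
    return json.loads(json.dumps({
        "apiVersion": "cloudcredential.openshift.io/v1",
        "kind": "CredentialsRequest",
        "metadata": {"name": "example-ebs-csi"},  # constructed name
        "spec": {"providerSpec": {
            "kind": "AWSProviderSpec",
            "statementEntries": [
                {"effect": "Allow", "action": actions, "resource": "*"}]}},
    }))

# Constructed inputs: EC2-only, partially updated, and fully updated requests.
SAMPLE_EC2_ONLY = sample(["ec2:CreateVolume", "ec2:AttachVolume"])
SAMPLE_PARTIAL = sample(["ec2:CreateVolume", "kms:Describe*", "KMS:decrypt"])
SAMPLE_UPDATED = sample(["ec2:CreateVolume", "kms:CreateGrant", "kms:Decrypt",
                         "kms:DescribeKey", "kms:GenerateDataKey*", "kms:ReEncrypt*"])

if __name__ == "__main__":
    for name in ("SAMPLE_EC2_ONLY", "SAMPLE_PARTIAL", "SAMPLE_UPDATED"):
        print(name, "missing:", missing_kms_actions(globals()[name]))
```

An empty result means only that the actions are listed; the key policy on the KMS key itself must also permit the role.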