Description of problem:
AWS clusters installed by the cluster have never had . Since bug 1734193 was fixed, we can ask the machine-API provider to provision workers with encrypted root volumes even for Machine(Set)s that use unencrypted AMIs. Questions are:
1. Do we want encrypted root volumes on compute machines? We already encrypt root volumes for the bootstrap and control-plane machines (via copy-and-encrypted AMIs for those Terraform-provisioned machines). When this is just a question of setting a property in the compute MachineSets, I don't see why we wouldn't want encrypted compute machines.
2. If we do want encrypted compute machines, do we want to backport that to previous releases? I don't really care about this point. Folks who are installing new clusters are unlikely to stick to 4.1 for long after 4.2 is out. Folks who installed a 4.1 cluster and subsequently upgrade it will likely continue to upgrade through 4.2 (although you'd need some non-installer component if you wanted to get encrypted instances after an upgrade). Folks who installed a 4.1 cluster and who never upgrade it aren't going to get new cluster behavior however we provide it. I'm fine backporting the small fix to 4.1.z so new-cluster folks can benefit without having to wait for 4.2.0. But I'm also fine leaving the old branches alone.
This is an RFE, will track via JIRA if and when this is requested by PM.