Bug 1738354 - AWS encrypt root volumes for compute machines
Summary: AWS encrypt root volumes for compute machines
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.2.0
Assignee: W. Trevor King
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-06 22:31 UTC by W. Trevor King
Modified: 2019-08-19 17:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 17:52:28 UTC
Target Upstream Version:


Links:
GitHub openshift/installer pull 2160 (last updated 2019-08-06 22:32:25 UTC)

Description W. Trevor King 2019-08-06 22:31:48 UTC
Description of problem:

AWS clusters installed by the cluster have never had .  Since bug 1734193 was fixed, we can ask the machine-API provider to provision workers with encrypted root volumes even for Machine(Set)s that use unencrypted AMIs [1].  Questions are:

1. Do we want encrypted root volumes on compute machines?  We already encrypt root volumes for the bootstrap and control-plane machines (via copy-and-encrypted AMIs for those Terraform-provisioned machines).  When this is just a question of setting a property in the compute MachineSets, I don't see why we wouldn't want encrypted compute machines.
2. If we do want encrypted compute machines, do we want to backport that to previous releases?  I don't really care about this point.  Folks who are installing new clusters are unlikely to stick to 4.1 for long after 4.2 is out.  Folks who installed a 4.1 cluster and subsequently upgrade it will likely continue to upgrade through 4.2 (although you'd need some non-installer component if you wanted to get encrypted instances after an upgrade).  Folks who installed a 4.1 cluster and who never upgrade it aren't going to get new cluster behavior however we provide it.  I'm fine backporting the small fix to 4.1.z so new-cluster folks can benefit without having to wait for 4.2.0.  But I'm also fine leaving the old branches alone.

Thoughts?

[1]: https://github.com/openshift/installer/pull/2160
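The "property in the compute MachineSets" referred to above is the per-block-device `encrypted` flag of the AWS machine-API provider spec. The fragment below is an added illustration, not code from the bug or from PR 2160; the MachineSet name, AMI id, subnet and region values are placeholders, and the field layout assumes the `AWSMachineProviderConfig` schema used by the 4.x machine-API AWS provider.

```yaml
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  name: example-worker-us-east-1a          # placeholder MachineSet name
  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-machineset: example-worker-us-east-1a
  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-machineset: example-worker-us-east-1a
    spec:
      providerSpec:
        value:
          apiVersion: awsproviderconfig.openshift.io/v1beta1
          kind: AWSMachineProviderConfig
          ami:
            id: ami-00000000000000000         # placeholder: an unencrypted RHCOS AMI
          instanceType: m5.large
          placement:
            availabilityZone: us-east-1a      # placeholder
            region: us-east-1                 # placeholder
          blockDevices:
            - ebs:
                volumeSize: 120
                volumeType: gp2
                # Without this line the root volume inherits the encryption state
                # of the AMI, so an unencrypted AMI yields an unencrypted root disk.
                # Setting it asks the provider to encrypt the volume at launch,
                # which is what the bug proposes for compute machines.
                encrypted: true
```

To audit an existing cluster for the gap the bug describes, `aws ec2 describe-volumes --query 'Volumes[?Encrypted==`false`].[VolumeId,Attachments[0].InstanceId]'` lists any unencrypted volumes and the instances they are attached to.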

Comment 1 Scott Dodson 2019-08-19 17:52:28 UTC
This is an RFE, will track via JIRA if and when this is requested by PM.

