Description of problem:
Customers are requesting "encryption at host" feature on Azure to enable encryption of hypervisor-local resources including scratch volumes. This feature is already supported in other cloud offerings (AKS) and we need to include this feature to arrive at parity.

Version-Release number of selected component (if applicable):
4.6, 4.7

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
This does not work on the current release.

Expected results:
The cloud provider code supports this feature.

Additional info:
A possible solution is to add an optional parameter into machine specification which can be used to prepare the appropriate Azure API request. I made a PR for the change which can be found here: https://github.com/openshift/cluster-api-provider-azure/pull/183.
The PR associated with this issue is still under review.
We are deferring this feature to 4.8.
As this is being deferred, unsetting target release for now.
Validated on:

[miyadav@miyadav ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-02-21-102854   True        False         45m     Cluster version is 4.8.0-0.nightly-2021-02-21-102854

Steps:

1. Copy the existing machineset that comes with IPI installation

oc get machineset <machineset-name> -o yaml > new_encrypt_at_rest.yaml

example -

[miyadav@miyadav ~]$ oc get machineset oc
NAME                                       DESIRED   CURRENT   READY   AVAILABLE   AGE
miyadav-2202-5n7qm-worker-northcentralus   3         3         3       3           52m
[miyadav@miyadav ~]$ oc get machineset miyadav-2202-5n7qm-worker-northcentralus -o yaml > rhv/azure/encry_ms.yaml

2. Create new machineset after replacing below values:
name -> as per choice, replicas -> as per choice

Add below to spec section values:

. . .
publicIP: false
securityProfile:
  encryptionAtHost: true
. .

Run oc create -f new_encrypt_at_rest.yaml

3. Describe the created machine

Expected and Actual result:

[miyadav@miyadav ~]$ oc describe machine miyadav-2202-5n7qm-worker-northcentralus-e-nk4zv | grep -i "Encryption"
Encryption At Host: true

Additional Info:
Moved to VERIFIED
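An added example, not part of the original bug comments or the provider's code: a Python check that reads `oc get machineset -o json` output and reports, per machineset, whether `securityProfile.encryptionAtHost` is set as in the verification steps above. The field path under `spec.template.spec.providerSpec.value` is an assumption about the MachineSet layout, and the sample data and machineset names are constructed.

```python
import json
import sys

# Constructed sample shaped like `oc get machineset -o json`; names are made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "MachineSet", "metadata": {"name": "example-worker-a"},
   "spec": {"template": {"spec": {"providerSpec": {"value": {
     "publicIP": false, "securityProfile": {"encryptionAtHost": true}}}}}}},
  {"kind": "MachineSet", "metadata": {"name": "example-worker-b"},
   "spec": {"template": {"spec": {"providerSpec": {"value": {
     "publicIP": false, "securityProfile": {"encryptionAtHost": false}}}}}}},
  {"kind": "MachineSet", "metadata": {"name": "example-worker-c"},
   "spec": {"template": {"spec": {"providerSpec": {"value": {"publicIP": false}}}}}}
]}
""")

# Assumed location of the provider settings inside a MachineSet object.
PATH = ("spec", "template", "spec", "providerSpec", "value", "securityProfile")


def encryption_state(machineset):
    """Return 'enabled', 'disabled' or 'unset' for one MachineSet object."""
    node = machineset
    for key in PATH:
        node = node.get(key) if isinstance(node, dict) else None
    flag = node.get("encryptionAtHost") if isinstance(node, dict) else None
    if flag is None:
        return "unset"  # optional field omitted anywhere along the path
    return "enabled" if flag is True else "disabled"


def audit(doc):
    """Map machineset name -> state; accepts a List or a single MachineSet."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return {ms["metadata"]["name"]: encryption_state(ms) for ms in items}


def non_compliant(doc):
    """Names of machinesets whose machines would not request host encryption."""
    return sorted(name for name, state in audit(doc).items() if state != "enabled")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional path to saved `oc ... -o json` output
        with open(sys.argv[1]) as fh:
            SAMPLE = json.load(fh)
    for name, state in sorted(audit(SAMPLE).items()):
        print(f"{name}\t{state}")
    sys.exit(1 if non_compliant(SAMPLE) else 0)
```

The non-zero exit status when any machineset is "disabled" or "unset" lets the check gate a pipeline step.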
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438