Bug 1900454 - Enable host-based disk encryption on Azure platform
Summary: Enable host-based disk encryption on Azure platform
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.7
Hardware: All
OS: Linux
Target Milestone: ---
: 4.8.0
Assignee: Joel Speed
QA Contact: Milind Yadav
Depends On:
Blocks: 1929721
TreeView+ depends on / blocked
Reported: 2020-11-23 05:05 UTC by Denis
Modified: 2021-07-27 22:34 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-07-27 22:34:24 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-api-provider-azure pull 183 0 None closed BUG 1900454: Add SecurityProfile.EncryptionAtHost parameter to enable host-based VM encryption 2021-02-19 12:07:54 UTC
Github openshift machine-api-operator pull 801 0 None closed Update capz for disk encryption 2021-03-03 08:12:09 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:34:53 UTC

Description Denis 2020-11-23 05:05:43 UTC
Description of problem:

Customers are requesting "encryption at host" feature on Azure to enable encryption of hypervisor-local resources including scratch volumes.

This feature is already supported in other cloud offerings (AKS) and we need to include this feature to arrive at parity.

Version-Release number of selected component (if applicable):
4.6, 4.7

How reproducible:

Steps to Reproduce:

Actual results:
This does not work on the current release.

Expected results:
The cloud provider code supports this feature.

Additional info:
A possible solution is to add an optional parameter into machine specification which can be used to prepare the appropriate Azure API request. I made a PRfor the change which can be found here: https://github.com/openshift/cluster-api-provider-azure/pull/183.

Comment 1 Michael McCune 2020-12-04 21:30:42 UTC
the PR associated with this issue is still under review

Comment 2 Joel Speed 2020-12-17 17:13:41 UTC
We are deferring this feature to 4.8

Comment 3 Joel Speed 2021-01-06 11:26:23 UTC
As this is being deferred, unsetting target release for now

Comment 11 Milind Yadav 2021-02-22 10:58:02 UTC
Validated on : 
[miyadav@miyadav ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-02-21-102854   True        False         45m     Cluster version is 4.8.0-0.nightly-2021-02-21-102854

Steps :

1. Copy the exiting machineset that comes with IPI installation 

oc get machineset <machineset-name> -o yaml > new_encrypt_at_rest.yaml

[miyadav@miyadav ~]$ oc get machineset
oc NAME                                       DESIRED   CURRENT   READY   AVAILABLE   AGE
miyadav-2202-5n7qm-worker-northcentralus   3         3         3       3           52m
[miyadav@miyadav ~]$ oc get machineset miyadav-2202-5n7qm-worker-northcentralus -o yaml > rhv/azure/encry_ms.yaml

2.create new machineset after replacing below values : 
name -> as per choice , replicas -> as per choice

Add below to spec section values :
 publicIP: false
                  encryptionAtHost: true


Run oc create -f new_encrypt_at_rest.yaml 

3.Describe the created machine

Expected and Actual result:
[miyadav@miyadav ~]$ oc describe machine miyadav-2202-5n7qm-worker-northcentralus-e-nk4zv | grep -i "Encryption" 
        Encryption At Host:  true

Additional Info :


Comment 14 errata-xmlrpc 2021-07-27 22:34:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.