Uploaded image for project: 'OpenShift Installer'
  1. OpenShift Installer
  2. CORS-1494

Enable Azure DiskEncryptionSets at install time

XMLWordPrintable

    • RFE: Enable Azure DiskEncryptionSets at Install time
    • BU Product Work
    • Done
    • OCPSTRAT-308 - Azure Security Enhancements
    • Impediment
    • OCPSTRAT-308Azure Security Enhancements
    • 0% To Do, 0% In Progress, 100% Done
    • ARO

      Goal:

      As an administrator, I would like to deploy OpenShift 4 on Microsoft Azure with VM disk encryption leveraging a user-managed encryption key.

      Problem:

      Many organizations require disks to be encrypted on their application nodes using a pre-defined, user-managed key. Today, OpenShift only supports encryption at rest with platform managed keys using Azure's Server-Side Encryption service,  but we do not support the use of DiskEncryptionSets with user-managed keys.

      OpenShift should be able to handle three scenarios:

      1. Deploy OpenShift VM's with SSE enabled using platform-managed keys (default)
      2. Adopt an existing, user-managed DiskEncryptionSet + Key Vault associated with a specific RG prior to installing the cluster.

      Why is this important:

      • Many corporate security policies mandate disk encryption on their application nodes. Without this support, it's blocking the adopt of OpenShift 4 on Azure for many organizations.

      Lifecycle Information:

      • Core

      Previous Work:

      Dependencies:

      • Machine API (for providing DiskEncryptionSet to newly created nodes)
      • Control Plane Node recovery process (so new control plane nodes use the DiskEncryptionSet)

      Prioritized epics + deliverables (in scope / not in scope):

      • Add Azure install-config option to provide a user-managed DiskEncryptionSet + Key Vault & Key that will be used for VM creation
      • Provision and assign RHCOS nodes to the user-managed DiskEncryptionSet
      • Document how to configure DiskEncryptionSet + Key Vault & Key on Azure at install time
      • Integrate into CI framework for ensuring root volumes are being encrypted with user-managed encryption key at install time

      Estimate (XS, S, M, L, XL, XXL): L

       

      Customers:

       

      Open questions:

       

          There are no Sub-Tasks for this issue.

              jhixson_redhat John Hixson
              mak.redhat.com Marcos Entenza Garcia
              Mike Gahagan Mike Gahagan
              Votes:
              6 Vote for this issue
              Watchers:
              27 Start watching this issue

                Created:
                Updated:
                Resolved: