Epic
Resolution: Done
Critical
Enable Google customer managed keys for disk encryption at install
OCPPLAN-5039 - Bring your own Key for OpenShift/GCP IPI
Goal:
As an administrator, I would like to deploy OpenShift 4 on Google Cloud with VM disk encryption leveraging a user-managed encryption key.
Problem:
Many organizations require the disks on their application nodes to be encrypted with a pre-defined, user-managed key. Today, OpenShift supports encryption at rest only with platform-managed keys; user-managed keys are not supported.
Why is this important:
- Many corporate security policies mandate disk encryption on their application nodes. Without this support, many organizations are blocked from adopting OpenShift 4 on Google.
Lifecycle Information:
- Core
Previous Work:
Dependencies:
Prioritized epics + deliverables (in scope / not in scope):
Estimate (XS, S, M, L, XL, XXL):
Customers:
Open questions:
Implementation:
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform:
    gcp:
      osDisk:
        diskType: pd-standard
        diskSizeGB: 512
        encryptionKey:
          kmsKey:
            keyRing: <key ring name>
            location: <global or us-central1 etc>
            name: <key name>
            projectID: <projectID>
          # Optional string. This has no effect at install time; it is for 2nd day operations.
          kmsKeyServiceAccount: <service account>
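
A pre-install check for the stanza above, added here as an example and not taken from the epic or the installer: it walks each machine pool of an already-parsed install-config, builds the Cloud KMS resource name from the kmsKey fields, and reports pools that would be created without a user-managed key. The function names, the sample values and the inclusion of a controlPlane pool are assumptions made for illustration.

```python
import re

# Cloud KMS resource IDs: letters, digits, underscore, hyphen; 1-63 characters.
_ID = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
_REQUIRED = ("projectID", "location", "keyRing", "name")

def kms_key_resource(kms_key):
    """Return the Cloud KMS resource name for a kmsKey mapping, or raise ValueError."""
    for field in _REQUIRED:
        value = kms_key.get(field)
        if not isinstance(value, str) or not value:
            raise ValueError(f"kmsKey.{field} is missing")
        if value.startswith("<"):
            raise ValueError(f"kmsKey.{field} is still a placeholder")
    for field in ("location", "keyRing", "name"):
        if not _ID.match(kms_key[field]):
            raise ValueError(f"kmsKey.{field} is not a valid KMS resource ID")
    return ("projects/{projectID}/locations/{location}"
            "/keyRings/{keyRing}/cryptoKeys/{name}").format(**kms_key)

def audit_pools(install_config):
    """Map each machine pool name to its KMS key resource name or a finding."""
    pools = list(install_config.get("compute") or [])
    if install_config.get("controlPlane"):  # assumption: control plane audited too
        pools.append(install_config["controlPlane"])
    report = {}
    for pool in pools:
        name = pool.get("name", "?")
        os_disk = ((pool.get("platform") or {}).get("gcp") or {}).get("osDisk") or {}
        kms_key = (os_disk.get("encryptionKey") or {}).get("kmsKey")
        try:
            if not kms_key:
                raise ValueError("no encryptionKey.kmsKey, disk uses a platform-managed key")
            report[name] = kms_key_resource(kms_key)
        except ValueError as err:
            report[name] = f"FINDING: {err}"
    return report

# Constructed sample: an install-config already parsed into a dict (values are made up).
SAMPLE = {
    "compute": [{"name": "worker", "platform": {"gcp": {"osDisk": {
        "diskType": "pd-standard", "diskSizeGB": 512,
        "encryptionKey": {"kmsKey": {
            "keyRing": "ocp-ring", "location": "us-central1",
            "name": "worker-key", "projectID": "example-project"}}}}}}],
    "controlPlane": {"name": "master", "platform": {"gcp": {"osDisk": {"diskSizeGB": 128}}}},
}
for pool, result in audit_pools(SAMPLE).items():
    print(f"{pool}: {result}")
```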