- Bug
- Resolution: Done
- Major
- 4.19
- Quality / Stability / Reliability
- Important
- Proposed
- OpenShift SPLAT - Sprint 271
Description of problem:

In some Local Zones [1], EBS volumes are encrypted with the default KMS key while their data is copied from the parent zone to the Local Zone, which means the Machine API needs to re-encrypt that data with the custom KMS key. For example:

1. When EBS data is copied from the parent zone of us-east-1-mia-1a into the us-east-1-mia-1a zone, it is already encrypted by default, so if a custom KMS key is configured we get:

    NAME                                               PHASE   TYPE  REGION  ZONE  AGE
    yunjiang-kms19b-xgkcb-edge-us-east-1-mia-1a-rw8cw  Failed                      75m
    ...
    status:
      conditions:
      - lastTransitionTime: "2025-05-14T04:12:42Z"
        status: "True"
        type: Drainable
      - lastTransitionTime: "2025-05-14T04:12:42Z"
        message: Instance has not been created
        reason: InstanceNotCreated
        severity: Warning
        status: "False"
        type: InstanceExists
      - lastTransitionTime: "2025-05-14T04:12:42Z"
        status: "True"
        type: Terminable
      errorMessage: Instance i-0dca0fe35942f30d8 is in a terminated state
      errorReason: InvalidConfiguration
      lastUpdated: "2025-05-14T04:13:28Z"
      phase: Failed
      providerStatus:
        conditions:
        - lastTransitionTime: "2025-05-14T04:12:52Z"
          message: Machine successfully created
          reason: MachineCreationSucceeded
          status: "True"
          type: MachineCreation
        instanceId: i-0dca0fe35942f30d8
        instanceState: Unknown

   After adding kms:ReEncrypt* to the Machine API policy, the Local Zone machine was re-created successfully:

    NAMESPACE              NAME                                               PHASE    TYPE       REGION     ZONE              AGE
    openshift-machine-api  yunjiang-kms19b-xgkcb-edge-us-east-1-mia-1a-zbn5h  Running  m5.xlarge  us-east-1  us-east-1-mia-1a  18m

2. No issues in the us-east-1-iah-2a zone, as the data is not encrypted while it is copied from its parent zone.
[1] In the Atlanta Local Zone (us-east-1-atl-2a), the Chicago Local Zone (us-east-1-chi-2a), the Dallas Local Zone (us-east-1-dfw-2a), the Houston Local Zone (us-east-1-iah-2a), the Los Angeles Local Zones (us-west-2-lax-1a and us-west-2-lax-1b), the Miami Local Zone (us-east-1-mia-2a), and the Phoenix Local Zone (us-west-2-phx-2a), by default, the EBS volumes are not encrypted unless encryption by default is enabled for the account. In all other Local Zones, EBS volumes are encrypted by default using Amazon EBS encryption for data at rest and in transition between the Local Zone and its parent Region. By default, Amazon EBS encryption uses AWS Key Management Service (AWS KMS) and AWS managed keys. However, customers can specify customer managed keys as their default encryption key. See https://aws.amazon.com/about-aws/global-infrastructure/localzones/faqs/
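An added check, not part of this bug report or of the Machine API code, that models the two conditions the report describes: whether a Local Zone encrypts EBS volumes by default (per the AWS FAQ list in [1]) and whether an IAM policy grants the kms:ReEncryptFrom and kms:ReEncryptTo actions that kms:ReEncrypt* expands to. The policy document is a constructed sample, and the key ARN used when scoping the added statement is a placeholder.

```python
import fnmatch
import json

# Local Zones the AWS FAQ cited above lists as NOT encrypting EBS volumes by
# default; every other Local Zone encrypts the copy from its parent Region.
UNENCRYPTED_BY_DEFAULT_ZONES = {
    "us-east-1-atl-2a", "us-east-1-chi-2a", "us-east-1-dfw-2a", "us-east-1-iah-2a",
    "us-west-2-lax-1a", "us-west-2-lax-1b", "us-east-1-mia-2a", "us-west-2-phx-2a",
}
# kms:ReEncrypt* expands to these two IAM actions.
REENCRYPT_ACTIONS = ("kms:ReEncryptFrom", "kms:ReEncryptTo")

# Constructed sample: a minimal machine-api policy without any ReEncrypt grant.
POLICY_BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*",
               "kms:DescribeKey", "kms:CreateGrant"],
    "Resource": "*"}]})

def zone_encrypts_by_default(zone: str) -> bool:
    return zone not in UNENCRYPTED_BY_DEFAULT_ZONES

def policy_allows(policy_json: str, action: str) -> bool:
    """True if an Allow statement matches `action` (IAM '*' wildcards, case-insensitive).
    Simplification: explicit Deny statements, Resource and Condition are not evaluated."""
    stmts = json.loads(policy_json)["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False

def missing_kms_actions(policy_json: str, zone: str) -> list:
    """Actions the Machine API role still needs to build a volume in `zone`."""
    if not zone_encrypts_by_default(zone):
        return []  # the copy from the parent zone is plaintext: nothing to re-encrypt
    return [a for a in REENCRYPT_ACTIONS if not policy_allows(policy_json, a)]

def with_reencrypt(policy_json: str, key_arn: str = "*") -> str:
    """Return the policy with kms:ReEncrypt* granted; pass the customer key ARN to scope it."""
    policy = json.loads(policy_json)
    stmts = policy["Statement"] if isinstance(policy["Statement"], list) else [policy["Statement"]]
    stmts.append({"Effect": "Allow", "Action": "kms:ReEncrypt*", "Resource": key_arn})
    policy["Statement"] = stmts
    return json.dumps(policy)
```

Scoping the added statement to the customer managed key ARN rather than "*" keeps the re-encrypt grant to the key the cluster actually uses.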
Version-Release number of selected component (if applicable):
Tested with 4.19.0-0.nightly-2025-05-13-053644, but all versions that support Local Zones may be affected.
How reproducible:
Always
Steps to Reproduce:
1. Create a cluster with a Local Zone node in us-east-1-mia-1a with a custom KMS key.
Actual results:
The machine in the Local Zone cannot be created.
Expected results:
The machine in the Local Zone can be created even if the data is already encrypted by the default KMS key.
Additional info:
- clones: OCPBUGS-56159 Edge node with custom KMS key may not be created in particular edge zones due to kms:ReEncrypt* permission is missing in Machine API. (Verified)
- is duplicated by: OCPBUGS-56159 Edge node with custom KMS key may not be created in particular edge zones due to kms:ReEncrypt* permission is missing in Machine API. (Verified)