-
Bug
-
Resolution: Done
-
Major
-
None
-
4.19
-
Quality / Stability / Reliability
-
False
-
-
None
-
Important
-
None
-
None
-
Proposed
-
OpenShift SPLAT - Sprint 271
-
1
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
In some particular Local Zones [1], the EBS volumes are encrypted by default KMS key while copying data from the its parent zone to Local Zone, which means the machine api needs to re-encrypt the data using a custom KMS key.
e.g.
1. Copying EBS data from us-east-1-mia-1a's parent zone to us-east-1-mia-1a zone, the data is encrypted by default, if configure custom KMS in the config, we will get:
NAME PHASE TYPE REGION ZONE AGE
yunjiang-kms19b-xgkcb-edge-us-east-1-mia-1a-rw8cw Failed 75m
...
status:
conditions:
- lastTransitionTime: "2025-05-14T04:12:42Z"
status: "True"
type: Drainable
- lastTransitionTime: "2025-05-14T04:12:42Z"
message: Instance has not been created
reason: InstanceNotCreated
severity: Warning
status: "False"
type: InstanceExists
- lastTransitionTime: "2025-05-14T04:12:42Z"
status: "True"
type: Terminable
errorMessage: Instance i-0dca0fe35942f30d8 is in a terminated state
errorReason: InvalidConfiguration
lastUpdated: "2025-05-14T04:13:28Z"
phase: Failed
providerStatus:
conditions:
- lastTransitionTime: "2025-05-14T04:12:52Z"
message: Machine successfully created
reason: MachineCreationSucceeded
status: "True"
type: MachineCreation
instanceId: i-0dca0fe35942f30d8
instanceState: Unknown
After adding kms:ReEncrypt* to the machine api policy, re-created local zone machine successfully:
NAMESPACE NAME PHASE TYPE REGION ZONE AGE
openshift-machine-api yunjiang-kms19b-xgkcb-edge-us-east-1-mia-1a-zbn5h Running m5.xlarge us-east-1 us-east-1-mia-1a 18m
2. No issues in us-east-1-iah-2a zone, as the data is not encrypted while copying it from its parent zone.
[1] In the Atlanta Local Zone (us-east-1-atl-2a), the Chicago Local Zone (us-east-1-chi-2a), the Dallas Local Zone (us-east-1-dfw-2a), the Houston Local Zone (us-east-1-iah-2a), the Los Angeles Local Zones (us-west-2-lax-1a and us-west-2-lax-1b), the Miami Local Zone (us-east-1-mia-2a), and the Phoenix Local Zone (us-west-2-phx-2a), by default, the EBS volumes are not encrypted unless encryption by default is enabled for the account. In all other Local Zones, EBS volumes are encrypted by default using Amazon EBS encryption for data at rest and in transition between the Local Zone and its parent Region. By default, Amazon EBS encryption uses AWS Key Management Service (AWS KMS) and AWS managed keys. However, customers can specify customer managed keys as their default encryption key.
see https://aws.amazon.com/about-aws/global-infrastructure/localzones/faqs/
Version-Release number of selected component (if applicable):
tested with 4.19.0-0.nightly-2025-05-13-053644, but all versions that support Local Zone may be affected.
How reproducible:
Always
Steps to Reproduce:
1. Create a cluster with Local Zone node in us-east-1-mia-1a with a custom KMS key.
2.
3.
Actual results:
The machine in Local Zone can not be created.
Expected results:
The machine in Local Zone can be created even if the data is already encrypted by the default KMS key.
Additional info:
- clones
-
-
- Verified
-
- is duplicated by
-
-
- Verified
-
