OpenShift Bugs / OCPBUGS-56225

Edge node with custom KMS key may not be created in particular edge zones due to kms:ReEncrypt* permission is missing in Machine API.


      Description of problem:

      In some particular Local Zones [1], the EBS volumes are encrypted by the default KMS key while copying data from their parent zone to the Local Zone, which means the Machine API needs to re-encrypt the data using the custom KMS key.
      
      e.g.
      1. When copying EBS data from us-east-1-mia-1a's parent zone to the us-east-1-mia-1a zone, the data is encrypted by default; if a custom KMS key is configured in the config, we will get:
      
      NAME                                            	PHASE 	TYPE     	REGION  	ZONE     	AGE
      yunjiang-kms19b-xgkcb-edge-us-east-1-mia-1a-rw8cw   Failed                                      	75m
      ...
      
      status:
        conditions:
        - lastTransitionTime: "2025-05-14T04:12:42Z"
          status: "True"
          type: Drainable
        - lastTransitionTime: "2025-05-14T04:12:42Z"
          message: Instance has not been created
          reason: InstanceNotCreated
          severity: Warning
          status: "False"
          type: InstanceExists
        - lastTransitionTime: "2025-05-14T04:12:42Z"
          status: "True"
          type: Terminable
        errorMessage: Instance i-0dca0fe35942f30d8 is in a terminated state
        errorReason: InvalidConfiguration
        lastUpdated: "2025-05-14T04:13:28Z"
        phase: Failed
        providerStatus:
          conditions:
          - lastTransitionTime: "2025-05-14T04:12:52Z"
            message: Machine successfully created
            reason: MachineCreationSucceeded
            status: "True"
            type: MachineCreation
          instanceId: i-0dca0fe35942f30d8
          instanceState: Unknown
      
      After adding kms:ReEncrypt* to the Machine API policy, the Local Zone machine was re-created successfully:
      
      NAMESPACE           	NAME                                            	PHASE 	TYPE     	REGION  	ZONE           	AGE
      openshift-machine-api   yunjiang-kms19b-xgkcb-edge-us-east-1-mia-1a-zbn5h   Running   m5.xlarge	us-east-1   us-east-1-mia-1a   18m
      
      2. No issues in us-east-1-iah-2a zone, as the data is not encrypted while copying it from its parent zone.
      
      [1] In the Atlanta Local Zone (us-east-1-atl-2a), the Chicago Local Zone (us-east-1-chi-2a), the Dallas Local Zone (us-east-1-dfw-2a), the Houston Local Zone (us-east-1-iah-2a), the Los Angeles Local Zones (us-west-2-lax-1a and us-west-2-lax-1b), the Miami Local Zone (us-east-1-mia-2a), and the Phoenix Local Zone (us-west-2-phx-2a), by default, the EBS volumes are not encrypted unless encryption by default is enabled for the account. In all other Local Zones, EBS volumes are encrypted by default using Amazon EBS encryption for data at rest and in transition between the Local Zone and its parent Region. By default, Amazon EBS encryption uses AWS Key Management Service (AWS KMS) and AWS managed keys. However, customers can specify customer managed keys as their default encryption key.
      
      see https://aws.amazon.com/about-aws/global-infrastructure/localzones/faqs/
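      The fix described above is an IAM permission gap: the policy used by the Machine API must grant kms:ReEncrypt* (which expands to kms:ReEncryptFrom and kms:ReEncryptTo) for the cross-zone EBS copy to succeed with a customer managed key. The following is an added example, not code from this bug report or from OpenShift: a small audit that loads an IAM policy document and reports which of those two actions it does not allow, honouring wildcard actions and explicit Deny statements. The three policy documents, the account id and the key id in it are constructed for illustration and are not the real Machine API policy; the check deliberately ignores Resource and Condition elements, so it is an assumption that the key ARN and conditions are already correct.

```python
"""Audit an IAM policy document for the KMS re-encrypt actions an EBS cross-zone copy needs."""
import fnmatch
import json

# "kms:ReEncrypt*" expands to exactly these two IAM actions.
REQUIRED_REENCRYPT_ACTIONS = ("kms:ReEncryptFrom", "kms:ReEncryptTo")

# Constructed sample: the usual EBS/KMS actions, but no ReEncrypt* (the failing case).
# Parsed from JSON to mirror reading a policy file exported from the account.
POLICY_WITHOUT_REENCRYPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
                "kms:CreateGrant", "kms:Decrypt", "kms:Encrypt"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"}
  ]
}
""")

# Constructed sample: the same policy with kms:ReEncrypt* added (the fixed case).
POLICY_WITH_REENCRYPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
                    "kms:CreateGrant", "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*"],
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
    ],
}

# Constructed sample: a broad Allow partly undone by an explicit Deny, to show that
# a wildcard grant is not enough if a Deny elsewhere wins.
POLICY_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:ReEncryptTo", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/NotAction/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, action):
    """IAM action matching is case-insensitive and supports the * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, actions):
    """Return the subset of `actions` the policy allows: an Allow must match and no Deny may match.

    Only Effect, Action and NotAction are evaluated; Resource and Condition are ignored,
    so this is a necessary check on action coverage, not a full policy simulation.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        for action in actions:
            if patterns:
                hit = any(_pattern_matches(p, action) for p in patterns)
            else:
                # NotAction: the statement applies to every action NOT listed.
                hit = not any(_pattern_matches(p, action) for p in not_patterns)
            if not hit:
                continue
            (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return allowed - denied


def missing_reencrypt_actions(policy):
    """Sorted list of the kms:ReEncrypt* actions the policy does not effectively grant."""
    granted = allowed_actions(policy, REQUIRED_REENCRYPT_ACTIONS)
    return sorted(set(REQUIRED_REENCRYPT_ACTIONS) - granted)


if __name__ == "__main__":
    for name, policy in [("without ReEncrypt*", POLICY_WITHOUT_REENCRYPT),
                         ("with ReEncrypt*", POLICY_WITH_REENCRYPT),
                         ("with explicit Deny", POLICY_WITH_DENY)]:
        missing = missing_reencrypt_actions(policy)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

      Running the script against the first policy reports both re-encrypt actions as missing, which is the state that produces the InvalidConfiguration failure above; the second policy passes; the third shows why an audit has to apply Deny statements before trusting a kms:* grant.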
      
          

      Version-Release number of selected component (if applicable):

      Tested with 4.19.0-0.nightly-2025-05-13-053644, but all versions that support Local Zones may be affected.
          

      How reproducible:

      Always
          

      Steps to Reproduce:

          1. Create a cluster with a Local Zone node in us-east-1-mia-1a with a custom KMS key.
          

      Actual results:

      The machine in the Local Zone cannot be created.
      
          

      Expected results:

      The machine in the Local Zone can be created even if the data is already encrypted by the default KMS key.
      
          

      Additional info:

      
          

      People: Marco Braga (rhn-support-mrbraga), Yunfei Jiang (yunjiang-1)