OCPBUGS-60837 (OpenShift Bugs)

kms:ReEncrypt* permission is missing if using BYO encrypted AMI with BYO KMS key

Sprint: Installer Sprint 276, Installer Sprint 277

      Description of problem:

      Feature details are described in https://issues.redhat.com/browse/OCPSTRAT-2202. OCPSTRAT-2202 covers the documentation update; this bug tracks the code changes in the installer repo (and the machine API repo).
      
      Besides the official update, the installer's minimum-permission list needs to be updated as well; if the feature needs to be supported on 4.18 and earlier, the machine API operator must also be updated.
          
      Status by version (Control Plane Nodes / Compute Nodes):

      4.20 and later:
        Control plane nodes: Fail. kms:ReEncrypt* is missing from the minimum-permission list (the `create permissions-policy` command needs to know whether the BYO AMI is encrypted with a BYO KMS key).
        Compute nodes: PASS, resolved by https://github.com/openshift/machine-api-operator/pull/1370

      4.19:
        Control plane nodes: Fail, same as above.
        Compute nodes: PASS, resolved by https://github.com/openshift/machine-api-operator/pull/1371

      4.18 and earlier:
        Control plane nodes: Fail, same as above.
        Compute nodes: Fail, no backport of 1371.

       

      Version-Release number of selected component (if applicable):

      4.20

      How reproducible:

      Always

      Steps to Reproduce:

          1. Use an AMI ${ami_id} that was encrypted with the customer-managed KMS key ${kms_arn}, and reference both in install-config.yaml:

      platform:
        aws:
          defaultMachinePlatform:
            amiID: ${ami_id}
            rootVolume:
              kmsKeyARN: ${kms_arn}

          2. Run the installer (the generated minimum-permission policy lacks kms:ReEncrypt*).
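      The failure mode above is a policy that is missing one KMS action for one specific install-config shape. The following is an added example, not code from the OpenShift installer: it inspects an install-config for the BYO-AMI-plus-BYO-KMS-key combination and checks whether an IAM policy document (such as the output of `create permissions-policy`) covers the KMS actions that case needs. The install-config values and both policy documents are constructed; apart from kms:ReEncrypt*, which this bug names, the set of required KMS actions is an assumption for the example, not the installer's actual list.

```python
"""Check an IAM policy for the KMS actions a BYO encrypted AMI with a BYO KMS key needs.

Added example, not installer code. Inputs are constructed; REQUIRED_KMS_ACTIONS is an
assumption except for the kms:ReEncrypt* expansion, which the bug report identifies.
"""
import fnmatch
import json

# Constructed install-config fragment mirroring the YAML in the bug (values are placeholders).
INSTALL_CONFIG = {
    "platform": {
        "aws": {
            "defaultMachinePlatform": {
                "amiID": "ami-0000000000example",
                "rootVolume": {
                    "kmsKeyARN": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
                },
            }
        }
    }
}

# Concrete KMS actions the policy must grant for this scenario. kms:ReEncrypt* expands to
# ReEncryptFrom/ReEncryptTo (the missing permission from the bug); the rest are assumed.
REQUIRED_KMS_ACTIONS = {
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:Decrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
    "kms:CreateGrant",
}

# Constructed policy documents: the first lacks kms:ReEncrypt*, the second adds it.
POLICY_MISSING_REENCRYPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey", "kms:CreateGrant"],
     "Resource": "*"}
  ]
}""")

POLICY_FIXED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
                "kms:CreateGrant", "kms:ReEncrypt*"],
     "Resource": "*"}
  ]
}""")


def aws_machine_pools(install_config):
    """Yield every install-config section that can carry amiID and rootVolume.kmsKeyARN."""
    aws = install_config.get("platform", {}).get("aws", {})
    if "defaultMachinePlatform" in aws:
        yield "defaultMachinePlatform", aws["defaultMachinePlatform"]
    control_plane = install_config.get("controlPlane", {}).get("platform", {}).get("aws")
    if control_plane:
        yield "controlPlane", control_plane
    for index, pool in enumerate(install_config.get("compute", [])):
        pool_aws = pool.get("platform", {}).get("aws")
        if pool_aws:
            yield f"compute[{index}]", pool_aws


def uses_byo_encrypted_ami_with_byo_kms(install_config):
    """True when any machine pool sets both a custom amiID and a rootVolume.kmsKeyARN."""
    for _name, pool in aws_machine_pools(install_config):
        if pool.get("amiID") and pool.get("rootVolume", {}).get("kmsKeyARN"):
            return True
    return False


def allowed_action_patterns(policy):
    """Collect Action patterns from Allow statements (Deny statements are ignored here)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def action_is_allowed(action, patterns):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in patterns)


def missing_kms_actions(install_config, policy):
    """Return the required KMS actions the policy does not grant for this install-config.

    Returns [] when the config does not use a BYO AMI with a BYO KMS key (nothing extra needed).
    """
    if not uses_byo_encrypted_ami_with_byo_kms(install_config):
        return []
    patterns = allowed_action_patterns(policy)
    return sorted(action for action in REQUIRED_KMS_ACTIONS if not action_is_allowed(action, patterns))


if __name__ == "__main__":
    print("before fix:", missing_kms_actions(INSTALL_CONFIG, POLICY_MISSING_REENCRYPT))
    print("after fix: ", missing_kms_actions(INSTALL_CONFIG, POLICY_FIXED))
```

      The check deliberately keys on the combination of `amiID` and `rootVolume.kmsKeyARN`, which is what the `create permissions-policy` command would need to detect in order to emit kms:ReEncrypt*; a config with only one of the two is treated as not needing the extra action.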

      Actual results:

      The control plane machines cannot reach the Running state.
          

      Expected results:

      The cluster installation succeeds.
          

      Additional info:

          

      People: Patrick Dillon (padillon), Yunfei Jiang (yunjiang-1)