OpenShift Container Platform (OCP) Strategy
OCPSTRAT-410

BYOK for encryption should encrypt the default storageclass with the same key

    • OCPSTRAT-12(OUTCOME STUB) Cloud platform activation/retention for Managed OpenShift (ROSA/ARO/OSD non-Hypershift enhancements)
    • 0% To Do, 0% In Progress, 100% Done
    • 0

      1. Proposed title of this feature request
      BYOK encrypts root vols AND default storageclass

      2. What is the nature and description of the request?
      User story
      As a customer spinning up managed OpenShift clusters, if I pass a custom AWS KMS key to the installer, I expect it (installer and cluster-storage-operator) to not only encrypt the root volumes for the nodes in the cluster, but also be applied to encrypt the first/default (gp2 in current case) StorageClass, so that my assumptions around passing a custom key are met.
      In current state, if I pass a KMS key to the installer, only root volumes are encrypted with it, and the default AWS managed key is used for the default StorageClass.
      Perhaps this could be offered as a flag to set in the installer to further pass the key to the storage class, or not.

      3. Why does the customer need this? (List the business requirements here)
      To satisfy customers who wish to encrypt the volumes they own with the key they selected, rather than, by accident, the AWS default account key.

      4. List any affected packages or components.

      • uncertain.

      Note: this implementation should take effect on AWS, GCP and Azure (any cloud provider) equally.
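The gap the user story describes (root volumes pinned to the customer KMS key, default StorageClass left on the AWS-managed key) is straightforward to check for on an existing cluster. The following is an added example written for this page, not code from the installer or cluster-storage-operator: it takes StorageClass objects in the shape `oc get storageclass -o json` returns under `items`, finds the class carrying the `storageclass.kubernetes.io/is-default-class` annotation, and reports whether its AWS EBS parameters (`encrypted` / `kmsKeyId`, which both the in-tree `kubernetes.io/aws-ebs` and the `ebs.csi.aws.com` provisioners accept) name the expected customer-managed key. The sample objects and the key ARN are constructed placeholders.

```python
"""Audit StorageClass objects for customer-managed (BYOK) KMS encryption.

Added example for the feature request above; not code from the installer or
cluster-storage-operator. Input is a list of StorageClass dicts in the shape
`oc get storageclass -o json` prints under "items".
"""
import json

DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"

# Provisioners whose parameters use `encrypted` / `kmsKeyId` (AWS EBS in-tree and CSI).
AWS_EBS_PROVISIONERS = {"kubernetes.io/aws-ebs", "ebs.csi.aws.com"}


def is_default(sc):
    """True when the class is annotated as the cluster's default StorageClass."""
    annotations = sc.get("metadata", {}).get("annotations") or {}
    return annotations.get(DEFAULT_ANNOTATION, "").lower() == "true"


def kms_status(sc):
    """Classify a StorageClass as one of:
    'not-aws-ebs', 'unencrypted', 'aws-managed-key', 'customer-key'."""
    if sc.get("provisioner") not in AWS_EBS_PROVISIONERS:
        return "not-aws-ebs"
    params = sc.get("parameters") or {}
    if params.get("encrypted", "false").lower() != "true":
        # No encryption requested at the class level. Account-wide EBS default
        # encryption may still encrypt the volume, but then with the account
        # default key, not the customer-selected one.
        return "unencrypted"
    if not params.get("kmsKeyId"):
        # encrypted: "true" without a key means the AWS-managed aws/ebs key.
        return "aws-managed-key"
    return "customer-key"


def audit(items, expected_key):
    """Return (name, status, reason) for every default class that is not
    bound to expected_key; an empty list means the BYOK expectation holds."""
    findings = []
    for sc in items:
        if not is_default(sc):
            continue
        name = sc["metadata"]["name"]
        status = kms_status(sc)
        key = (sc.get("parameters") or {}).get("kmsKeyId")
        if status == "customer-key" and key == expected_key:
            continue
        reason = {
            "not-aws-ebs": "provisioner is not AWS EBS; check its own encryption parameters",
            "unencrypted": "class does not set encrypted=true; volumes fall back to the account default",
            "aws-managed-key": "encrypted but no kmsKeyId; the AWS-managed aws/ebs key is used",
            "customer-key": f"kmsKeyId {key} differs from the expected key",
        }[status]
        findings.append((name, status, reason))
    return findings


def load_items(text):
    """Parse the JSON that `oc get storageclass -o json` prints and return its items."""
    return json.loads(text).get("items", [])


# Constructed sample objects, not real cluster output. The ARN is a placeholder.
EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUSTOMER-KEY"

SAMPLE_ITEMS = [
    {   # the default gp2 class as the user story describes it: no KMS parameters at all
        "metadata": {"name": "gp2", "annotations": {DEFAULT_ANNOTATION: "true"}},
        "provisioner": "kubernetes.io/aws-ebs",
        "parameters": {"type": "gp2"},
    },
    {   # a class that does what the request asks for, but is not the default
        "metadata": {"name": "gp3-byok", "annotations": {}},
        "provisioner": "ebs.csi.aws.com",
        "parameters": {"type": "gp3", "encrypted": "true", "kmsKeyId": EXPECTED_KEY},
    },
]

if __name__ == "__main__":
    for name, status, reason in audit(SAMPLE_ITEMS, EXPECTED_KEY):
        print(f"{name}: {status}: {reason}")
```

Against a live cluster, feed `oc get storageclass -o json` through `load_items` and pass the installer's KMS key ARN as `expected_key`; on the current behaviour the default `gp2` class is reported as `unencrypted`, which is exactly the mismatch between root-volume and StorageClass encryption that the request wants closed.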

            Gregory Charot
            Tushar Katarki
            Penghao Wang
            Matthew Werner
            Jonathan Dobson
            Eric Rich