  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-410

BYOK for encryption should encrypt the default storageclass with the same key


    • Strategic Product Work
    • OCPSTRAT-12 (OUTCOME STUB) Cloud platform activation/retention for Managed OpenShift (ROSA/ARO/OSD non-Hypershift enhancements)
    • 0% To Do, 0% In Progress, 100% Done

      1. Proposed title of this feature request
      BYOK encrypts root vols AND default storageclass

      2. What is the nature and description of the request?
      User story
      As a customer spinning up managed OpenShift clusters, if I pass a custom AWS KMS key to the installer, I expect the installer and cluster-storage-operator not only to use it to encrypt the root volumes for the nodes in the cluster, but also to apply it to encrypt the first/default (gp2 in the current case) StorageClass, so that my assumptions around passing a custom key are met.
      In the current state, if I pass a KMS key to the installer, only root volumes are encrypted with it, and the default AWS managed key is used for the default StorageClass.
      Perhaps this could be offered as a flag to set in the installer to further pass the key to the storage class, or not.

      3. Why does the customer need this? (List the business requirements here)
      To satisfy customers who wish to encrypt the volumes they own with their selected key instead of, by accident, the AWS default account key.

      4. List any affected packages or components.

      • uncertain.

      Note: this implementation should take effect on AWS, GCP and Azure (any cloud provider) equally.
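
A check for the gap described in this request, as an added example that is not part of the original issue or of OpenShift's own code: it scans StorageClass objects (shaped like `oc get storageclass -o json` output) and reports any default class that does not reference the key passed to the installer. Assumptions: the sample objects and key ARN are constructed, the function name is hypothetical, the key is written in the same form in both places, and the GCP and Azure parameter names go beyond the gp2 case in the text.

```python
import json

DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"
# StorageClass parameter that names the customer-managed key, per provisioner.
KEY_PARAM = {
    "kubernetes.io/aws-ebs": "kmsKeyId",
    "ebs.csi.aws.com": "kmsKeyId",
    "pd.csi.storage.gke.io": "disk-encryption-kms-key",
    "disk.csi.azure.com": "diskEncryptionSetID",
}

def audit_default_storageclasses(sc_list, expected_key):
    """Return (name, finding) for each default StorageClass not using expected_key."""
    findings = []
    for sc in sc_list.get("items", []):
        meta = sc.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get(DEFAULT_ANNOTATION) != "true":
            continue  # only the default class is in scope here
        key_param = KEY_PARAM.get(sc.get("provisioner"))
        if key_param is None:
            findings.append((meta.get("name"), "provisioner not recognised, key not checked"))
            continue
        actual = (sc.get("parameters") or {}).get(key_param)
        if not actual:
            findings.append((meta.get("name"), "no customer-managed key set"))
        elif actual != expected_key:
            findings.append((meta.get("name"), "uses a different key: " + actual))
    return findings

# Constructed sample, shaped like `oc get storageclass -o json` output.
INSTALLER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "gp2", "annotations":
      {"storageclass.kubernetes.io/is-default-class": "true"}},
   "provisioner": "kubernetes.io/aws-ebs",
   "parameters": {"type": "gp2", "encrypted": "true"}},
  {"metadata": {"name": "gp2-byok"},
   "provisioner": "ebs.csi.aws.com",
   "parameters": {"type": "gp2", "encrypted": "true",
                  "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}
]}
""")

if __name__ == "__main__":
    for name, finding in audit_default_storageclasses(SAMPLE, INSTALLER_KEY):
        print(name + ": " + finding)
```
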

              rh-gs-gcharot Gregory Charot
              tkatarki@redhat.com Tushar Katarki
              Penghao Wang Penghao Wang
              Matthew Werner Matthew Werner
              Jonathan Dobson Jonathan Dobson
              Eric Rich Eric Rich