Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Cannot Reproduce
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: Cloud Credentials Operator
Labels:
None

Target Version:
None
Work Type:
Product / Portfolio Work
Status Summary:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Products:
None
Hierarchy Progress Bar:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
None
PX Impact Score:
PX Impact Range:
None
PX Priority Data:
None
PX Technical Impact:
None
PX Technical Impact Notes:
None
PX Scheduling Request:
None

1. Proposed title of this feature request

Additional KMS permission requirement for encrypted AMIs

2. What is the nature and description of the request?

If encrypted AMI is used in install-config.yaml during the cluster installation, it requires an extra KMS permission kms:ReEncrypt* for installation to succeed without any issues and to add the worker nodes to the cluster during installation. Currently, encrypting the AMI is not supported as there is no sensitive data stored in the AMIs.

3. Why does the customer need this? (List the business requirements here)
AMI/EBS encryption with custom key is required for security purposes.

4. List any affected packages or components.
CCO
machine-api

is related to

OCPBUGS-56225 Edge node with custom KMS key may not be created in particular edge zones due to kms:ReEncrypt* permission is missing in Machine API.

Closed

is triggering

OCPSTRAT-2202 AWS - BYO encrypted AMI documentation

links to

openshift/installer#9921: OCPBUGS-60837: include permissions for encrypted AMI

Assignee:: Marcos Entenza Garcia

Reporter:: Diksha Sharma

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/07/11 1:56 AM

Updated:: 2025/09/13 1:11 AM

Resolved:: 2025/04/22 7:43 AM

Target start:: None

Target end:: None

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates