Kops: [AWS] Feature Request: Encrypted volume support in storage-aws.addons.k8s.io
I would like the ability to have the default EBS storage class provision encrypted volumes. I image configuring this through the cluster_spec:
spec:
cloudConfig:
awsStorageEnrypted: true
Resulting in storage-aws.addons.k8s.io/v1.7.0.yaml having the encrypted: true flag:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: default
labels:
k8s-addon: storage-aws.addons.k8s.io
provisioner: kubernetes.io/aws-ebs
parameters:
type: gp2
encrypted: true
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: gp2
annotations:
storageclass.beta.kubernetes.io/is-default-class: "true"
labels:
k8s-addon: storage-aws.addons.k8s.io
provisioner: kubernetes.io/aws-ebs
parameters:
type: gp2
encrypted: true
steveruckdashel
All 21 comments
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 8 Apr 2018
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale
fejta-bot
on 8 May 2018
Regarding a workaround:
As far as I understand the code, kops will currently try to update the addon whenever the addon changes (via protokube and channels (RunApplyChannel, Addon.GetRequiredUpdates, ChannelVersion.replaces)).
This means if I change the existing storage class to be encrypted and kops updates the addon (e.g. during a Kubernetes upgrade), it will be replaced, right?
Is there a way to ensure this doesn't happen? I wouldn't like accidentally _not_ encrypting volumes after a cluster upgrade.
/remove-lifecycle rotten
mfrister
on 5 Jun 2018
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 3 Sep 2018
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
fejta-bot
on 3 Oct 2018
Can anyone tell me if there is a way to have the default storage class be encrypted without this patch?
From what I can tell the kops storage add on seems to re-configure the gp2 storage class to be marked as default even if I remove the storageclass.beta.kubernetes.io/is-default-class:"true" annotation and set another storage class as default, resulting in 2 default storage classes.
carpenterm
on 16 Oct 2018
/remove-lifecycle rotten
carpenterm
on 16 Oct 2018
@carpenterm I removed both storage classes set up by kops and recreated them with encrypted: true and things seem to be well, even across major cluster upgrades. I didn't check the code, so no promises things aren't going to break.
mfrister
on 17 Oct 2018
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 15 Jan 2019
/remove-lifecycle stale
mfrister
on 15 Jan 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 15 Apr 2019
/remove-lifecycle stale
mfrister
on 17 Apr 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 16 Jul 2019
/remove-lifecycle stale
mfrister
on 16 Jul 2019
Another workaround if you're wiling to encrypt all new EBS volumes in the region is to enable encryption by default with aws ec2 modify-ebs-default-kms-key-id. With this setting enabled, all newly provisioned EBS volumes will be encrypted by default, including volumes created through the k8s storage classes.
rifelpet
on 2 Aug 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 31 Oct 2019
/remove-lifecycle stale
mfrister
on 1 Nov 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 30 Jan 2020
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
fejta-bot
on 29 Feb 2020
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
fejta-bot
on 30 Mar 2020
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with/reopen.
Mark the issue as fresh with/remove-lifecycle rotten.Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
k8s-ci-robot
on 30 Mar 2020
Related issues
DocValerian
路
4Comments
Caskia
路
3Comments
owenmorgan
路
3Comments
thejsj
路
4Comments
rot26
路
5Comments
Most helpful comment
Another workaround if you're wiling to encrypt all new EBS volumes in the region is to enable encryption by default with
aws ec2 modify-ebs-default-kms-key-id. With this setting enabled, all newly provisioned EBS volumes will be encrypted by default, including volumes created through the k8s storage classes.