[EKS] [request]: add KMS Key ID to NodeClass
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Ability to define a KMS key ID in

```yaml
apiVersion: eks.amazonaws.com/v1
kind: NodeClass
```

Which service(s) is this request for?
EKS "auto mode"

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We are forced to use customer managed keys to encrypt volumes. This is currently not supported by NodeClass of apiVersion: eks.amazonaws.com/v1.

Are you currently working around this issue?
I don't know how.
Additional context
Defining a KMS key is supported by EC2NodeClass in apiVersion: karpenter.sh/v1.
We are evaluating adding this field to NodeClass.
There is a workaround: you can follow the docs to update the policy of the role attached to the cluster
https://docs.aws.amazon.com/eks/latest/userguide/create-storage-class.html#_use_self_managed_kms_key_to_encrypt_ebs_volumes
Then enable default account-level encryption: https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html
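The key-policy statements the workaround above depends on, as an added example that is not part of this thread or of the AWS docs it links. The account ID `111122223333` and the role name `EKSClusterRole` are placeholders for the cluster IAM role. The shape is the standard EBS customer-managed-key pattern: the role gets the data-key operations it needs to encrypt and decrypt volumes, and `kms:CreateGrant` only under the `kms:GrantIsForAWSResource` condition, so the role can let EC2 attach encrypted volumes but cannot mint arbitrary grants on the key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow the EKS cluster role to use the key for EBS volumes",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/EKSClusterRole"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow grants only when created on behalf of an AWS resource",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/EKSClusterRole"
      },
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
```

These statements are appended to the key's existing policy, not used in place of it; the default `kms:*` statement for the account root must stay or the key becomes unmanageable. As the later comment in this thread about a key "owned by another team" shows, the team that owns the key has to make this change, which is exactly why a per-NodeClass key is preferable to relying on the account-wide default key.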
Currently the documentation is misleading by stating that it's possible to configure a custom KMS key for ephemeral storage.
It's here: https://docs.aws.amazon.com/eks/latest/userguide/settings-auto.html -> What features do you want to configure? -> Node networking and storage, there is an item "Configure encrypted ephemeral storage with custom KMS keys".
> We are evaluating adding this field to NodeClass.
> There is a workaround: you can follow the docs to update the policy of the role attached to the cluster
> https://docs.aws.amazon.com/eks/latest/userguide/create-storage-class.html#_use_self_managed_kms_key_to_encrypt_ebs_volumes
> Then enable default account-level encryption: https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html

This is for StorageClass; the initial request is for the EBS volume attached to the node.
> Currently the documentation is misleading by stating that it's possible to configure a custom KMS key for ephemeral storage. It's here: https://docs.aws.amazon.com/eks/latest/userguide/settings-auto.html ->
> What features do you want to configure? -> Node networking and storage, there is an item "Configure encrypted ephemeral storage with custom KMS keys".

Actually it is not; please run this command on your cluster to see the property details:

```shell
kubectl get crd nodeclasses.eks.amazonaws.com -o yaml | grep -A 5 kmsKeyID
```

It is under `.spec.ephemeralStorage.kmsKeyID`.
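A NodeClass that sets the field the command above surfaces, as an added example that is not from this thread or from the AWS docs. The role name, subnet and security-group tag values, and the key ARN are placeholders; `role`, `subnetSelectorTerms` and `securityGroupSelectorTerms` are the other spec fields as I understand the Auto Mode NodeClass schema and should be checked against the CRD on your cluster with the same `kubectl get crd` command.

```yaml
apiVersion: eks.amazonaws.com/v1
kind: NodeClass
metadata:
  name: cmk-encrypted-nodes
spec:
  # IAM role assumed by the nodes (placeholder name)
  role: AutoModeNodeRole
  subnetSelectorTerms:
    - tags:
        Name: "private-subnet"          # placeholder tag value
  securityGroupSelectorTerms:
    - tags:
        Name: "auto-mode-nodes"         # placeholder tag value
  ephemeralStorage:
    size: "80Gi"
    iops: 3000
    throughput: 125
    # Customer managed key used to encrypt the node's ephemeral EBS volume.
    # Placeholder ARN; an alias (alias/...) or key ID is also accepted.
    kmsKeyID: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
```

Two caveats from the rest of this thread apply. The field alone is not sufficient: the cluster IAM role must be allowed to use the key in the key policy (the docs linked in the workaround comment above), otherwise node launches fail at volume creation. And, as the comments below record, until the fix announced later in this thread rolled out this key covered only the ephemeral data volume, not the Bottlerocket root volume, so verify with `aws ec2 describe-volumes` on a fresh node that every attached volume reports the expected `KmsKeyId`.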
> Actually it is not; please run this command on your cluster to see the property details:

Thank you, you're right. It should have been mentioned in the NodeClass specification but it isn't.
However, even this does not fully resolve the original issue. EKS Auto Mode creates a 4Gb root volume, which cannot be encrypted via a custom KMS key. As far as I understand, in Karpenter there is blockDeviceMappings for that in EC2NodeClass.
This is available now https://docs.aws.amazon.com/eks/latest/userguide/create-node-class.html
@mikestef9 As noted in the previous comment by @ivelychko-mck, this change doesn't actually solve the original issue. It's still not possible to set the KMS key for the root volume, and so Auto Mode is unusable in our environment (the default encryption key is owned by another team, and we cannot update its policy).
Can the full blockDeviceMappings field be exposed, just as in EC2NodeClass?
Looks like we missed applying the KMS Key to the base Bottlerocket /dev/xvda volume. Working on fixing this asap.
This has been fully rolled out and addressed now. Auto Mode changelog has been updated https://docs.aws.amazon.com/eks/latest/userguide/auto-change.html
I have confirmed this is working for us now, thank you. This was the last blocker for EKS Auto Mode being usable in our environment. :-)