Add option for setting the volume encryption key in AWS #10359

Merged (3 commits) on Dec 8, 2020
33 changes: 26 additions & 7 deletions docs/tutorial/working-with-instancegroups.md
Expand Up @@ -234,9 +234,29 @@ spec:
rootVolumeIops: 200
```

## Encrypting the root volume
{{ kops_feature_table(kops_added_default='1.19') }}

You can encrypt the root volume _(note, presently confined to AWS)_ via the instancegroup specification.

```YAML
metadata:
name: nodes
spec:
...
role: Node
rootVolumeSize: 200
rootVolumeEncryption: true
rootVolumeEncryptionKey: arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab
```

In the above example the encryption key is optional. The default key for EBS encryption is used when not specified.
The encryption key can specified as the key ID, alias or ARN, as described in the [AWS docs](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id).

## Adding additional storage to the instance groups
{{ kops_feature_table(kops_added_default='1.12') }}

As of kOps 1.12.0 you can add additional storage _(note, presently confined to AWS)_ via the instancegroup specification.
You can add additional storage _(note, presently confined to AWS)_ via the instancegroup specification.

```YAML
---
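Review bot: "The encryption key can specified as the key ID, alias or ARN" is missing a word; it should read "can be specified as". The same paragraph should also state that `rootVolumeEncryptionKey` is only honoured when `rootVolumeEncryption: true` (the launch template builder in this PR discards the key otherwise), so a reader does not set a key alone and assume the root volume is encrypted with it.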
Expand All @@ -254,12 +274,13 @@ spec:
...
volumes:
- device: /dev/xvdd
encrypted: true
size: 20
type: gp2
encrypted: true
key: arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab
```

In AWS the above example shows how to add an additional 20gb EBS volume, which applies to each node within the instancegroup.
In AWS the above example shows how to add an additional encrypted 20gb EBS volume, which applies to each node within the instancegroup.

## Automatically formatting and mounting the additional storage

Expand Down Expand Up @@ -347,13 +368,11 @@ So the procedure is:
* Apply: `kops update cluster <clustername> --yes`
* (no instances need to be relaunched, so no rolling-update is needed)

## Creating a instance group of mixed instances types (AWS Only)
## Creating an instance group of mixed instances types (AWS Only)
{{ kops_feature_table(kops_added_default='1.12') }}

AWS permits the creation of mixed instance EC2 Autoscaling Groups using a [mixed instance policy](https://aws.amazon.com/blogs/aws/new-ec2-auto-scaling-groups-with-multiple-instance-types-purchase-options/), allowing the users to build a target capacity and make up of on-demand and spot instances while offloading the allocation strategy to AWS.

Support for mixed instance groups was added in kOps 1.12.0


```YAML
---
apiVersion: kops.k8s.io/v1alpha2
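Review bot: the heading fix changes "a instance group" to "an instance group" but leaves "mixed instances types"; while touching this line make it "mixed instance types".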
6 changes: 6 additions & 0 deletions k8s/crds/kops.k8s.io_instancegroups.yaml
Expand Up @@ -540,6 +540,9 @@ spec:
rootVolumeEncryption:
description: RootVolumeEncryption enables EBS root volume encryption for an instance
type: boolean
rootVolumeEncryptionKey:
description: RootVolumeEncryptionKey provides the key identifier for root volume encryption
type: string
rootVolumeIops:
description: If volume type is io1, then we need to specify the number of Iops.
format: int32
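Review bot: the `rootVolumeEncryptionKey` description should say which identifiers are accepted (key ID, alias or ARN, as the docs change in this PR states) and that the field is only used when `rootVolumeEncryption` is true. Since this CRD is generated from the Go type comment, make the wording change in `pkg/apis/kops/instancegroup.go` and regenerate rather than editing here.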
Expand Down Expand Up @@ -628,6 +631,9 @@ spec:
description: Iops is the provision iops for this iops (think io1 in aws)
format: int64
type: integer
key:
description: Key is the encryption key identifier for the volume
type: string
size:
description: Size is the size of the volume in GB
format: int64
1 change: 0 additions & 1 deletion netlify.toml
Expand Up @@ -2,6 +2,5 @@
[build]
publish = "site"
command = "make build-docs-netlify"
ignore = "git diff --quiet HEAD^ HEAD netlify.toml Makefile mkdocs.yml docs/ images/ hack/"
# available here https://github.com/netlify/build-image/blob/xenial/included_software.md#languages
environment = { PYTHON_VERSION = "3.7" }
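Review bot: removing the `ignore` line from `netlify.toml` is unrelated to the volume encryption key feature and is not explained anywhere in the PR. That line told Netlify to skip the docs build when none of `netlify.toml Makefile mkdocs.yml docs/ images/ hack/` changed, so dropping it means a docs build on every commit. Either split this into its own PR or explain the reason in the commit message.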
4 changes: 4 additions & 0 deletions pkg/apis/kops/instancegroup.go
Expand Up @@ -108,6 +108,8 @@ type InstanceGroupSpec struct {
RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
// RootVolumeEncryption enables EBS root volume encryption for an instance
RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
// RootVolumeEncryptionKey provides the key identifier for root volume encryption
RootVolumeEncryptionKey *string `json:"rootVolumeEncryptionKey,omitempty"`
// Volumes is a collection of additional volumes to create for instances within this InstanceGroup
Volumes []VolumeSpec `json:"volumes,omitempty"`
// VolumeMounts a collection of volume mounts
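Review bot: the comment on `RootVolumeEncryptionKey` is the source of the CRD description, so it should state the accepted forms (key ID, alias or ARN) and that the value is ignored unless `RootVolumeEncryption` is set. Consider also rejecting a key without `RootVolumeEncryption: true` in the instance group validation rather than silently dropping it in the model builder.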
Expand Down Expand Up @@ -225,6 +227,8 @@ type VolumeSpec struct {
Encrypted *bool `json:"encrypted,omitempty"`
// Iops is the provision iops for this iops (think io1 in aws)
Iops *int64 `json:"iops,omitempty"`
// Key is the encryption key identifier for the volume
Key *string `json:"key,omitempty"`
// Size is the size of the volume in GB
Size int64 `json:"size,omitempty"`
// Type is the type of volume to create and is cloud specific
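Review bot: `Key` is a very generic field name for a `VolumeSpec` and is hard to change once released; something like `EncryptionKey` (matching `RootVolumeEncryptionKey` on the instance group) or `KmsKey` would be self-explanatory in YAML, and the comment should say it only applies when `Encrypted` is true.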
4 changes: 4 additions & 0 deletions pkg/apis/kops/v1alpha2/instancegroup.go
Expand Up @@ -105,6 +105,8 @@ type InstanceGroupSpec struct {
RootVolumeDeleteOnTermination *bool `json:"rootVolumeDeleteOnTermination,omitempty"`
// RootVolumeEncryption enables EBS root volume encryption for an instance
RootVolumeEncryption *bool `json:"rootVolumeEncryption,omitempty"`
// RootVolumeEncryptionKey provides the key identifier for root volume encryption
RootVolumeEncryptionKey *string `json:"rootVolumeEncryptionKey,omitempty"`
// Volumes is a collection of additional volumes to create for instances within this InstanceGroup
Volumes []VolumeSpec `json:"volumes,omitempty"`
// VolumeMounts a collection of volume mounts
Expand Down Expand Up @@ -223,6 +225,8 @@ type VolumeSpec struct {
Encrypted *bool `json:"encrypted,omitempty"`
// Iops is the provision iops for this iops (think io1 in aws)
Iops *int64 `json:"iops,omitempty"`
// Key is the encryption key identifier for the volume
Key *string `json:"key,omitempty"`
// Size is the size of the volume in GB
Size int64 `json:"size,omitempty"`
// Type is the type of volume to create and is cloud specific
4 changes: 4 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.conversion.go


10 changes: 10 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go


10 changes: 10 additions & 0 deletions pkg/apis/kops/zz_generated.deepcopy.go


21 changes: 19 additions & 2 deletions pkg/model/awsmodel/autoscalinggroup.go
Expand Up @@ -40,6 +40,8 @@ const (
DefaultVolumeIops = 100
// DefaultVolumeDeleteOnTermination is the default volume behavior after instance termination
DefaultVolumeDeleteOnTermination = true
// DefaultVolumeEncryption is the default volume encryption behavior
DefaultVolumeEncryption = false
)

// AutoscalingGroupModelBuilder configures AutoscalingGroup objects
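Review bot: introducing `DefaultVolumeEncryption = false` turns an unset `rootVolumeEncryption` / `encrypted` from "not sent" into an explicit `false`; every expected terraform and cloudformation fixture in this PR gains an `encrypted = false` line for instance groups that never set the field, so existing clusters will see a launch template change on upgrade without any configuration change. If the constant only exists to avoid nil pointers, keeping nil when the field is unset avoids that churn and should be called out in the PR description either way.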
Expand Down Expand Up @@ -147,6 +149,11 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.ModelBuilde
if ig.Spec.InstanceInterruptionBehavior != nil {
lt.InstanceInterruptionBehavior = ig.Spec.InstanceInterruptionBehavior
}
if fi.BoolValue(ig.Spec.RootVolumeEncryption) && ig.Spec.RootVolumeEncryptionKey != nil {
lt.RootVolumeKmsKey = ig.Spec.RootVolumeEncryptionKey
} else {
lt.RootVolumeKmsKey = fi.String("")
}
return lt, nil
}

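Review bot: when `RootVolumeEncryptionKey` is set but `RootVolumeEncryption` is false or unset, the key is silently discarded and `RootVolumeKmsKey` becomes `""`; that combination should be a validation error rather than quietly producing a volume encrypted with a different key (or not at all). Also confirm the launch template task treats an empty string the same as nil, otherwise this emits `kms_key_id = ""`.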
Expand All @@ -171,6 +178,11 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
rootVolumeDeleteOnTermination = fi.BoolValue(ig.Spec.RootVolumeDeleteOnTermination)
}

rootVolumeEncryption := DefaultVolumeEncryption
if ig.Spec.RootVolumeEncryption != nil {
rootVolumeEncryption = fi.BoolValue(ig.Spec.RootVolumeEncryption)
}

// @step: if required we add the override for the security group for this instancegroup
sgLink := b.LinkToSecurityGroup(ig.Spec.Role)
if ig.Spec.SecurityGroupOverride != nil {
Expand Down Expand Up @@ -199,7 +211,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
RootVolumeOptimization: ig.Spec.RootVolumeOptimization,
RootVolumeSize: fi.Int64(int64(volumeSize)),
RootVolumeType: fi.String(volumeType),
RootVolumeEncryption: ig.Spec.RootVolumeEncryption,
RootVolumeEncryption: fi.Bool(rootVolumeEncryption),
SecurityGroups: []*awstasks.SecurityGroup{sgLink},
}

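Review bot: the launch configuration task receives the explicit `RootVolumeEncryption` flag but is never given `RootVolumeEncryptionKey`, so the new field only takes effect on the launch template path; either document that in the docs hunk or reject a key on an instance group that uses launch configurations, so users are not left with a silently ignored setting.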
Expand Down Expand Up @@ -261,10 +273,15 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
if x.DeleteOnTermination != nil {
deleteOnTermination = fi.BoolValue(x.DeleteOnTermination)
}
encryption := DefaultVolumeEncryption
if x.Encrypted != nil {
encryption = fi.BoolValue(x.Encrypted)
}
t.BlockDeviceMappings = append(t.BlockDeviceMappings, &awstasks.BlockDeviceMapping{
DeviceName: fi.String(x.Device),
EbsDeleteOnTermination: fi.Bool(deleteOnTermination),
EbsEncrypted: x.Encrypted,
EbsEncrypted: fi.Bool(encryption),
EbsKmsKey: x.Key,
EbsVolumeIops: x.Iops,
EbsVolumeSize: fi.Int64(x.Size),
EbsVolumeType: fi.String(x.Type),
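Review bot: `EbsKmsKey: x.Key` is passed through even when `encryption` resolves to false, which is inconsistent with the root-volume branch above that drops the key when encryption is off; AWS requires `Encrypted` to be true when a KMS key is supplied, so apply the same guard here or, better, reject `key` without `encrypted: true` in validation so the failure is reported before `kops update cluster`.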
Expand Up @@ -416,6 +416,7 @@ resource "aws_launch_template" "bastion-bastionuserdata-example-com" {
device_name = "/dev/xvda"
ebs {
delete_on_termination = true
encrypted = false
volume_size = 32
volume_type = "gp2"
}
Expand Down Expand Up @@ -476,6 +477,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-bastionuserdata-exampl
device_name = "/dev/xvda"
ebs {
delete_on_termination = true
encrypted = false
volume_size = 64
volume_type = "gp2"
}
Expand Down Expand Up @@ -540,6 +542,7 @@ resource "aws_launch_template" "nodes-bastionuserdata-example-com" {
device_name = "/dev/xvda"
ebs {
delete_on_termination = true
encrypted = false
volume_size = 128
volume_type = "gp2"
}
7 changes: 5 additions & 2 deletions tests/integration/update_cluster/complex/cloudformation.json
Expand Up @@ -250,7 +250,8 @@
"VolumeType": "gp2",
"VolumeSize": 64,
"DeleteOnTermination": true,
"Encrypted": true
"Encrypted": true,
"KmsKeyId": "arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
},
{
Expand Down Expand Up @@ -387,7 +388,9 @@
"Ebs": {
"VolumeType": "gp2",
"VolumeSize": 20,
"DeleteOnTermination": true
"DeleteOnTermination": true,
"Encrypted": true,
"KmsKeyId": "arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
],
Expand Up @@ -100,6 +100,8 @@ spec:
deleteOnTermination: false
size: 20
type: gp2
encrypted: true
key: arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab
additionalUserData:
- name: myscript.sh
type: text/x-shellscript
Expand All @@ -124,6 +126,7 @@ spec:
minSize: 1
role: Master
rootVolumeEncryption: true
rootVolumeEncryptionKey: arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab
subnets:
- us-test-1a
additionalUserData:
3 changes: 3 additions & 0 deletions tests/integration/update_cluster/complex/in-v1alpha2.yaml
Expand Up @@ -100,6 +100,8 @@ spec:
deleteOnTermination: false
size: 20
type: gp2
encrypted: true
key: arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab
additionalUserData:
- name: myscript.sh
type: text/x-shellscript
Expand All @@ -124,6 +126,7 @@ spec:
minSize: 1
role: Master
rootVolumeEncryption: true
rootVolumeEncryptionKey: arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab
subnets:
- us-test-1a
additionalUserData:
3 changes: 3 additions & 0 deletions tests/integration/update_cluster/complex/kubernetes.tf
Expand Up @@ -281,6 +281,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-complex-example-com" {
ebs {
delete_on_termination = true
encrypted = true
kms_key_id = "arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab"
volume_size = 64
volume_type = "gp2"
}
Expand Down Expand Up @@ -359,6 +360,8 @@ resource "aws_launch_template" "nodes-complex-example-com" {
device_name = "/dev/xvdd"
ebs {
delete_on_termination = true
encrypted = true
kms_key_id = "arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab"
volume_size = 20
volume_type = "gp2"
}
2 changes: 2 additions & 0 deletions tests/integration/update_cluster/compress/kubernetes.tf
Expand Up @@ -250,6 +250,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-compress-example-com"
device_name = "/dev/xvda"
ebs {
delete_on_termination = true
encrypted = false
volume_size = 64
volume_type = "gp2"
}
Expand Down Expand Up @@ -313,6 +314,7 @@ resource "aws_launch_template" "nodes-compress-example-com" {
device_name = "/dev/xvda"
ebs {
delete_on_termination = true
encrypted = false
volume_size = 128
volume_type = "gp2"
}
Expand Up @@ -205,7 +205,8 @@
"Ebs": {
"VolumeType": "gp2",
"VolumeSize": 64,
"DeleteOnTermination": true
"DeleteOnTermination": true,
"Encrypted": false
}
},
{
Expand Down Expand Up @@ -316,7 +317,8 @@
"Ebs": {
"VolumeType": "gp2",
"VolumeSize": 128,
"DeleteOnTermination": true
"DeleteOnTermination": true,
"Encrypted": false
}
}
],