From 2d397b59d9f020aaf4283c0bd119ada93f90ece9 Mon Sep 17 00:00:00 2001
From: Abhinav Dahiya
Date: Thu, 12 Mar 2020 16:52:18 -0700
Subject: [PATCH 1/2] support KMS key for EBS encryption
For encyrpted EBS volumes allow users to provide ARN to the KMS keys to use. It uses the ID > ARN preference order similar to other functions - Why only ID and ARN? the KMS keys don't really support filtering the KMS keys based on tags. [1] & [2] [1]: https://docs.aws.amazon.com/cli/latest/reference/kms/index.html#cli-aws-kms [2]: https://docs.aws.amazon.com/cli/latest/reference/kms/describe-key.html
---
pkg/actuators/machine/instances.go | 7 +++++++
.../v1beta1/awsmachineproviderconfig_types.go | 3 +++
.../awsproviderconfig/v1beta1/zz_generated.deepcopy.go | 1 +
3 files changed, 11 insertions(+)
diff --git a/pkg/actuators/machine/instances.go b/pkg/actuators/machine/instances.go
index ec6fb30c24..2d283b8948 100644
--- a/pkg/actuators/machine/instances.go
+++ b/pkg/actuators/machine/instances.go
@@ -212,6 +212,13 @@ func getBlockDeviceMappings(blockDeviceMappings []providerconfigv1.BlockDeviceMa
 Encrypted: blockDeviceMappings[0].EBS.Encrypted,
 },
 }
+
+ if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ID) != "" {
+ blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ID
+ } else if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ARN) != "" {
+ blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ARN
+ }
+
 if *volumeType == "io1" {
 blockDeviceMapping.Ebs.Iops = blockDeviceMappings[0].EBS.Iops
 }
diff --git a/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go b/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go
index ecdd389e5f..df9dd78e34 100644
--- a/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go
+++ b/pkg/apis/awsproviderconfig/v1beta1/awsmachineproviderconfig_types.go
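Review bot: The new branch copies KmsKeyId into the request whenever an ID or ARN is set, without looking at `Encrypted`, so a spec that names a KMS key but leaves `encrypted` unset or false sends a key for a volume that is not being encrypted; EC2 will presumably reject that combination, and the user only learns about it when RunInstances fails rather than when the spec is validated. Consider gating the block on `aws.BoolValue(blockDeviceMappings[0].EBS.Encrypted)` or, if getBlockDeviceMappings already reports invalid mappings as an error, returning one here. A value in `KMSKey.Filters` is also silently ignored, which the commit message explains but the code does not; a comment above the if such as `// Only ID and ARN are honoured (ID preferred): KMS keys cannot be looked up by tag filter.` would keep that reasoning next to the code. getBlockDeviceMappings begins and ends outside the hunk.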
@@ -180,6 +180,9 @@ type EBSBlockDeviceSpec struct {
 // may only be attached to machines that support Amazon EBS encryption.
 Encrypted *bool `json:"encrypted,omitempty"`
+ // Indicates the KMS key that should be used to encrypt the Amazon EBS volume.
+ KMSKey AWSResourceReference `json:"kmsKey,omitempty"`
+
 // The number of I/O operations per second (IOPS) that the volume supports.
 // For io1, this represents the number of IOPS that are provisioned for the
 // volume. For gp2, this represents the baseline performance of the volume and
diff --git a/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go b/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go
index e5a6736aa3..2b5fce103b 100644
--- a/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go
+++ b/pkg/apis/awsproviderconfig/v1beta1/zz_generated.deepcopy.go
@@ -272,6 +272,7 @@ func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) {
 *out = new(bool)
 **out = **in
 }
+ in.KMSKey.DeepCopyInto(&out.KMSKey)
 if in.Iops != nil {
 in, out := &in.Iops, &out.Iops
 *out = new(int64)
From 09f91d938bede68258eacfbdc1f12b650057497e Mon Sep 17 00:00:00 2001
From: Abhinav Dahiya
Date: Mon, 16 Mar 2020 09:15:32 -0700
Subject: [PATCH 2/2] actuators/machine/instances.go: add logging for KMS key reference
- When using the ARN for KMS key, the log output doesn't include the ARN value as it contains the AWS account ID which is usually sensitive. - This current setup doesn't have a great way to tie EBS volume to the machine object, and therefore this log will be difficult to tie back to the machine object. which reduces the value to some degree.
---
pkg/actuators/machine/instances.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pkg/actuators/machine/instances.go b/pkg/actuators/machine/instances.go
index 2d283b8948..12d3849aef 100644
--- a/pkg/actuators/machine/instances.go
+++ b/pkg/actuators/machine/instances.go
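Review bot: The doc comment on the new KMSKey field is the API contract users of this CRD read, and it does not say which parts of AWSResourceReference are honoured, so someone who fills in `filters` gets a silently unencrypted-by-their-key volume with no hint why. The ID-over-ARN precedence and the Filters limitation are only in the commit message; a field comment such as `// KMSKey identifies the KMS key used to encrypt the volume. Only ID and ARN are honoured,` / `// with ID taking precedence; Filters are ignored because KMS keys cannot be looked up by tag.` / `// Only meaningful when Encrypted is true.` would put it where it is read. It may also be worth stating, if that is the intended behaviour, that a bare key ID is resolved in the machine's own account and region, whereas an ARN is required for a key in another account. The deepcopy hunk that follows is generated and needs no separate change.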
@@ -214,8 +214,10 @@ func getBlockDeviceMappings(blockDeviceMappings []providerconfigv1.BlockDeviceMa
 }
 if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ID) != "" {
+ klog.V(3).Infof("Using KMS key ID %q for encrypting EBS volume", *blockDeviceMappings[0].EBS.KMSKey.ID)
 blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ID
 } else if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ARN) != "" {
+ klog.V(3).Info("Using KMS key ARN for encrypting EBS volume") // ARN usually have account ids, therefore are sensitive data so shouldn't log the value
 blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ARN
 }
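Review bot: The justification for not logging the ARN is the most important sentence in this hunk, and it is parked as a trailing comment on an already long line, where gofmt will leave it but readers will scroll past it; put it on its own line above the call, e.g. `// ARNs embed the AWS account ID, which is sensitive, so only the fact that an ARN is in use is logged.` followed by the unchanged `klog.V(3).Info(...)`. Keeping the ID branch at Infof with `%q` and the ARN branch at Info is fine, since a key ID is an opaque identifier with no account information. The commit message itself notes these lines cannot be tied back to a machine; if any identifier for the mapping is already in scope in this function (the hunk does not show one), adding it to both messages would make the V(3) output actually usable during an incident. getBlockDeviceMappings begins and ends outside the hunk.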