Mysterious Unencrypted EBS Volume

[nickumia-reisys]

EKS Brokerpak v2.3.2+

How to reproduce

1. Bring up an EKS Cluster

Expected behavior

All Volumes are encrypted.

Actual behavior

New volumes using our custom ebs-sc (ebs storage class) are encrypted. (This was verified in https://github.com/GSA/datagov-deploy/issues/3683) However, during startup there is a volume that mysteriously gets created and is not encrypted.

Sketch

• [x] Determine what's creating the volume
• [ ] Update the thing creating the volume to ensure it specifies the encrypted volumes should be used.
  • There's a way to specify attributes for the EC2 nodes that get used in our Managed Node Groups in AWS' Terraform EKS module, which we're using. We need to do that! Start here.

[mogul]

I'm pretty sure that the EBS volume we're seeing here is the volume attached to the managed-node group EC2 instance. We are not setting any parameters that we could be to ensure MNGs use encrypted volumes by default. In other words this is unrelated to the PVC/CSI work we did recently.