Closed Yuggupta27 closed 3 years ago
@nixpanic do we need to allow this operation from a security point of view? if the parent PVC or snapshot kmsid
is not matching with the request PVC we can fail fast?
@nixpanic do we need to allow this operation from a security point of view? if the parent PVC or snapshot
kmsid
is not matching with the request PVC we can fail fast?
When cloning a volume encrypted with one KMS-configuration, the encryption-passphrase is decrypted and stored according to the destination KMS-configuration. This is expected to work, and allows for migration in case a KMS-service needs replacing.
Closing this one. Thanks, @nixpanic . Thanks @Yuggupta27 for testing it
Testing performed:
[TEST 1]: Creation of encrypted clone from an SC that has different KMSID from the SC used by the parent
Result: The cloned PVC is also encrypted.
[TEST 2]: Creation of encrypted clone using same sc as the parent, but sc is recreated with different KMSID before clone creation
Result: The cloned PVC is also encrypted.
Note: 'test-vault-test' uses the same configuration as 'vault-test' in the 'ceph-csi-encryption-kms-config' configmap.
Question: Are the above-mentioned behavior expected?