Open harold-sun opened 8 years ago
KMS is used to encrypt/decrypt all TLS assets so they can go into the userdata securely; I would not recommend removing this.
As a workaround, you may set a KMS key in another region and replace {{.Region}} [1][2] with the region name where the KMS key was created.
[1] https://github.com/coreos/coreos-kubernetes/blob/7075232e47cc4475bb4f0370c5ccd8c5e36f793e/multi-node/aws/pkg/config/templates/cloud-config-controller#L179
[2] https://github.com/coreos/coreos-kubernetes/blob/7075232e47cc4475bb4f0370c5ccd8c5e36f793e/multi-node/aws/pkg/config/templates/cloud-config-worker#L111
Thanks for the workaround. I will try it today. I need to verify if it is possible to call KMS in another region from China, since the accounts are also separated.
This does work if I provide AWS credentials for another region where the KMS key was created. This means I have to live with embedding AWS credentials in userdata if there are no better solutions.
The KMS service is not available in the AWS China region. Can I skip the KMS key creation step?