Closed elankath closed 1 year ago
@elankath You need to rebase this pull request onto the latest master branch. Please check.
Also covered in doc at: CMEK Testing

Install `gcloud` and log in:

```
brew install gcloud
gcloud auth login
```

Create a keyring and a key (this requires IAM privileges to be assigned to you), then list the keys:

```
gcloud kms keyrings create cmektest --location=us-east4
gcloud kms keys create alpha --keyring=cmektest --location=us-east4 --purpose encryption
gcloud kms keys list --keyring=cmektest --location=us-east4
NAME                                                                      PURPOSE
projects/projectId/locations/us-east4/locations/us-east4/keyRings/cmektest/cryptoKeys/alpha  ENCRYPT_DECRYPT
```

Bind `roles/cloudkms.cryptoKeyEncrypterDecrypter` for the service account on the project and on the key:

```
gcloud projects add-iam-policy-binding projectId --member serviceAccount:user@projectId.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter
gcloud kms keys add-iam-policy-binding alpha --location us-east4 --keyring cmektest --member serviceAccount:user@projectId.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter
```

Check out `machine-controller-manager` and `machine-controller-manager-provider-gcp` in peer directories under `$GOPATH/src/github.com/gardener`.

```
cd $GOPATH/src/github.com/gardener/machine-controller-manager
make download-kubeconfigs
make start 2>&1 | tee /tmp/mcm.log
```

```
cd $GOPATH/src/github.com/gardener/machine-controller-manager-provider-gcp
make start 2>&1 | tee /tmp/mcm-gcp.log
```

Edit the `MachineClass` yaml (`k edit mcc`) and modify `providerSpec.disks` as follows: adding `kmsKeyName` and `kmsKeyServiceAccount` as illustrated below (example below makes boot disk CMEK encrypted):

```yaml
- autoDelete: true
  boot: true
  encryption:
    kmsKeyName: projects/projectId/locations/us-east4/keyRings/cmektest/cryptoKeys/alpha
    kmsKeyServiceAccount: user@projectId.iam.gserviceaccount.com
```

Please note that you can omit `kmsKeyServiceAccount`. This will then default to the Compute Engine Service Agent Account. See https://cloud.google.com/iam/docs/service-agents#compute-engine-service-agent

Pick a `Running` machine:

```
k get machine
shoot--userid--shootName-worker-alpha-z1-9485d-xprld
```

Add the `force-deletion` label to the machine (so restart is faster) and delete it:

```
k label mc shoot--userid--shootName-worker-alpha-z1-9485d-xprld force-deletion=true
k delete mc shoot--userid--shootName-worker-alpha-z1-9485d-xprld
```

Wait until the replacement machine is `Running`:

```
k get machine
NAME                                                   STATUS    AGE
shoot--userid--shootName-worker-alpha-z1-9485d-96fkl   Running   67m
```

Check the disk of the new machine:

```
gcloud compute disks list | grep 96fkl
shoot--userid--shootName-worker-alpha-z1-9485d-96fkl  us-east4-c  zone  50  pd-balanced  READY
gcloud compute disks describe shoot--userid--shootName-worker-alpha-z1-9485d-96fkl --zone us-east4-c
```

```yaml
creationTimestamp: '2023-05-25T00:46:41.136-07:00'
diskEncryptionKey:
  kmsKeyName: projects/projectId/locations/us-east4/keyRings/cmektest/cryptoKeys/alpha/cryptoKeyVersions/2
  kmsKeyServiceAccount: user@projectId.iam.gserviceaccount.com
id: '843731016874110129'
```
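The last step above is the actual security check: the MachineClass names a cryptoKey, while `gcloud compute disks describe` reports the bound key *version* (`.../cryptoKeyVersions/2`), so a naive string comparison fails after a key rotation, and a disk with no `diskEncryptionKey` block at all means the CMEK setting silently did not apply. The following script is an added example, not code from the PR or from the project; it encodes that check as a shell function and runs it against constructed samples that mirror the describe output above (the `beta` key and the extra disk names are invented for the example).

```shell
#!/usr/bin/env sh
# Added example (not from the PR or the project): verify that a disk created from the
# MachineClass carries the expected CMEK key. JSON samples below are constructed to
# mirror `gcloud compute disks describe --format=json` output; they are not real responses.

# Key exactly as written in providerSpec.disks[].encryption.kmsKeyName (no version suffix)
EXPECTED_KEY="projects/projectId/locations/us-east4/keyRings/cmektest/cryptoKeys/alpha"

# cmek_status DISK_JSON EXPECTED_KEY
# Prints one of: cmek-ok | wrong-key | no-cmek. Always returns 0 so it can be used
# inside $(...) under `set -e`; callers branch on the printed word.
cmek_status() {
  json="$1"
  expected="$2"
  # Pull diskEncryptionKey.kmsKeyName out of the JSON without depending on jq.
  key=$(printf '%s\n' "$json" | sed -n 's/.*"kmsKeyName": *"\([^"]*\)".*/\1/p' | head -n 1)
  if [ -z "$key" ]; then
    # No diskEncryptionKey block: no CMEK key is bound, the encryption setting was not applied.
    echo "no-cmek"
    return 0
  fi
  # describe reports the bound key version (.../cryptoKeyVersions/N). After a rotation the
  # version changes but the key is still the right one, so match on the cryptoKey resource
  # name and tolerate any version suffix.
  case "$key" in
    "$expected" | "$expected"/cryptoKeyVersions/*) echo "cmek-ok" ;;
    *) echo "wrong-key" ;;
  esac
}

# Constructed sample: the expected key, bound at version 2 (as in the comment above).
CMEK_DISK='{
  "name": "shoot--userid--shootName-worker-alpha-z1-9485d-96fkl",
  "diskEncryptionKey": {
    "kmsKeyName": "projects/projectId/locations/us-east4/keyRings/cmektest/cryptoKeys/alpha/cryptoKeyVersions/2",
    "kmsKeyServiceAccount": "user@projectId.iam.gserviceaccount.com"
  }
}'
# Constructed sample: encrypted, but with a different (hypothetical) key "beta".
OTHER_KEY_DISK='{
  "name": "shoot--userid--shootName-worker-beta-z1-1234a-abcde",
  "diskEncryptionKey": {
    "kmsKeyName": "projects/projectId/locations/us-east4/keyRings/cmektest/cryptoKeys/beta/cryptoKeyVersions/1"
  }
}'
# Constructed sample: a disk created before the MachineClass change, no CMEK key bound.
PLAIN_DISK='{
  "name": "shoot--userid--shootName-worker-alpha-z1-9485d-xprld",
  "type": "https://www.googleapis.com/compute/v1/projects/projectId/zones/us-east4-c/diskTypes/pd-balanced"
}'

printf '%-15s %s\n' "CMEK_DISK"      "$(cmek_status "$CMEK_DISK" "$EXPECTED_KEY")"
printf '%-15s %s\n' "OTHER_KEY_DISK" "$(cmek_status "$OTHER_KEY_DISK" "$EXPECTED_KEY")"
printf '%-15s %s\n' "PLAIN_DISK"     "$(cmek_status "$PLAIN_DISK" "$EXPECTED_KEY")"

# Against a live project the same check is:
#   cmek_status "$(gcloud compute disks describe DISK --zone ZONE --format=json)" "$EXPECTED_KEY"
```

Run it against the disk of the *replacement* machine, as the procedure above does: a disk's encryption key is fixed when the disk is created, so editing the MachineClass never re-encrypts disks that already exist, and checking the old machine's disk would report `no-cmek` regardless of whether the change works.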
Review comments from meeting:

- `kmsKeyServiceAccount` that defaults to the compute engine service agent account. (Google's docstring for the API key `kmsKeyServiceAccount` is WRONG here)
- `GCPDiskEncryption` struct.

A suggestion: shall we move the "How to test manually" from https://github.com/gardener/machine-controller-manager-provider-gcp/pull/84#issuecomment-1562553340 to the docs instead, as I believe this will be handy later as well? wdyt?
/hold because of https://github.com/gardener/machine-controller-manager-provider-gcp/pull/84#issuecomment-1562859544
Yes, I will be moving this into the docs and updating it with tests and refactoring.
What this PR does / why we need it: Changes required to support CMEK Encrypted disks in GCP.
Which issue(s) this PR fixes: Fixes #78
Special notes for your reviewer: tests in progress.
Release note: