ROSA / OSD : Custom KMS key not propagated to default storage class
Issue
A Red Hat OpenShift Service on AWS (ROSA) or OpenShift Dedicated (on AWS) cluster configured (at install time) to use a customer managed AWS KMS key for encryption may not use the customer supplied AWS KMS key to encrypt persistent volumes for the cluster. The specified AWS KMS key is only used to encrypt the root filesystem for cluster nodes.
Persistent volumes are still encrypted, but they use the default AWS managed KMS key for the region the cluster is in, rather than the specified customer managed KMS key.
Environment
This issue impacts Red Hat OpenShift Service on AWS (ROSA) or OpenShift Dedicated (on AWS) clusters deployed before 20 April 2022 that were configured to use a customer managed AWS KMS key. Clusters created after this date should not be affected.
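One way to check a cluster for this condition, as an added example that is not Red Hat's code: the script below audits the JSON produced by `oc get storageclass -o json` and reports whether each EBS-backed StorageClass pins the customer managed key through its `kmsKeyId` parameter. The class names, the key ARN and the sample JSON are constructed placeholders.

```python
import json

DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"
EBS_PROVISIONERS = {"kubernetes.io/aws-ebs", "ebs.csi.aws.com"}

# Placeholder ARN, constructed for this example.
EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed stand-in for `oc get storageclass -o json`; class names are hypothetical.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "default-ebs",
                  "annotations": {DEFAULT_ANNOTATION: "true"}},
     "provisioner": "kubernetes.io/aws-ebs",
     "parameters": {"type": "gp2", "encrypted": "true"}},
    {"metadata": {"name": "customer-kms-ebs"},
     "provisioner": "ebs.csi.aws.com",
     "parameters": {"type": "gp3", "encrypted": "true", "kmsKeyId": EXPECTED_KEY}},
    {"metadata": {"name": "other-backend"},
     "provisioner": "example.com/not-ebs"},
]})


def audit_storage_classes(sc_list_json, expected_key):
    """Return {name: (is_default, finding)} for every EBS-backed StorageClass."""
    report = {}
    for sc in json.loads(sc_list_json).get("items", []):
        if sc.get("provisioner") not in EBS_PROVISIONERS:
            continue  # only EBS volumes are encrypted with an AWS KMS key
        meta = sc.get("metadata", {})
        is_default = (meta.get("annotations") or {}).get(DEFAULT_ANNOTATION) == "true"
        # Look the parameter up case-insensitively.
        params = {k.lower(): v for k, v in (sc.get("parameters") or {}).items()}
        key = params.get("kmskeyid")
        if not key:
            finding = "no-kms-key"      # volumes fall back to the region's default key
        elif key == expected_key:
            finding = "customer-key"
        else:
            finding = "different-key"
        report[meta.get("name")] = (is_default, finding)
    return report


def default_class_gaps(sc_list_json, expected_key):
    """Names of default StorageClasses that do not pin the customer managed key."""
    report = audit_storage_classes(sc_list_json, expected_key)
    return sorted(n for n, (d, f) in report.items() if d and f != "customer-key")


if __name__ == "__main__":
    print(audit_storage_classes(SAMPLE, EXPECTED_KEY))
    print("default classes missing the customer key:", default_class_gaps(SAMPLE, EXPECTED_KEY))
```

A StorageClass only governs volumes provisioned through it, so volumes that already exist need their own key checked on the AWS side.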