kops: KOPS wants to change encrypted volume on etcd on running cluster (but does nothing but complain every time)

1. What kops version are you running? The command kops version, will display this information. kops 1.18.3

2. What Kubernetes version are you running? kubectl version will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag. 1.18.15

3. What cloud provider are you using? aws

4. What commands did you run? What is the simplest way to reproduce this issue? set cluster with etcd encrypted volume NOT defined.

When I do kops update cluster (after changing minsize to 3) it says:

Will modify resources:
  AutoscalingGroup/nodes.k8s.ops.example.com
        MinSize                  2 -> 3

  EBSVolume/a.etcd-events.k8s.ops.example.com
        Encrypted                true -> false

  EBSVolume/a.etcd-main.k8s.ops.example.com
        Encrypted                true -> false

If I run kops update cluster - without having changed anything - it shows the above 2 changes - but it never changes them - and I tried setting encryptedVolume: true - in config (as it apparently IS encrypted) - but that's now allowed.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 23 (11 by maintainers)

Most upvoted comments

Just tried creating a cluster with version 1.20.1 and still receiving the same validation error.

At the moment, AWS ignores the Encrypted parameter in ec2.CreateVolumeInput when default encryption is enabled. So cluster config does not match, even if we specify encryptedVolume: false in cluster spec. Of course, kops creates volumes with encryptedVolume: false when we don’t specify encryptedVolume in cluster spec, but the result does not change.

So I removed the validation, maybe you can edit your cluster using kops edit to change encryptedVolume.

Maybe kops should change where it performs this immutable validation: rather than at the API layer, it could ensure the encryption setting isn't changing closer to where it would otherwise call ec2.ModifyVolume.

This would mean the error would only happen if the setting would actually be changed on a volume, during kops update cluster --yes rather than during kops edit cluster or kops replace.

@KlavsKlavsen I think 1.20.1 got released with the validation removal.
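
The mismatch described in the comments above (spec says `encryptedVolume: false`, AWS encrypts the volume anyway because account-level default encryption is on) can be told apart from a genuinely unencrypted volume by comparing three inputs. This is an added example, not part of the thread or of kops; it assumes the volumes carry a `Name` tag equal to the EBSVolume names in the `kops update cluster` output, and the JSON samples and volume IDs are constructed.

```python
import json

# Constructed sample shaped like `aws ec2 get-ebs-encryption-by-default` output.
DEFAULT_JSON = '{"EbsEncryptionByDefault": true}'

# Constructed sample shaped like `aws ec2 describe-volumes` output (trimmed).
# Volume IDs are placeholders; the Name tags are the volumes from the issue.
VOLUMES_JSON = """{"Volumes": [
  {"VolumeId": "vol-00000000000000001", "Encrypted": true,
   "Tags": [{"Key": "Name", "Value": "a.etcd-main.k8s.ops.example.com"}]},
  {"VolumeId": "vol-00000000000000002", "Encrypted": true,
   "Tags": [{"Key": "Name", "Value": "a.etcd-events.k8s.ops.example.com"}]}
]}"""

# Desired state: encryptedVolume per volume from the cluster spec.
# None means unset, which per the thread results in encryptedVolume: false.
SPEC = {
    "a.etcd-main.k8s.ops.example.com": None,
    "a.etcd-events.k8s.ops.example.com": None,
}


def classify_drift(spec, volumes_json, default_json):
    """Return {volume name: verdict} for every volume named in spec."""
    default_on = bool(json.loads(default_json).get("EbsEncryptionByDefault"))
    actual = {}
    for vol in json.loads(volumes_json).get("Volumes", []):
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        if "Name" in tags:
            actual[tags["Name"]] = bool(vol.get("Encrypted"))

    verdicts = {}
    for name, wanted in spec.items():
        wanted = bool(wanted)  # unset (None) is treated as false
        if name not in actual:
            verdicts[name] = "volume-not-found"
        elif actual[name] == wanted:
            verdicts[name] = "in-sync"
        elif actual[name]:
            # Spec says unencrypted but the volume is encrypted.
            verdicts[name] = ("explained-by-account-default" if default_on
                              else "encrypted-outside-spec")
        else:
            # Spec expects encryption but the volume is not encrypted.
            verdicts[name] = "unencrypted-volume"
    return verdicts


if __name__ == "__main__":
    print(classify_drift(SPEC, VOLUMES_JSON, DEFAULT_JSON))
```

Only the `unencrypted-volume` verdict is a security finding; `explained-by-account-default` is the harmless `Encrypted true -> false` diff from the report.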