/kind feature
Describe the solution you'd like
Add support for specifying a DiskEncryptionSetID when creating AKS (managed) clusters via Cluster API Provider Azure (CAPZ), enabling Encryption At Rest using Customer Managed Keys on AKS node pools.
Azure supports encrypting AKS OS disks with customer-managed keys via a DiskEncryptionSet resource (equivalent to az aks create --node-osdisk-diskencryptionset-id). The ASO ManagedCluster resource already exposes a DiskEncryptionSetReference field, but CAPZ does not currently expose or populate it.
The proposed change adds a new optional, immutable field DiskEncryptionSetID to AzureManagedControlPlaneClassSpec, which accepts the full ARM resource ID of a DiskEncryptionSet.
Anything else you would like to add:
Example usage in the AzureManagedControlPlane spec:
```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureManagedControlPlane
metadata:
  name: my-aks-cluster
spec:
  diskEncryptionSetID: "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}"
  # ... other fields
```
- This field is immutable per Azure's restriction: "Encryption of an OS disk with customer-managed keys can only be enabled when creating an AKS cluster."
- CAPZ already supports DiskEncryptionSet for self-managed (IaaS) clusters via OSDisk.ManagedDisk.DiskEncryptionSet on AzureMachine and AzureMachinePool. This feature request is specifically for AKS managed clusters.
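As an added illustration, not code from CAPZ, these are the two admission checks a webhook would need for the proposed field: the value must be a full DiskEncryptionSet ARM resource ID, and it cannot change after the cluster is created. Function names and the sample IDs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// desIDPattern matches the full ARM resource ID of a DiskEncryptionSet.
// Segment names are matched case-insensitively, as ARM treats them.
var desIDPattern = regexp.MustCompile(
	`(?i)^/subscriptions/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})` +
		`/resourceGroups/([^/]+)/providers/Microsoft\.Compute/diskEncryptionSets/([^/]+)$`)

// ValidateDiskEncryptionSetID checks that id is a well-formed DiskEncryptionSet
// ARM ID. An empty value is allowed because the proposed field is optional.
func ValidateDiskEncryptionSetID(id string) error {
	if id == "" {
		return nil
	}
	if !desIDPattern.MatchString(id) {
		return fmt.Errorf("diskEncryptionSetID %q is not a DiskEncryptionSet ARM resource ID", id)
	}
	return nil
}

// ValidateDiskEncryptionSetIDUpdate enforces the create-only restriction:
// any change (including enabling CMK on an existing cluster) is rejected.
func ValidateDiskEncryptionSetIDUpdate(oldID, newID string) error {
	if oldID != newID {
		return errors.New("diskEncryptionSetID is immutable: customer-managed key encryption of AKS OS disks can only be enabled at cluster creation")
	}
	return ValidateDiskEncryptionSetID(newID)
}

func main() {
	// Constructed sample values; the subscription GUID is a placeholder.
	good := "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Compute/diskEncryptionSets/my-des"
	fmt.Println(ValidateDiskEncryptionSetID(good))           // <nil>
	fmt.Println(ValidateDiskEncryptionSetID("my-des"))       // rejected: short name, not an ARM ID
	fmt.Println(ValidateDiskEncryptionSetIDUpdate(good, "")) // rejected: immutable
}
```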
Environment:
- cluster-api-provider-azure version:
- Kubernetes version: (use `kubectl version`):
- OS (e.g. from `/etc/os-release`):