Since an upgrade to kops 1.10 from 1.9, the cluster produces the following warnings:
I1025 13:05:51.932713 629 s3context.go:210] Unable to read bucket encryption policy: will encrypt using AES256
These are caused by GetBucketEncryption calls to s3, which are not allowed by the current default masters & nodes IAM policy. By adding allowed s3:GetEncryptionConfiguration for the kops state bucket to the masters and nodes IAM policy, the issue can be solved manually.
The bug seems to be a regression from #5921 or #5194.
Looks like PR 4235 added the feature to check for base bucket encryption, but it didn't make the policy change to allow this check. This means there are a ton of CloudTrail events for failed calls. s3:GetEncryptionConfiguration needs to be added to the default policy created for masters.
Version: kops 1.10.0, k8s 1.10.9 on AWS
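To size the CloudTrail noise described in this thread and confirm it stops once s3:GetEncryptionConfiguration is granted, the following is an added example (not part of the issue or of kops) that counts denied GetBucketEncryption calls per IAM role in a CloudTrail log file. The bucket name, role names and account id are constructed placeholders.

```python
import json

def _rec(name, role, bucket, error=None):
    """Build one constructed CloudTrail record (placeholder account and session)."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole", "arn":
               f"arn:aws:sts::111122223333:assumed-role/{role}/i-0example"},
           "requestParameters": {"bucketName": bucket}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log, shaped like a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("GetBucketEncryption", "masters.example.com", "example-kops-state", "AccessDenied"),
    _rec("GetBucketEncryption", "masters.example.com", "example-kops-state", "AccessDenied"),
    _rec("GetBucketEncryption", "nodes.example.com", "example-kops-state", "AccessDenied"),
    _rec("GetBucketEncryption", "masters.example.com", "example-kops-state"),  # allowed call
    _rec("GetObject", "nodes.example.com", "example-kops-state", "AccessDenied"),  # other API
    _rec("GetBucketEncryption", "nodes.example.com", "other-bucket", "AccessDenied"),
]})

def role_name(identity):
    """Extract the role from an assumed-role ARN; fall back to the raw ARN."""
    arn = identity.get("arn", "")
    # arn:aws:sts::<account>:assumed-role/<role>/<session>
    parts = arn.split(":", 5)[-1].split("/")
    if parts[0] == "assumed-role" and len(parts) >= 2:
        return parts[1]
    return arn or "unknown"

def denied_encryption_checks(log_text, state_bucket):
    """Count AccessDenied GetBucketEncryption calls on state_bucket, per role."""
    counts = {}
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource") != "s3.amazonaws.com"
                or rec.get("eventName") != "GetBucketEncryption"
                or rec.get("errorCode") != "AccessDenied"):
            continue
        if (rec.get("requestParameters") or {}).get("bucketName") != state_bucket:
            continue
        role = role_name(rec.get("userIdentity") or {})
        counts[role] = counts.get(role, 0) + 1
    return counts

if __name__ == "__main__":
    for role, n in sorted(denied_encryption_checks(SAMPLE_LOG, "example-kops-state").items()):
        print(f"{role}: {n} denied GetBucketEncryption call(s)")
```

A role that still appears in the output after the policy change has not picked up the new permission for the state bucket.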