Merge pull request #286284 from johnmarco/jm-aro-cmk-update

prmerger-automator[bot] · web-flow · commit 03abede16dc4 · 2024-09-09T21:03:57.000Z
ARO: CMK update
diff --git a/articles/openshift/howto-byok.md b/articles/openshift/howto-byok.md
@@ -6,7 +6,7 @@ ms.author: johnmarc
 ms.service: azure-redhat-openshift
 keywords: encryption, byok, deploy, openshift, red hat, key
 ms.topic: how-to
-ms.date: 05/05/2023
+ms.date: 09/06/2024
 ms.custom: template-how-to, devx-track-azurecli
 ms.devlang: azurecli
 ---
@@ -104,6 +104,11 @@ az keyvault set-policy -n $KEYVAULT_NAME \
 
 ## Create an Azure Red Hat OpenShift cluster
 Create an Azure Red Hat OpenShift cluster to use the customer-managed keys.
+
+> [!NOTE]
+> Enabling CMK on *existing* ARO clusters is only possible for worker nodes, not master nodes. You can achieve this using machine-API through machineset CRs. See [Enabling customer-managed encryption keys for a machine set](https://docs.openshift.com/container-platform/4.12/machine_management/creating_machinesets/creating-machineset-azure.html#machineset-enabling-customer-managed-encryption-azure_creating-machineset-azure) and [Modifying a compute machine set](https://docs.openshift.com/container-platform/4.12/machine_management/modifying-machineset.html) for more information.
+> 
+
 ```azurecli-interactive
 az aro create --resource-group $RESOURCEGROUP \
               --name $CLUSTER  \
