OpenShift Cloud Credential Operator: CCO-282

Azure OpenShift role granularity for Azure managed identity


    • ARO Role granularity
    • To Do
    • OCPSTRAT-506 - ARO Managed Identity
    • 0% To Do, 0% In Progress, 100% Done
    • Approved

      Epic Goal

      • Build a list of the specific permissions required to run OpenShift on Azure. Components are currently granted whole roles, but a finer-grained set of permissions is needed.
      • Determine and document the Azure roles and required permissions for Azure managed identity.

      Why is this important?

      • Many of our customers have organizational security policies that restrict credentials to minimal permissions, which conflicts with the documented list of permissions needed for OpenShift. Customers need the explicit list of permissions minimally required to deploy and run OpenShift, and what each is used for, so they can request the right permissions. Without this information, adoption of OpenShift 4 will be blocked in many cases.


      Acceptance Criteria

      • Document explicit list of required credential permissions for installing (Day 1) OpenShift on Azure using the IPI and UPI deployment workflows and what each of the permissions are used for.
      • Document explicit list of required role and credential permissions for the operation (Day 2) of an OpenShift cluster on Azure and what each of the permissions are used for.
      • Verify minimum list of permissions for Azure with IPI and UPI installation workflows
      • (Day 2) operations of OpenShift on Azure - MUST complete successfully with automated tests
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      1. Installer [both UPI & IPI Workflows]
      2. Control Plane
        • Kube Controller Manager
      3. Compute [Managed Identity]
      4. Cloud API enabled components
        • Cloud Credential Operator
        • Machine API
        • Internal Registry
        • Ingress

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>



            abutcher@redhat.com Andrew Butcher
            mworthin@redhat.com Mike Worthington
            Mingxia Huang