Uploaded image for project: 'OpenShift CFE'
  1. OpenShift CFE
  2. CFE-778

[DUP of CORS-1870] Determine and Document the explicit list of required SP permissions for Microsoft Azure

XMLWordPrintable

    • Document the explicit list of required SP permissions for Microsoft Azure
    • Strategic Product Work
    • In Progress
    • OCPSTRAT-250 - Document Cloud Provider Permissions
    • OCPSTRAT-250Document Cloud Provider Permissions
    • Approved

      Goal:

      As an administrator, I would like to know the minimum list of required Service Principal permissions for OpenShift on Microsoft Azure and what they're needed for. This will allow me to create a custom role with only minimal permissions needed for installation (Day 1) and also re-scope the SP permissions to a specific Resource Group for the operation (Day 2) of OpenShift.

      Problem:

      Today, Service Principal permissions are broadly scoped to two specific roles:

      • User Access Administrator
      • Contributor

      Since the Resource Group used by OpenShift is installer create in the case of IPI, there's no way to minimally scope these SP permissions to only a Resource Group. Instead, users must scope the SP to the subscription, which is often prohibited in many organizations.

      Customers need a way to minimally scope SP permissions for installation (Day 1) with the ability to re-scope permissions to the OpenShift Resource Group and only what is needed for the operation of the cluster (Day 2).

      Why is this important:

      • Many of our customers have security policies in their organizations that require Service Principals to be minimally scoped to individual Resource Groups as a way to minimize their security footprint. The requirement of needing to use a SP with those permissions scoped to the subscription is a blocking issue for quite a few customers preventing their adoption of OpenShift 4.

      Lifecycle Information:

      • Core

      Previous Work:

      Dependencies:

      • Installer [both UPI & IPI Workflows]
      • Control Plane
        • Kube Cloud Controller
      • Compute [Managed Identity]
      • Cloud API enabled components
        • Cloud Credential Operator
        • Machine API
        • Internal Registry
        • Ingress
      • ?

      Prioritized epics + deliverables (in scope / not in scope):

      • Document explicit list of required Service Principal permissions for installing (Day 1) OpenShift on Azure using the IPI and UPI deployment workflows and what each of the permissions are used for
      • Document explicit list of required Service Principal permissions for the operation (Day 2) of an OpenShift cluster on Azure (including details on how the SP an be minimally scoped to the OpenShift resource group) and what each of those permissions are used for
      • Verify minimum list of permissions for:
        • Installing on Azure with UPI workflow
        • Installing on Azure with IPI workflow
        • (Day 2) operation of OpenShift cluster on Azure

      Related:

      Estimate (XS, S, M, L, XL, XXL):

      Customers: All customers deploying OpenShift 4 to Microsoft Azure

      Open Questions:

              rh-ee-ckyal Chirag Kyal
              mak.redhat.com Marcos Entenza Garcia
              Jinyun Ma Jinyun Ma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: