  1. OpenShift Installer
  2. CORS-1602

Document deploying OpenShift to a user-created, empty Resource Group on Azure

    • Done
    • OCPSTRAT-308 - Azure Security Enhancements

      Goal:

      As an administrator, I would like to deploy an OpenShift 4 cluster to an empty Resource Group that I created so I can scope the SP to just that resource group (and not the entire subscription). Optionally, I should also be able to provide my own Managed Identity for OpenShift VM instances to use.

      Problem:

      Using the IPI workflow, openshift-install doesn't allow an empty Resource Group to be provided; instead, the installer creates its own Resource Group whenever deploying a new OpenShift cluster. Unfortunately, there's no way of knowing the name of the RG in advance or scoping the provided Service Principal to just the installer-created RG and not the subscription.

      Why is this important:

      At many customers using Azure, there is a process around the management and creation of resource groups. This process is often managed by a dedicated cloud team which is separate and independent from the team which is installing and managing OpenShift. The cloud team has specific requirements around the creation of resource groups and does not delegate this capability to other teams.

      The resource group in Azure is often considered the working level for teams to deploy applications, infrastructure, etc., and teams other than the cloud team have no access to anything above the resource level (i.e. subscriptions, etc.). Tightly managing resource groups enables the cloud team to effectively manage utilization, costs, etc. created by application teams within those resource groups.

      Enabling OpenShift to be installed in an existing resource group would enable us to work within and support this process. The cloud team can create the resource group, tag it and manage it as they see fit while the OpenShift installer is wholly responsible for anything in the resource group itself.

      Lifecycle Information:

      • Core

      Previous Work:

      Dependencies:

      Prioritized epics + deliverables (in scope / not in scope):

      • Document the requirements for creating an empty RG + Managed Identity including SP permissions necessary for an OpenShift deployment
      • Integrate into OpenShift CI

      Estimate (XS, S, M, L, XL, XXL):

      Customers:

      Open Questions:

            etiennesimard Etienne Simard (Inactive)
            mak.redhat.com Marcos Entenza Garcia
            Mike Gahagan Mike Gahagan