Goal:

As an administrator, I would like to know the minimum list of required Service Principal permissions for OpenShift on Microsoft Azure and what they're needed for. This will allow me to create a custom role with only minimal permissions needed for installation (Day 1) and also re-scope the SP permissions to a specific Resource Group for the operation (Day 2) of OpenShift.

Problem:

Today, Service Principal permissions are broadly scoped to two specific roles:

• User Access Administrator
• Contributor

Since the Resource Group used by OpenShift is installer create in the case of IPI, there's no way to minimally scope these SP permissions to only a Resource Group. Instead, users must scope the SP to the subscription, which is often prohibited in many organizations.

Customers need a way to minimally scope SP permissions for installation (Day 1) with the ability to re-scope permissions to the OpenShift Resource Group and only what is needed for the operation of the cluster (Day 2).

Why is this important:

• Many of our customers have security policies in their organizations that require Service Principals to be minimally scoped to individual Resource Groups as a way to minimize their security footprint. The requirement of needing to use a SP with those permissions scoped to the subscription is a blocking issue for quite a few customers preventing their adoption of OpenShift 4.

Lifecycle Information:

• Core

Previous Work:

• OpenShift Product Documentation: https://docs.openshift.com/container-platform/4.5/installing/installing_azure/installing-azure-account.html
• Component credential request manifests

Dependencies:

• Installer [both UPI & IPI Workflows]
• Control Plane
  • Kube Cloud Controller
• Compute [Managed Identity]
• Cloud API enabled components
  • Cloud Credential Operator
  • Machine API
  • Internal Registry
  • Ingress
• ?

Prioritized epics + deliverables (in scope / not in scope):

• Document explicit list of required Service Principal permissions for installing (Day 1) OpenShift on Azure using the IPI and UPI deployment workflows and what each of the permissions are used for
• Document explicit list of required Service Principal permissions for the operation (Day 2) of an OpenShift cluster on Azure (including details on how the SP an be minimally scoped to the OpenShift resource group) and what each of those permissions are used for
• Verify minimum list of permissions for:
  • Installing on Azure with UPI workflow
  • Installing on Azure with IPI workflow
  • (Day 2) operation of OpenShift cluster on Azure

Related:

Estimate (XS, S, M, L, XL, XXL):

Customers: All customers deploying OpenShift 4 to Microsoft Azure

Open Questions: