Uploaded image for project: 'OpenShift Hosted Control Plane'
  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-108

Define and implement explicit cloud permission model on AWS

XMLWordPrintable

    • Define and implement explicit cloud permission model on AWS
    • False
    • False
    • To Do
    • Impediment
    • 0% To Do, 0% In Progress, 100% Done
    • Undefined
    • 0
    • 0
    • 0

      Use STS for Hosted Control Plane Authentication

      Problem

      We must define and codify the AWS policy requirements so users know what permissions they're granting HyperShift to provide managed clusters.

      Currently we don't explicitly define the AWS IAM policy or policies necessary for HyperShift to work. With a codified definition of the requirements, we can more easily get user feedback about whether the policies are acceptable.

      This issue tracks effort to introduce a more clearly and narrowly scoped cloud permissions model for AWS.

      Cloud provider credentials are currently used in the following contexts:

      • Kube Controller Manager (KCM) deployment
      • Kube API server deployment
      • Kube CSI driver cloud credentials
      • CAPI AWS provider

      Only the Kube Controller Manager and CAPI provider really need cloud credentials, so the CSI and API server usages should simply be removed.

      The KCM and CAPI components have separate responsibilities and different permission needs. Each of these components should use distinct AWS IAM policies that we define and support so that users have more control over the exposed surface area of accounts attached to those policies.

      User story

      As an end-user I would like to understand the scope and permissions I am granting for cluster creation. 

       

      Steps

      Based on prior discussions, a viable approach has two main parts:

      1. Update the HostedCluster API to replace the single ProviderCreds field with a new struct that embeds two credentials fields for the two known contexts (KCM and CAPI provider).
      2. Update the CLI to produce canonical AWS policy resources and make creating default accounts using those policies easy for tests and development.

       

      References

      Github Issue

          There are no Sub-Tasks for this issue.

              sjenning Seth Jennings
              azaalouk Adel Zaalouk
              Jie Zhao Jie Zhao
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: