Uploaded image for project: 'OpenShift Hosted Control Plane'
  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-432

Lifecycle Hosted Clusters in HyperShift via Managed Identities

    XMLWordPrintable

Details

    • Managed Identities for Azure in HyperShift
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-979 - Integrate Azure Workload Identities and Managed Service Identity (MSI) for Operators (control plane/data plane)
    • OCPSTRAT-979Integrate Azure Workload Identities and Managed Service Identity (MSI) for Operators (control plane/data plane)
    • 16
    • 16% 16%
    • 0
    • 0
    • 0

    Description

      Problem

      Today Azure installation requires manually created service principal which involves relations, permission granting, credential setting, credential storage, credentials rotation, credentials clean up, and service principal deletion. This is not only mundane and time-consuming but also less secure and risks access to resources by adversaries due to lack of credential rotation. 

      Goal

      Employ Azure managed credentials which drastically reduce the steps required to just managed identity creation, permission granting, and resource deletion. 

      Ideally, this should be a HyperShift-native functionality. I.e., HyperShift should use managed identities for the control plane, the kubelet, and any add-on that needs access to Azure resources.  

      Attachments

        Issue Links

          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1696 Azure Disk CSI on Hosted control planes GA

          • Critical - To be worked on immediately following BLOCKER issues.
          • Testing

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1697 Azure File CSI on Hosted control planes GA

          • Critical - To be worked on immediately following BLOCKER issues.
          • Testing

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1279 Initial work for Azure Disk on Hosted control planes

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1280 Initial work for Hosted control plane support for Azure File CSI

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-506 ARO Managed Identity

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-909 ARO Managed Identity Phase II

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rh-ee-brcox Bryan Cox
              azaalouk Adel Zaalouk
              Jie Zhao Jie Zhao
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: