Uploaded image for project: 'OpenShift Hosted Control Plane'
  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-697

Configurable additional allowed principals for HCP VPC Endpoint Service

    XMLWordPrintable

Details

    • SREP Team Rocket 230
    • 0
    • 0
    • 0

    Description

      Hosted control planes have their API server fronted by a VPCE Service - this VPCE service is created with a single allowed principal of the hosted cluster's kube-system-control-plane-operator IAM role:

      arn:aws:iam::${AWS_ACC}:role/${CLUSTER}-kube-system-control-plane-operator

      However, for managed HyperShift, we have the need to add one more allowed principal per environment (i.e. one more IAM role for staging, a different one for production) https://docs.google.com/document/d/1e-3pphlJ6JvfA8pb-Niw6bgCMPxpyvUn6wkeK8oAsRU/edit# .

      Open for discussion on how to could be implemented, but in essence,

      Done Criteria:

      • Hosted Control Plane VPCE Services are able to have one additional allowed principal.
        • Ideally this ARN is configurable and not hard-coded, however the likelihood if it changing is very low

      Attachments

        Issue Links

          is related to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. HIVE-2063 Allow additional "allowed principals" to be reconciled to PrivateLink VPCE Services

          • Undefined - Priority not specified.
          • Closed
          links to

          GitHub openshift/hypershift#2021: Add support for additional allowed principals for AWS hosted cluster VPC Endpoint Services

          Activity

            People

              mshen.openshift Michael Shen
              mshen.openshift Michael Shen
              Jie Zhao Jie Zhao
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: