OpenShift Bugs: OCPBUGS-10741

[IBMCloud] ccoctl configures CIS and DNS access for ingress CredentialsRequests regardless of cluster type

    • Important
    • OSDOCS Sprint 240

Description of problem:

IBM Cloud only supports Manual credentials mode, which requires using ccoctl to generate the cluster Secrets that components need in order to interact with IBM Cloud services via CredentialsRequests. However, the CIS access policy requirement applies only to Public clusters, while the DNS Services access policy requirement applies only to Private clusters; from an in-cluster design perspective, a cluster never needs both. But for ccoctl to succeed in generating the Secrets, the user must have both IAM policies set up, whereas the documentation says only one is required:
https://docs.openshift.com/container-platform/4.12/installing/installing_ibm_cloud_public/installing-ibm-cloud-account.html#required-access-policies-ibm-cloud_installing-ibm-cloud-account

Version-Release number of selected component (if applicable):

4.12

How reproducible:

100%

Steps to Reproduce:

1. Follow the documentation on setting up the IBM Cloud Account, configuring access for only CIS or only DNS, not both
2. Run ccoctl ibmcloud create-service-id ... using that IBM Cloud Account

Actual results:

When attempting a Public cluster (CIS), ccoctl fails to configure DNS Services if the account was not set up for both CIS and DNS, and vice versa for a Private cluster (DNS).
```
Error: Failed to process the serviceID: Failed to create access policy with: {Attributes:[{Name:serviceName Value:dns-svcs Operator:}] Roles:[crn:v1:bluemix:public:iam::::serviceRole:Manager crn:v1:bluemix:public:iam::::serviceRole:Reader crn:v1:bluemix:public:iam::::serviceRole:Writer]}: Failed to create policy: You are not allowed to create the requested policy.
```

Expected results:

A successful ccoctl ibmcloud create-service-id ... run when following the documentation at
https://docs.openshift.com/container-platform/4.12/installing/installing_ibm_cloud_public/installing-ibm-cloud-account.html#required-access-policies-ibm-cloud_installing-ibm-cloud-account

Additional info:

Adding logic to ccoctl to manage the requirements for Public vs. Private clusters is unlikely. I wonder if this is something that could, however, be covered by the CCO inside the cluster, knowing the type of cluster deployed (Public vs. Private). That does require another mode to be supported (rather than just Manual mode) for IBM Cloud.

Otherwise, I think a documentation update stating that both CIS and DNS access are required regardless of cluster type should be okay in the short term, although it may be confusing to the user.
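As an added example (not ccoctl's or the CCO's own code), a Go preflight check for the mismatch described above: it parses the account's IAM access policies (the JSON shape of the IAM Policy Management API and the CIS service name internet-svcs are assumptions) and reports which services ccoctl would still reject versus which the chosen cluster type actually needs.

```go
package main

import "encoding/json"

// Subset of an IBM Cloud IAM access policy (JSON field names assumed).
type policy struct {
	Roles     []struct{ RoleID string `json:"role_id"` }
	Resources []struct{ Attributes []struct{ Name, Value string } }
}

// Role CRN prefix from the error above; Manager/Reader/Writer are assumed to be requested for CIS too.
const iamRole = "crn:v1:bluemix:public:iam::::serviceRole:"

// What ccoctl demands regardless of cluster type vs. what a Private cluster needs (internet-svcs = CIS, assumed).
var CcoctlServices = []string{"internet-svcs", "dns-svcs"}
var PrivateServices = []string{"dns-svcs"}

// Missing lists the services in want that no policy covers with all three roles,
// the precondition the report says create-service-id needs in order to succeed.
func Missing(policiesJSON []byte, want []string) ([]string, error) {
	var pols []policy
	if err := json.Unmarshal(policiesJSON, &pols); err != nil {
		return nil, err
	}
	covered := map[string]bool{}
	for _, p := range pols {
		have := map[string]bool{}
		for _, r := range p.Roles {
			have[r.RoleID] = true
		}
		if !have[iamRole+"Manager"] || !have[iamRole+"Reader"] || !have[iamRole+"Writer"] {
			continue // policy exists but does not grant every role ccoctl asks for
		}
		for _, res := range p.Resources {
			for _, a := range res.Attributes {
				if a.Name == "serviceName" {
					covered[a.Value] = true
				}
			}
		}
	}
	var missing []string
	for _, s := range want {
		if !covered[s] {
			missing = append(missing, s)
		}
	}
	return missing, nil
}

// DNSOnly is a constructed sample: an account set up for DNS Services only (step 1).
const DNSOnly = `[{"roles":[{"role_id":"` + iamRole + `Manager"},{"role_id":"` + iamRole + `Reader"},
{"role_id":"` + iamRole + `Writer"}],"resources":[{"attributes":[{"name":"serviceName","value":"dns-svcs"}]}]}]`
```

With the DNS-only sample, Missing against CcoctlServices reports internet-svcs (ccoctl would fail as in the error above), while against PrivateServices it reports nothing, which is the gap the report describes.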

Mike Pytlak (rhn-support-mpytlak, Inactive)
Christopher Schaefer (cschaefe@redhat.com)
May Xu
Jeff Nowicki