  1. OpenShift Bugs
  2. OCPBUGS-45995

Azure CAPI: Always set cross_tenant_replication_enabled parameter to False


    • None
    • Installer (PB) Sprint 263, Installer (PB) Sprint 265
    • 2
    • False
    • None
    • Prior to the fix the installer was not compliant with PCI-DSS/BAFIN regulations. This fix force disables the cross tenant replication in Azure. Disabling cross-tenant object replication reduces the chance of unauthorized data access and ensures strict adherence to data governance policies.
    • Bug Fix
    • In Progress

      Description of problem:

      Improving the OpenShift installer for Azure Deployments to comply with PCI-DSS/BAFIN regulations.

      The OpenShift installer utilizes the github.com/hashicorp/terraform-provider-azurerm module, which in versions < 4 has the cross_tenant_replication_enabled parameter set to true. Two options available to fix this are:
      1. adjust the OpenShift installer to create the resource StorageAccount [1] as requested with the default set to FALSE
      2. upgrade the OpenShift installer module version used of terraform-provider-azurerm to 4.x, where this parameter now defaults to FALSE

      [1] https://github.com/hashicorp/terraform-provider-azurerm/blob/57cd1c81d557a49e18b2f49651a4c741b465937b/internal/services/storage/storage_account_resource.go#L212

      This security violation blocks using and scaling Clusters in Public cloud environments for the Banking and Financial industry which need to comply with BAFIN and PCI-DSS regulations.

      4. List any affected packages or components.
      OpenShift Installer 4.x

      Compliance Policy Azure https://learn.microsoft.com/en-us/azure/storage/common/security-controls-policy.


              rh-ee-bbarbach Brent Barbachem
              sdasu@redhat.com Sandhya Dasu
              Gaoyun Pei Gaoyun Pei