Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-171

CloudCredentialOperator-based flow for OLM-managed operators and AWS STS


    • False
    • False
    • OCPSTRAT-6Tokenized Auth Enablement for OLM-managed Operators on Cloud Providers
    • 0% To Do, 0% In Progress, 100% Done
    • 0
    • 0
    • Program Call

      Feature Overview  

      Much like core OpenShift operators, a standardized flow exists for OLM-managed operators to interact with the cluster in a specific way to leverage AWS STS authorization when using AWS APIs as opposed to insecure static, long-lived credentials. OLM-managed operators can implement integration with the CloudCredentialOperator in well-defined way to support this flow.


      Enable customers to easily leverage OpenShift's capabilities around AWS STS with layered products, for increased security posture. Enable OLM-managed operators to implement support for this in well-defined pattern.


      • CCO gets a new mode in which it can reconcile STS credential request for OLM-managed operators
      • A standardized flow is leveraged to guide users in discovering and preparing their AWS IAM policies and roles with permissions that are required for OLM-managed operators 
      • A standardized flow is defined in which users can configure OLM-managed operators to leverage AWS STS
      • An example operator is used to demonstrate the end2end functionality
      • Clear instructions and documentation for operator development teams to implement the required interaction with the CloudCredentialOperator to support this flow

      Use Cases:

      See Operators & STS slide deck.


      Out of Scope:

      • handling OLM-managed operator updates in which AWS IAM permission requirements might change from one version to another (which requires user awareness and intervention)



      The CloudCredentialsOperator already provides a powerful API for OpenShift's cluster core operator to request credentials and acquire them via short-lived tokens. This capability should be expanded to OLM-managed operators, specifically to Red Hat layered products that interact with AWS APIs. The process today is cumbersome to none-existent based on the operator in question and seen as an adoption blocker of OpenShift on AWS.


      Customer Considerations

      This is particularly important for ROSA customers. Customers are expected to be asked to pre-create the required IAM roles outside of OpenShift, which is deemed acceptable.

      Documentation Considerations

      • Internal documentation needs to exists to guide Red Hat operator developer teams on the requirements and proposed implementation of integration with CCO and the proposed flow
      • External documentation needs to exist to guide users on:
        • how to become aware that the cluster is in STS mode
        • how to become aware of operators that support STS and the proposed CCO flow
        • how to become aware of the IAM permissions requirements of these operators
        • how to configure an operator in the proposed flow to interact with CCO

      Interoperability Considerations

      • this needs to work with ROSA
      • this needs to work with self-managed OCP on AWS

            DanielMesser Daniel Messer
            DanielMesser Daniel Messer
            Andrew Butcher, Brett Tofel, James Harrington, Lance Galletti
            Jianping Shu Jianping Shu
            Matthew Werner Matthew Werner
            Daniel Messer Daniel Messer
            Dave Mulford Dave Mulford
            0 Vote for this issue
            9 Start watching this issue