Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-2932

OpenShift on vSphere with a dedicated user (best practices)

XMLWordPrintable

    • Product / Portfolio Work
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • None
    • None
    • None
    • None

      Feature Overview

      To enhance the security posture of OpenShift Container Platform (OCP) on VMware vSphere, this feature mandates a transition from using global administrative accounts to dedicated, least-privileged accounts for installation and Day-2 operations. This initiative ensures that Red Hat’s official documentation reflects security best practices and that the Quality Engineering (QE) team validates these configurations across all supported OpenShift versions to guarantee installation success without over-privileged credentials.

      Goals

      • Enforce Security Best Practices: Update the vSphere installation documentation to strongly recommend a dedicated account with specific roles rather than a global administrator for installation and Day-2 operations.
      • Validated Documentation: Every privilege listed in the official documentation must be verified by QE to be sufficient for a successful OpenShift on vSphere deployment.
      • Primary Persona: Cloud Architect, Security Administrator, and Site Reliability Engineer (SRE).

      Requirements

      • Functional:
        • The documentation must be updated for all non-End-of-Life (EOL) versions: OCP 4.12, 4.14, and 4.16 through 4.21.
        • Documentation must explicitly list the combined privileges required for a dedicated user for OpenShift in vCenter.
        • The "Global Administrative Privileges" option must be clearly marked as "Not Recommended".
      • Non-Functional:
        • Security: Adherence to the Principle of Least Privilege (PoLP).
        • Reliability: Installation and Day-2 operations must not fail due to "Permission Denied" errors when using the documented privilege set.
        • Maintainability: The list of privileges must be audited to ensure it remains accurate for both legacy (4.12) and upcoming (4.21) releases.

      User Scenarios

      • As a vSphere Administrator, I want to provide the OpenShift installation team with a vCenter user that has the minimum required permissions so that I can maintain a hardened infrastructure and reduce the blast radius of a compromised credential.
      • As an SRE, I want to use a single dedicated vSphere account for both installation and Day-2 storage operations so that I don't have to manage multiple credentials or update permissions after the cluster is live.

      Quality Engineering (QE) Validation

      The QE team is required to:

      1. Abandon Admin Testing: Cease the use of administrator@vsphere.local or equivalent global admin accounts for standard functional testing.
      2. Verify a dedicated OpenShift account: Execute full installation suites using a dedicated vSphere user mapped to a role containing only the privileges listed in the official OpenShift documentation.

      Out of Scope

      •  

      Questions to Answer (Optional)

      •  

      Links

              mzasepa Michal Zasepa
              mzasepa Michal Zasepa
              None
              Joseph Callen, Neil Girard, Richard Vanderpool
              None
              Penghao Wang Penghao Wang
              Avani Bhatt Avani Bhatt
              Eric Rich Eric Rich
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: