• OCPSTRAT-10 Install and update OpenShift on Infrastructure Providers
    • 0% To Do, 0% In Progress, 100% Done

      Feature Overview

      Azure enhancements to address customer security concerns

      Goals

      Allows customers to better meet the requirements of restrictive organizational security policies.

      Requirements

      • Support for user-managed encryption keys with Azure Disk Encryption Sets
      • More restrictive Service Principal by adding support for deploying OpenShift to a user-created, empty Resource Group

      (Optional) Use Cases

      • As an administrator, I would like to deploy OpenShift 4 on Microsoft Azure with VM disk encryption leveraging a user-managed encryption key.
      • As an administrator, I would like to deploy an OpenShift 4 cluster to an empty Resource Group that I created so I can scope the SP to just that resource group (and not the entire subscription). Optionally, I should also be able to provide my own Managed Identity for OpenShift VM instances to use.
      • As an administrator, I would like to know the minimum list of required Service Principal permissions for OpenShift on Microsoft Azure and what they're needed for. This will allow me to create a custom role with only minimal permissions needed for installation (Day 1) and also re-scope the SP permissions to a specific Resource Group for the operation (Day 2) of OpenShift.

      Out of Scope

      Background, and strategic fit

       

      Assumptions

      • Documented list of minimum required Service Principal permissions needed to deploy (Day 1) and run (Day 2) OpenShift on Azure

      Customer Considerations

      • Many of our customers have security policies in their organizations that require user-managed encryption keys and Service Principals to be minimally scoped to individual Resource Groups as a way to minimize their security footprint. This requirement is a blocking issue for quite a few customers, preventing their adoption of OpenShift 4.

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this product feature? For users/admins? Other functions (security officers, etc.)? Users/admins.
      • Does this feature have doc impact? Yes. Need to document the use of Azure Disk Encryption Sets and deploying OpenShift to a user-managed, empty Resource Group.
      • What concepts do customers need to understand to be successful in [action]? Follow the documented minimum requirements for setting up Azure Disk Encryption Sets, the encryption key, and Resource Group creation as part of the OpenShift installation procedure.
      • How do we expect customers will use the feature? For what purpose(s)? When installing OpenShift to Azure.
      • What reference material might a customer want/need to complete [action]? Familiarity with Azure's console and how to configure these features.
      • Is there source material that can be used as reference for the Technical Writer in writing the content? Nothing beyond upstream OpenShift documentation.

       

            mak.redhat.com Marcos Entenza Garcia
            kdube@redhat.com Katherine Dubé