Loading...

XML

Word

Printable

Details

Type: Feature
Resolution: Done
Priority: Major
Fix Version/s: openshift-4.15
Affects Version/s: None
Component/s: Cloud Services, Core, Install
Labels:
None

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Hierarchy Progress:
100
Hierarchy Progress Bar:

100% 100%
Target Version:

openshift-4.15

RICE Score:
0
Risk Score:
0

Discussion Needed:

Program Call

SFDC Cases Links:
SFDC Cases Counter:

Description

Feature Overview (aka. Goal Summary)

Support ARO and customers aspiring to follow Microsoft Azure security recommendations by allowing the Azure storage account hosting the object storage bucket for the integrated registry to be configured as "private" vs. the default public.

Goals (aka. expected user outcomes)

OpenShift installations on Azure can be configured so that they don't trigger the Azure's Security Advisor anymore with regard to the use of a public endpoint for the Azure storage account created by the integrated registry operator.

Requirements (aka. Acceptance Criteria):

Manual private storage account configuration via the Integrated Registry operator's CR
Automatic discovery of vnet and subnet resources requiring the end user to only set a single flag of the Integrated Registry operator CR to "internal"

Background

Several users noticed warnings in Azure Security advisor reporting the potentially dangerous exposure of the storage endpoint used by the integrated registry configured by its operator. There is no real security threat here because despite the endpoint being public, access to it is strictly locked down to a single set of credentials used by the internal registry only.

Still customers need to be able to deploy cluster that out of the box do not violate Microsoft security recommendations.

This feature sets the foundation for OCPSTRAT-997 to be delivered.

Customer Considerations

Customers updating to the version of OpenShift that delivers this feature shall not have their integrated registry configuration updated automatically.

Documentation Considerations

We require documentation in the section for the integrated registry operator that describes how to manually configure the vnet and subnet that shall be used for the private storage endpoint in case the customer wants to leverage an network resource group account different from the cluster.

We also require documentation that describes the single tunable for the integrated registry operator that is required to be set to "internal" to automate the detection of existing vnet and subnets in the network resource group of the cluster as opposed to manual specification of a user-defined vnet/subnet pair.

Attachments

Issue Links

relates to

RFE-2515 Azure Storage account created with IPI for cluster bootstrap should provide a way to use a private link connection

Accepted

OCPSTRAT-997 Enable installer-assisted configuration of the internal registry to leverage a private storage endpoint on Azure

Backlog

Activity

People

Assignee:: Daniel Messer

Reporter:: Daniel Messer

Developer:: Flavian Missi

Doc Contact:: Stephanie Stout

SME:: Marcos Entenza Garcia

Product Manager:: Daniel Messer

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023/11/24 2:08 PM

Updated:: 2024/02/29 6:21 PM

Resolved:: 2023/12/19 3:18 PM