Project: OpenShift Container Platform (OCP) Strategy
Issue: OCPSTRAT-997

Enable installer-assisted configuration of the internal registry to leverage a private storage endpoint on Azure


    • Type: Feature
    • Resolution: Unresolved
    • Priority: Major
    • Cloud Services, Core, Install
    • This feature requires OCPSTRAT-996 to land in OpenShift
    • Progress: 67% To Do, 0% In Progress, 33% Done
    • Status: Backlog Refinement

      Feature Overview (aka. Goal Summary)

      Support ARO and customers who want to follow Microsoft Azure security recommendations by allowing the Azure storage account that hosts the object storage bucket for the integrated registry to be configured as "private" rather than the default public.

      Goals (aka. expected user outcomes)

      OpenShift installations, and ARO specifically, no longer trigger warnings in Azure's Security Advisor by default regarding the use of a public endpoint for the Azure storage account created by the integrated registry operator.

      Requirements (aka. Acceptance Criteria):

      Installer-driven configuration of the Integrated Registry operator to leverage a private storage account


      Several users noticed warnings in Azure Security Advisor reporting the potentially dangerous exposure of the storage endpoint used by the integrated registry, as configured by its operator. There is no real security threat here: although the endpoint is publicly reachable, access to it is strictly locked down to a single set of credentials used only by the internal registry.

      Still, customers need to be able to deploy clusters that do not violate Microsoft security recommendations out of the box.

      This also aligns with OCPSTRAT-716, which introduces installer-level tunables that place the Ingress and API server on a private network. As part of this effort we will also introduce an analogous installer tunable for the integrated registry.

      Documentation Considerations

      We need documentation for the installer on how to trigger the creation of a private endpoint for the storage account leveraged by the OpenShift integrated registry.

      Interoperability Considerations

      ARO should transition to configuring the installer to create a private endpoint for the OpenShift integrated registry's storage account.

            People: Daniel Messer, Flavian Missi, Stephanie Stout, Marcos Entenza Garcia