OpenShift Container Platform (OCP) Strategy / OCPSTRAT-997

Enable installer-assisted configuration of the internal registry to leverage a private storage endpoint on Azure


      This feature requires a facility inside the cluster to read the installer configuration or for the installer to configure the integrated registry explicitly in this regard.

      There is no consensus yet from OCP architects on which way to go.

      Feature Overview (aka. Goal Summary)

      Support ARO and customers aspiring to follow Microsoft Azure security recommendations by allowing the Azure storage account hosting the object storage bucket for the integrated registry to be configured as "private" instead of the default public.

      Goals (aka. expected user outcomes)

      By default, OpenShift installations, and ARO installations in particular, no longer trigger warnings in Azure's Security Advisor about the use of a public endpoint for the Azure storage account created by the integrated registry operator.

      Requirements (aka. Acceptance Criteria):

      Installer-driven configuration of the Integrated Registry operator to leverage a private storage account

      Background

      Several users noticed warnings in Azure Security Advisor reporting the potentially dangerous exposure of the storage endpoint used by the integrated registry, as configured by its operator. There is no real security threat here: although the endpoint is public, access to it is strictly locked down to a single set of credentials used only by the internal registry.

      Still, customers need to be able to deploy clusters that, out of the box, do not violate Microsoft security recommendations.

      This also aligns with OCPSTRAT-716 which introduces installer-level tunables that set the Ingress and API server to a private network. As part of this effort we will also introduce an appropriate tunable for the integrated registry for the installer.
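As an added example (not part of this issue or of the installer), the check a cluster administrator could run today to see whether the storage account backing the integrated registry still exposes a public endpoint, which is the condition the Security Advisor warning is about. It assumes logged-in oc and az CLIs and that the operator created the account in the cluster resource group reported by the infrastructure object; the classification function is a hypothetical helper, not operator code.

```shell
#!/bin/sh
# Added example, not part of the Jira issue or the registry operator.
# Classifies the Azure storage account used by the OpenShift integrated
# registry by its network settings, the same condition that makes Azure
# Security Advisor warn about a public storage endpoint.

# Classify a storage account from two Azure network settings.
# $1: publicNetworkAccess (Enabled|Disabled)
# $2: networkRuleSet.defaultAction (Allow|Deny)
# Prints "private" when no public network path exists, "restricted" when
# a public endpoint exists but the account firewall denies by default
# (still reachable from allowed IP ranges or VNets), otherwise "public".
assess_network_access() {
  pna=$1
  action=$2
  if [ "$pna" = "Disabled" ]; then
    echo private
  elif [ "$pna" = "Enabled" ] && [ "$action" = "Deny" ]; then
    echo restricted
  else
    echo public
  fi
}

# Live check against the current cluster (assumes oc and az are logged in
# and that the account lives in the cluster's resource group).
check_registry_storage_account() {
  account=$(oc get configs.imageregistry.operator.openshift.io cluster \
    -o jsonpath='{.status.storage.azure.accountName}')
  rg=$(oc get infrastructure cluster \
    -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
  pna=$(az storage account show -n "$account" -g "$rg" \
    --query publicNetworkAccess -o tsv)
  action=$(az storage account show -n "$account" -g "$rg" \
    --query networkRuleSet.defaultAction -o tsv)
  printf '%s/%s: %s\n' "$rg" "$account" \
    "$(assess_network_access "$pna" "$action")"
}

# Only touch the cluster when both CLIs are present.
if command -v oc >/dev/null 2>&1 && command -v az >/dev/null 2>&1; then
  check_registry_storage_account
fi
```

A "restricted" result still has a public endpoint and will still be flagged; only "private" corresponds to the outcome this feature targets.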

      Documentation Considerations

      We need documentation for the installer on how to trigger the creation of a private endpoint for the storage account leveraged by the OpenShift integrated registry.

      Interoperability Considerations

      ARO should transition to configure the installer to create a private endpoint for the OpenShift integrated registry's storage account.

              Daniel Messer
              Flavian Missi
              Stephanie Stout
              Marcos Entenza Garcia
              Senthamilarasu S