Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-1413

Enable Cloud Credential Operator to mint new vSphere credentials

XMLWordPrintable

    • False
    • False
    • Undefined

      1. Proposed title of this feature request
      Enable Cloud Credential Operator to mint new vSphere credentials

      2. What is the nature and description of the request?
      Today the credential operator cannot mint new vSphere credential nor can it scope down existing credentials. This is best explained here[1]. This means that all the components that need to contact the vSphere API get the same credentials that were used at installation time. In particular also the kubelet gets those credentials. This way if our understanding is correct, if a node it compromised the attacker will also gain elevated access to the underlying vSphere infrastructure.

      This RFE is to ask that the implementation of the credentials operator for vSphere is brought to par with the other cloud providers and in so that credentials can be scoped down and that then the principle of least privilege is applied to all the new minted credentials.

      [1]: https://github.com/openshift/cloud-credential-operator#support-matrix

              racedoro@redhat.com Ramon Acedo
              rhn-support-akretzsc Alex Kretzschmar (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: