Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-2898

OCP on AWS with manual STS requires private S3 bucket to host OIDC endpoint

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Not Selected
    • 0
    • 0% 0%

    Description

      1. Proposed title of this feature request
      OCP on AWS with manual STS requires private S3 bucket to host OIDC endpoint

      2. What is the nature and description of the request?
      Currently, ccoctl creates a public S3 bucket to host OIDC endpoint that is accessible over the internet. Many customers have complained about this approach as their security policies do not allow creation of public S3 bucket.

      3. Why does the customer need this? (List the business requirements here)
      The customer is adopting OCP on AWS and they have very strict security requirements with their Tech Risk teams that block public S3 buckets. They plan to adopt OCP as their Kubernetes of choice for the public cloud (AWS and Google) and thisĀ 

      4. List any affected packages or components.
      This will affect ccoctl and possibly the STS API, and OCP API server

      Attachments

        Issue Links

          documents

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. SPLAT-950 [aws][cco] STS Implement procedure for migrating from a public s3 bucket OIDC to a private s3 bucket OIDC with CloudFront Distribution

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is blocked by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-222 Add ccoctl option to create private s3 bucket with OIDC configurations served through public CloudFront URL

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is documented by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-221 Document restricting access to OIDC S3 for STS installations using AWS CloudFront

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-219 Explore the option of creating private S3 bucket to host OIDC endpoint

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-281 AWS STS Implement procedure for migrating from a public s3 bucket OIDC to a private s3 bucket OIDC with CloudFront Distribution

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • To Do

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. SPLAT-349 [aws][spike][office hour] follow up bucket permissions to IAM OIDC config

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              julim Ju Lim
              rhn-gps-djohnsto David Johnston
              Votes:
              5 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: