Feature Request
Resolution: Done
Major
1. Proposed title of this feature request
OCP on AWS with manual STS requires private S3 bucket to host OIDC endpoint
2. What is the nature and description of the request?
Currently, ccoctl creates a public S3 bucket to host the OIDC endpoint, which is therefore reachable from anywhere on the internet. Many customers have objected to this approach because their security policies do not allow the creation of public S3 buckets.
3. Why does the customer need this? (List the business requirements here)
The customer is adopting OCP on AWS and they have very strict security requirements with their Tech Risk teams that block public S3 buckets. They plan to adopt OCP as their Kubernetes of choice for the public cloud (AWS and Google) and this
4. List any affected packages or components.
This will affect ccoctl and possibly the STS API and the OCP API server.
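An added offline check (example code written for this page, not part of the ticket or of ccoctl) that tells the public-bucket pattern described above apart from a private bucket served through CloudFront. It assumes the bucket-policy shape CloudFront origin access control uses (service principal cloudfront.amazonaws.com pinned to one distribution with an AWS:SourceArn condition); the bucket name, distribution ARN and both sample policies are constructed.

```python
import json

# Constructed sample inputs (not from the ticket): a policy of the kind a public
# OIDC bucket carries, and the private equivalent readable only via CloudFront.
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"  # placeholder
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-oidc-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-oidc-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}]})
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
OPEN_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
LOCKED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_is_anonymous_read(stmt):
    """True if the statement lets everyone read objects (the public OIDC bucket case)."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    is_everyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return is_everyone and bool(actions & {"s3:getobject", "s3:*", "*"})

def statement_is_cloudfront_scoped(stmt, distribution_arn):
    """True if only the CloudFront service principal, pinned to one distribution, may read."""
    principal = stmt.get("Principal", {})
    service = principal.get("Service") if isinstance(principal, dict) else None
    source = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
    return stmt.get("Effect") == "Allow" and service == "cloudfront.amazonaws.com" and source == distribution_arn

def audit_oidc_bucket(policy_doc, public_access_block, distribution_arn):
    """Return findings for dicts shaped like GetBucketPolicy/GetPublicAccessBlock output; [] means private."""
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    findings = [f"PublicAccessBlock.{k} is not enabled" for k in PAB_KEYS if not pab.get(k, False)]
    statements = _as_list(json.loads(policy_doc)["Statement"])
    if any(statement_is_anonymous_read(s) for s in statements):
        findings.append("bucket policy grants anonymous s3:GetObject (public OIDC endpoint)")
    if not any(statement_is_cloudfront_scoped(s, distribution_arn) for s in statements):
        findings.append("no statement limits reads to the CloudFront distribution")
    return findings

if __name__ == "__main__":
    print(audit_oidc_bucket(PUBLIC_POLICY, OPEN_PAB, DIST_ARN))
    print(audit_oidc_bucket(PRIVATE_POLICY, LOCKED_PAB, DIST_ARN))
```

With real buckets, feed it the `Policy` string from `get_bucket_policy` and the `get_public_access_block` response from boto3.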
- documents
  - SPLAT-950 [aws][cco] STS Implement procedure for migrating from a public s3 bucket OIDC to a private s3 bucket OIDC with CloudFront Distribution (Closed)
- is blocked by
  - CCO-222 Add ccoctl option to create private s3 bucket with OIDC configurations served through public CloudFront URL (Closed)
- is documented by
  - CCO-221 Document restricting access to OIDC S3 for STS installations using AWS CloudFront (Closed)
- is related to
  - CCO-219 Explore the option of creating private S3 bucket to host OIDC endpoint (Closed)
  - CCO-281 AWS STS Implement procedure for migrating from a public s3 bucket OIDC to a private s3 bucket OIDC with CloudFront Distribution (To Do)
  - SPLAT-349 [aws][spike][office hour] follow up bucket permissions to IAM OIDC config (Closed)