OpenShift Request For Enhancement
RFE-5785

Allow changing machine api credential spec in the MINT mode

      1. Proposed title of this feature request

      Support Modifying CredentialsRequest IAM Policies While in Mint Mode

      2. What is the nature and description of the request?

      In OpenShift clusters operating in Cloud Credential Operator (CCO) mint mode, it is currently not possible to modify the IAM permissions requested by individual CredentialsRequest resources, such as:


      credentialsrequest.cloudcredential.openshift.io/openshift-machine-api-aws

      Attempting to edit these requests or associated secrets leads to unsupported behavior and may be automatically reverted by the CCO. This restriction prevents cluster administrators from reducing IAM permission scopes to align with evolving security or compliance requirements.

      Problem Statement:
      Organizations often need to restrict or customize IAM permissions post-deployment to:

      • Address internal security policies.
      • Meet compliance audit requirements.
      • Minimize the blast radius of compromised components.

      Currently, this is not possible without:

      • Switching to manual mode, which is only supported at install time.
      • Reinstalling the entire cluster to apply a new CCO mode or IAM policy configuration.

      Request:
      Enable support for modifying IAM permissions in mint mode by allowing controlled customization of CredentialsRequest objects and/or their associated IAM policies. This could be done via:

      • An opt-in annotation or flag (e.g., cco.openshift.io/custom-policy: true) on the CredentialsRequest.
      • Allowing a custom policy to be provided that CCO will respect rather than overwrite.
      • A “read-only” mode for existing permissions, allowing auditing or limited scoping.

      Use Case / Example:
      A customer wants to limit the permissions requested by the openshift-machine-api-aws CredentialsRequest to remove unnecessary IAM actions. They attempted to modify the resource and the generated secret in the openshift-cloud-credential-operator namespace, but changes were overwritten or rejected.
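      As an added example (not part of this RFE and not CCO's own code), a small read-only audit that flattens the statementEntries of an AWSProviderSpec CredentialsRequest and reports actions that fall outside an administrator-approved baseline, which is the kind of scoping review the request above asks for. The sample manifest and the APPROVED_ACTIONS baseline are constructed for illustration.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of a CredentialsRequest with an AWSProviderSpec.
# Only a few statement entries are shown; values are illustrative, not copied
# from a real cluster or from the real openshift-machine-api-aws request.
SAMPLE_CREDENTIALS_REQUEST = json.loads("""
{
  "apiVersion": "cloudcredential.openshift.io/v1",
  "kind": "CredentialsRequest",
  "metadata": {"name": "openshift-machine-api-aws",
               "namespace": "openshift-cloud-credential-operator"},
  "spec": {
    "providerSpec": {
      "apiVersion": "cloudcredential.openshift.io/v1",
      "kind": "AWSProviderSpec",
      "statementEntries": [
        {"effect": "Allow", "resource": "*",
         "action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances"]},
        {"effect": "Allow", "resource": "*",
         "action": ["iam:PassRole", "iam:*"]}
      ]
    },
    "secretRef": {"name": "aws-cloud-credentials", "namespace": "openshift-machine-api"}
  }
}
""")

# Hypothetical baseline an administrator has approved for this request.
APPROVED_ACTIONS: Set[str] = {
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances", "iam:PassRole",
}


def requested_actions(cr: Dict) -> List[str]:
    """Flatten the Allow actions of an AWSProviderSpec CredentialsRequest, in order."""
    spec = cr["spec"]["providerSpec"]
    if spec.get("kind") != "AWSProviderSpec":
        raise ValueError(f"unsupported providerSpec kind: {spec.get('kind')}")
    actions: List[str] = []
    for entry in spec.get("statementEntries", []):
        if entry.get("effect", "Allow") != "Allow":
            continue  # Deny entries never widen scope, so they are not audited here
        actions.extend(entry.get("action", []))
    return actions


def audit(cr: Dict, approved: Set[str]) -> Dict[str, List[str]]:
    """Report wildcard actions and actions missing from the approved baseline."""
    actions = requested_actions(cr)
    return {
        "wildcards": sorted(a for a in actions if a.endswith("*")),
        "unapproved": sorted(set(actions) - approved),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CREDENTIALS_REQUEST, APPROVED_ACTIONS), indent=2))
```

      Running the audit against a live cluster only requires feeding it the JSON from `oc get credentialsrequest -n openshift-cloud-credential-operator openshift-machine-api-aws -o json`; it reads the object and changes nothing, so it is unaffected by CCO reverting edits.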

      Impact of Current Behavior:

      • Inflexibility in day-2 operations for security management.
      • Requires cluster redeployment to apply permission restrictions.
      • Violates the principle of least privilege for long-running clusters.
      • Prevents customers from adhering to cloud provider best practices.

      Benefits of Enhancement:

      • Greater operational security by allowing scoped IAM policies.
      • Flexibility for security and compliance teams without requiring reinstallation.
      • Improved administrator control over sensitive credential handling.


      3. Why does the customer need this? (List the business requirements here)

      The customer runs all of their clusters in mint mode.


      4. List any affected packages or components.

      CCO (Cloud Credential Operator)

              julim Ju Lim
              rhn-support-chdeshpa Chinmay Deshpande