OpenShift Request For Enhancement
RFE-6979

Assess removal of cluster managed identity used by installer



      1. Proposed title of this feature request

      ==> Assess removal of an additional cluster managed identity created by installer

      2. What is the nature and description of the request?

      ==> Customer wants to evaluate the removal of the additional identity created by the installer, as it is impacting their governance.

       
      3. Why does the customer need this? (List the business requirements here)

      ==> This is largely impacting our governance, as the installer automation violates the Least Privilege approach in terms of role assignment.

      4. List any affected packages or components.

      ==> Installer on azure platform

       

      ===============================

       

      Hello Team,

      We have a customer who performed an OCP installation, and they want to remove an additional identity created by the installer, as it is largely impacting their governance: the installer automation violates the Least Privilege approach in terms of role assignment.

      =================

      During our tests we discovered that Owner role is still required when creating a cluster with 4.14.

      Here's the problem statement:
      1 - we restricted the cluster's SP to the Contributor role for the target Resource Group where OCP needs to be installed
      2 - we gave the cluster's SP the Contributor role for the network Resource Group, where all the networking objects related to the cluster reside.

      We observed that on the PaaS RG, a new identity is created here:

      https://github.com/openshift/installer/blob/release-4.14/data/data/azure/vnet/main.tf#L57

      resource "azurerm_user_assigned_identity" "main" {
        resource_group_name = data.azurerm_resource_group.main.name
        location            = data.azurerm_resource_group.main.location
        name                = "${var.cluster_id}-identity"
        tags                = var.azure_extra_tags
      }

      and later a role assignment of the same identity to `Contributor` is made here:

      https://github.com/openshift/installer/blob/release-4.14/data/data/azure/vnet/main.tf#L64C1-L68C2

      resource "azurerm_role_assignment" "main" {
        scope                = data.azurerm_resource_group.main.id
        role_definition_name = "Contributor"
        principal_id         = azurerm_user_assigned_identity.main.principal_id
      }

      As the Cluster SP is limited to Contributor on the Network resource group, it CAN create a managed identity on that RG, but it CANNOT perform a role assignment (as Contributor); only Owner and User Access Administrator are supposed to do so.

      I do not understand why this identity is created and, therefore, we wonder what it is used for. Is it really needed, or can it be removed (from TF)?
      The identity is not stored in any cluster secret / configmap and Azure activity log does not show any action done by it.

      As of now, this breaks our IAM definition as we need to escalate our privileges to Owner/User Access Administrator in order to perform this assignment.

      On our side, we are deploying a 4.14 cluster, using ACM/Hive provisioning and we explicitly request federated ids for all the operators of the cluster.

      For your reference, here are the logs we get when the cluster's SP is Contributor of the Network RG:

      "failed to fetch Cluster: failed to generate asset \"Cluster\": failure applying terraform for \"vnet\" stage: failed to create cluster: failed to apply Terraform: exit status 1\n\nError: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client '3248d825-81f3-48a2-b4ab-403151a89a52' with object id '3248d825-81f3-48a2-b4ab-403151a89a52' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/cdd17109-82c0-4aeb-a904-eb10db79139d/resourceGroups/net-01/providers/Microsoft.Authorization/roleAssignments/37fa309b-a158-c038-d61f-2e0007887ce9' or the scope is invalid. If access was recently granted, please refresh your credentials.\"\n\n with azurerm_role_assignment.network[0],\n on main.tf line 70, in resource \"azurerm_role_assignment\" \"network\":\n 70: resource \"azurerm_role_assignment\" \"network\" {\n\n"
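As an added illustration of why a Contributor assignment is enough for the installer to create the user-assigned identity but not for the azurerm_role_assignment step (example code written for this page, not part of the OpenShift installer or of Azure), the script below evaluates Azure RBAC Actions/NotActions wildcard patterns for a few role definitions. The built-in role contents (Contributor, Owner, User Access Administrator) are transcribed from the Azure documentation as I recall them; the custom "Role Assignment Writer" role is a hypothetical least-privilege alternative to escalating the SP to Owner and is an assumption, not a role that exists in Azure. Deny assignments and DataActions are ignored.

```python
"""Azure RBAC action evaluation, added as an illustration for this RFE.

Not installer code. Built-in role definitions below are transcribed from
the Azure documentation as recalled; ROLE_ASSIGNMENT_WRITER is a
hypothetical custom role (assumption). Deny assignments and DataActions
are ignored.
"""
from fnmatch import fnmatchcase

# Built-in role definitions, Actions / NotActions only.
CONTRIBUTOR = {
    "name": "Contributor",
    "actions": ["*"],
    "not_actions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}
OWNER = {"name": "Owner", "actions": ["*"], "not_actions": []}
USER_ACCESS_ADMINISTRATOR = {
    "name": "User Access Administrator",
    "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    "not_actions": [],
}
# Hypothetical custom role (assumption): grants only what an
# azurerm_role_assignment resource needs at the resource-group scope.
ROLE_ASSIGNMENT_WRITER = {
    "name": "Role Assignment Writer (hypothetical)",
    "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleDefinitions/read",
    ],
    "not_actions": [],
}

# The two vnet-stage operations discussed in the report.
CREATE_IDENTITY = "Microsoft.ManagedIdentity/userAssignedIdentities/write"
WRITE_ROLE_ASSIGNMENT = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern: str, action: str) -> bool:
    """Action strings are case-insensitive; '*' matches any run of
    characters, including '/' separators."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """A role grants an action when some Actions pattern matches it and
    no NotActions pattern subtracts it."""
    granted = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["not_actions"])
    return granted and not excluded


def is_allowed(action: str, roles: list) -> bool:
    """Role assignments at a scope are additive: the principal may perform
    the action if any assigned role allows it."""
    return any(role_allows(r, action) for r in roles)


def report(roles: list) -> dict:
    """Evaluate both installer operations for a set of assigned roles."""
    return {
        "create_identity": is_allowed(CREATE_IDENTITY, roles),
        "write_role_assignment": is_allowed(WRITE_ROLE_ASSIGNMENT, roles),
    }


if __name__ == "__main__":
    for roles in ([CONTRIBUTOR], [OWNER], [USER_ACCESS_ADMINISTRATOR],
                  [CONTRIBUTOR, ROLE_ASSIGNMENT_WRITER]):
        names = " + ".join(r["name"] for r in roles)
        print(f"{names}: {report(roles)}")
```

Running it shows Contributor allowing the identity creation but not the role assignment (the NotActions entry Microsoft.Authorization/*/Write subtracts it), which is exactly the 403 in the log above, while the narrow hypothetical role combined with Contributor covers both operations without granting Owner.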

              mak.redhat.com Marcos Entenza Garcia
              rhn-support-cchouhan Chandan Chouhan