Spike
Resolution: Done
Major
Strategic Product Work
5
OCPSTRAT-1664 - Continuously test minimum permissions required for AWS ROSA
OpenShift SPLAT - Sprint 260
Goal:
- As a user I would like to set the minimum IAM permissions required to create an OCP cluster on AWS
Context:
After 4.16, when switching to CAPA as infrastructure provisioner, the permissions changed and tracking the changes across releases could be a challenge. The bug OCPBUGS-35378 describes an assessment request to review the existing permissions.
We are investigating how to do it by parsing events in CloudTrail across releases and deployment variants. This thread describes[1] the initial effort.
Acceptance criteria:
- Make an assessment by installing a cluster and parsing the CloudTrail events, check the outliers (missing and extra permissions), and create a report
- Check if there is any improvement or opportunities to embed in the CI workflow
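A sketch of the outlier check from the first criterion, added here as an example and not taken from the installer or CI code. The events, the principal ARN, the policy and the function names are constructed for illustration, and the eventSource-to-IAM-prefix mapping is an assumption that needs a per-service override table in practice.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample CloudTrail records (not from a real install).
INSTALLER_ARN = "arn:aws:iam::111122223333:user/installer"
SAMPLE_EVENTS = json.loads("""[
 {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/installer"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/installer"}},
 {"eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "CreateLoadBalancer", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/installer"}},
 {"eventSource": "route53.amazonaws.com",
  "eventName": "ChangeResourceRecordSets",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/installer"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/someone-else"}}
]""")
# Constructed policy under test: the documented permission list.
SAMPLE_POLICY = ["ec2:RunInstances", "ec2:Describe*",
                 "route53:ChangeResourceRecordSets", "s3:DeleteBucket"]

# Assumption: IAM prefix = first label of eventSource, except listed overrides.
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

def to_action(event):
    label = event["eventSource"].split(".")[0]
    return f"{PREFIX_OVERRIDES.get(label, label)}:{event['eventName']}"

def matches(action, pattern):
    # IAM action names are case-insensitive and support '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def assess(events, policy_actions, principal_arn):
    used, denied = set(), set()
    for ev in events:
        if ev.get("userIdentity", {}).get("arn") != principal_arn:
            continue  # only calls made by the installer principal count
        bucket = denied if ev.get("errorCode") in DENIED_CODES else used
        bucket.add(to_action(ev))
    return {
        # called by the installer but not granted by the policy
        "missing": sorted(a for a in used | denied
                          if not any(matches(a, p) for p in policy_actions)),
        # granted by the policy but never exercised successfully in this run
        "extra": sorted(p for p in policy_actions
                        if not any(matches(a, p) for a in used)),
        "denied": sorted(denied),
    }
```

An entry under "extra" only means the permission was not exercised in this one run, so reports from several releases and deployment variants have to be merged before a permission is dropped.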
Additional context and references:
- causes
  - SPLAT-1843 [aws][CI] Continuously track minimum permissions used by OpenShift cluster on AWS - Part 1 (track required permissions) (In Progress)
- is related to
  - OCPBUGS-35378 Assess whether AWS perms are still required (ASSIGNED)
- relates to
  - CORS-1514 Minimum AWS permissions should be regression tested in CI (Closed)
  - OCPSTRAT-1664 Continuously test minimum permissions required for AWS ROSA (In Progress)
- links to