XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Labels:
- needs-refinement

Epic Name:
[aws] Continuously track minimum permissions used by OpenShift cluster on AWS - Part 2 (track required permissions)
Activity Type:
Product / Portfolio Work
Parent Link:
OCPSTRAT-2000Continuosly test minimum permissions required for AWS ROSA - Phase II
Hierarchy Progress Bar:

100% To Do, 0% In Progress, 0% Done
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected
Size:
None

Target Version:

openshift-4.18
Release Blocker:
None

Story Points:
18

Epic Goal (WIP/Planning)

Create enhancement proposal from draft https://docs.google.com/document/d/1KnRIpLr5683SVSzJAvaXGANWLh4JQWOcPOUr8kZsqc4/edit?tab=t.0
Implement a CI informer job with standard OCP on AWS IPI installation and default e2e conformance
Open existing issues/restrictions/recommendations/improvements of IAM policies captured by the informer job
Capture the phased work described in EP

TBD from previous work SPLAT-1843:

Provide a mechanism/solution to track IAM permissions used by components during a cluster life cycle (install, run e2e, destroy) when deploying a cluster on AWS in a CI job, getting quickly feedback of permissions requested (created) versus required (used/API Calls), targeting to:
- fine granted minimum permissions required
- enable short feedback to dependent components (such as managed services to update managed IAM Roles/policies)

Why is this important?

Contribute to fine grant minimum IAM policies used by installer to install a cluster on AWS
Contribute to components track which permissions has been required during some exercise (e2e)
Track IAM policy changes when bumping dependencies (such as CAPA for installer)
Quick feedback to managed services to decrease total time to review managed policies by ROSA

Scenarios

Acceptance Criteria

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.
...

Dependencies (internal and external)

Previous Work (Optional):

Open questions::

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

Engineering references

Spike with exploration of an option to provide signals in CI PR ~~SPLAT-1816~~

clones

SPLAT-1843 [aws][CI] Continuously track minimum permissions used by OpenShift cluster on AWS - Part 1 (draft the proposal)

Dev Complete

is blocked by

SPLAT-1843 [aws][CI] Continuously track minimum permissions used by OpenShift cluster on AWS - Part 1 (draft the proposal)

Dev Complete

Assignee:: Marco Braga

Reporter:: Marco Braga

Need Info From:: None

Contributors:: None

QA Contact:: Yunfei Jiang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/03/20 2:11 AM

Updated:: 2025/08/07 2:56 AM

Details

Description

Epic Goal (WIP/Planning)

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions::

Done Checklist

Engineering references

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates