Feature
Resolution: Unresolved
Normal
Feature Overview (aka. Goal Summary)
In order to benefit from operator roles that use AWS managed policies more widely than just in HCP, ROSA Classic clusters ought to use AWS managed policies for their operator roles as well.
As of a specific version or date, ROSA Classic clusters would use the AWS managed policies by default.
Requirements (aka. Acceptance Criteria):
- New clusters created as of a TBD version or date would have operator roles that attach AWS managed policies by default.
- Customers that still wish to use customer-managed policies may do so.
- Documentation provides details about all of the above to allow customers to make an informed decision as to which one they should use.
- All clients of ROSA would be functional with this change (Terraform, ROSA CLI, UI)
Questions to Answer (Optional):
Would this break our current ROSA UI without adapting it?
Should we default to AWS managed operator role policies and not allow going back to self-managed policies?
Background
The operator roles and their respective policies currently consist of 6 pairs. If we can confirm that the set of operators needed will not diverge between OCP and HyperShift in the future, then we can use the same roles and policies for ROSA Classic as for ROSA HCP. With the same roles and policies available for both architectures, there are fewer IAM resources to manage and less risk when upgrading clusters.
Customer Considerations
What if a customer wants, for some reason, a separate set of roles/policies for HCP and Classic architecture clusters? No immediate need for this is known, but it is one possibility to consider.
Documentation Considerations
Documentation will need to be updated to indicate that the operator role names can be free-form and how that could be achieved.
- blocks: XCMSTRAT-302 ROSA - custom operator role names (New)
- clones: XCMSTRAT-302 ROSA - custom operator role names (New)
- is cloned by: XCMSTRAT-304 Allow ROSA classic installer policy to be restricted using permission boundary for byo VPC use case (In Progress)