Container / Cluster Management (XCM) Strategy
XCMSTRAT-304

Allow ROSA classic installer policy to be restricted using permission boundary for byo VPC use case

    • Green
    • XCMSTRAT-6 ROSA Security

      [May 8th]

      Currently pending docs publishing

      [SREP April 19]

      SDE-3508 is completed. Now just need docs to be published to complete this feature.

      [SREP Mar 14]

      • Work is continuing on SREP side

      [SREP Mar 7]

      • Team Aurora has begun work on scoping the permission sets and breaking up the policies into discrete permission sets
      • OCM work brought up in OCM<>SREP Sync on Tues, Mar 5th: ROSA CLI will need to handle logic for attaching the discrete policies

      [OCM] No OCM Impact

    • CY24Q1

      Feature Overview (aka. Goal Summary)

      When a customer brings their own VPC, the current ROSA Classic installer policy grants more permissions than that install needs (for example, permission to create a VPC).

      Rather than creating a new installer policy that omits the VPC permissions, we can use the existing --permissions-boundary option of the rosa create account-roles command to create a restricted installer role. A permissions boundary caps the role's effective permissions at the intersection of the installer policy and the boundary; it grants nothing on its own, so the installer policy itself stays unchanged and only what the role can actually do is narrowed.

      Requirements (aka. Acceptance Criteria):

      • Red Hat provides sample permissions boundary policies that customers can pass to this command:
        • #1 Policy that excludes all network creation (VPC and PrivateLink)
        • #2 Policy that excludes VPC creation but allows PrivateLink creation
      • Ensure that creating the account roles with this permissions boundary does not prevent installation of a BYO VPC cluster:
        • Test BYO VPC without PrivateLink
        • Test BYO VPC with PrivateLink
      • Documentation explains how to use the feature and what it restricts
        • e.g. the account roles created will not have permission to create a VPC
      • All ROSA clients (Terraform, ROSA CLI, UI) remain functional with this change
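      As an added illustration (not Red Hat's published sample policies and not ROSA CLI code), the following Python builds the two candidate boundary documents described in the requirements above and checks locally which installer actions survive each boundary. The specific action names, the stand-in installer policy and the probe list are assumptions chosen for the example; the real sample policies are the ones the documentation for this feature will publish.

```python
"""Added example: candidate permissions-boundary documents for a ROSA Classic
installer role used only for BYO VPC installs, plus a local check of what each
boundary leaves reachable. Action lists and the stand-in installer policy are
assumptions for illustration, not Red Hat's published sample policies."""
import fnmatch
import json

# Network-creation actions a BYO VPC install should never need (assumed list).
VPC_CREATE_ACTIONS = [
    "ec2:CreateVpc",
    "ec2:CreateSubnet",
    "ec2:CreateInternetGateway",
    "ec2:CreateNatGateway",
    "ec2:CreateRouteTable",
]
# Actions needed when the installer creates a PrivateLink endpoint (assumed list).
PRIVATELINK_ACTIONS = [
    "ec2:CreateVpcEndpoint",
    "ec2:CreateVpcEndpointServiceConfiguration",
]


def boundary_policy(denied_actions):
    """Build a permissions boundary: a '*' ceiling with explicit denies.

    A boundary never grants anything; it only caps what the role's identity
    policy (here, the installer policy) can grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Ceiling", "Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Sid": "NoNetworkCreation", "Effect": "Deny",
             "Action": sorted(denied_actions), "Resource": "*"},
        ],
    }


# #1: excludes all network creation (VPC and PrivateLink)
BOUNDARY_NO_NETWORK = boundary_policy(VPC_CREATE_ACTIONS + PRIVATELINK_ACTIONS)
# #2: excludes VPC creation but still allows PrivateLink creation
BOUNDARY_ALLOW_PRIVATELINK = boundary_policy(VPC_CREATE_ACTIONS)

# Stand-in for the broad installer policy (assumed; the real one is far longer).
INSTALLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "elasticloadbalancing:*", "iam:PassRole"],
         "Resource": "*"}
    ],
}


def _statement_verdict(document, action):
    """'deny' if an explicit Deny matches, 'allow' if an Allow matches,
    else 'implicit_deny'. IAM action matching is case-insensitive and
    supports '*' wildcards; conditions and resource ARNs are ignored here."""
    allowed = False
    for stmt in document["Statement"]:
        patterns = stmt["Action"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def effective_allow(identity_policy, boundary, action):
    """Simplified evaluation for a role with a permissions boundary: the action
    is allowed only if BOTH the identity policy and the boundary allow it and
    neither explicitly denies it."""
    return (_statement_verdict(identity_policy, action) == "allow"
            and _statement_verdict(boundary, action) == "allow")


def check_byo_vpc_profile(boundary):
    """Map a few probe actions to whether the bounded installer role keeps them."""
    probes = [
        "ec2:CreateVpc",                           # must be cut by both boundaries
        "ec2:CreateVpcEndpoint",                   # cut by #1 only
        "ec2:RunInstances",                        # still needed for any install
        "ec2:DescribeSubnets",                     # reading the BYO VPC is fine
        "elasticloadbalancing:CreateLoadBalancer",
    ]
    return {a: effective_allow(INSTALLER_POLICY, boundary, a) for a in probes}


if __name__ == "__main__":
    for name, doc in (("no-network", BOUNDARY_NO_NETWORK),
                      ("allow-privatelink", BOUNDARY_ALLOW_PRIVATELINK)):
        print(f"--- boundary {name} ---")
        print(json.dumps(doc, indent=2))
        for action, ok in check_byo_vpc_profile(doc).items():
            print(f"{action:45s} {'allowed' if ok else 'DENIED'}")
```

      The generated document is what you would hand to aws iam create-policy --policy-document file://... and then reference by ARN with rosa create account-roles --permissions-boundary <arn>. The local evaluator only models action-level Allow/Deny matching and ignores conditions and resource ARNs, so it is a sanity check on the policy's intent, not a substitute for the BYO VPC installation tests listed above.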

      Questions to Answer (Optional):

      Out of Scope

      Background

      Customer Considerations


      Documentation Considerations

      Documentation will need to be updated to indicate that the operator role names can be free-form and how that could be achieved.
