Container / Cluster Management (XCM) Strategy
XCMSTRAT-48

Enable GCP workload identity federation for OSD-GCP - GCP WIF


Details

    • XCMSTRAT-25 GCP Security

    Description

      Feature Overview (aka. Goal Summary)

      As a customer deploying OpenShift Dedicated on Google Cloud, I would like to minimize the rights granted to third parties such as Red Hat, which manages my infrastructure, and to ensure that Google Cloud native IAM and the best practices for securing Google Cloud services and infrastructure are followed.

      Background on Workload Identity Federation:

      • Organizations have applications in hybrid environments. These applications rely on service account keys to access Google Cloud APIs, which are long-lived and must be well protected to avoid getting compromised.
      • GCP Workload Identity Federation enables (external) applications to replace long-lived service account keys with short-lived access tokens. It is a keyless application authentication mechanism for calling Google Cloud APIs.
      • It works by having the external application authenticate to its identity provider and receive credentials. The external application then calls the Google Security Token Service (STS) to exchange those credentials for a short-lived Google Cloud access token. That token can then be used to impersonate a service account and access Google Cloud resources.
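      The three-step exchange described above, as an added illustration that is not part of this ticket or of the OSD installer. The request shapes and endpoints follow the documented Google STS and IAM Credentials APIs; the project number, pool, provider, service account and issuer are constructed placeholders, and the STS side is a toy check that skips signature verification.

```python
import json

# Constructed placeholders (assumptions, not values from the ticket).
PROJECT_NUMBER = "123456789012"
POOL_ID, PROVIDER_ID = "osd-pool", "osd-oidc-provider"
SERVICE_ACCOUNT = "osd-installer@example-project.iam.gserviceaccount.com"
TRUSTED_ISSUER = "https://oidc.example.com"  # the external IdP the pool trusts

# Audience the external token must carry and that the STS request names.
PROVIDER_AUDIENCE = (f"//iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
                     f"workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}")

def external_token(subject: str, exp: float) -> str:
    """Step 1 stand-in: an OIDC-style token from the external IdP (constructed, unsigned)."""
    return json.dumps({"iss": TRUSTED_ISSUER, "aud": PROVIDER_AUDIENCE, "sub": subject, "exp": exp})

def sts_exchange_request(external_jwt: str) -> dict:
    """Step 2: body the app POSTs to https://sts.googleapis.com/v1/token (RFC 8693 exchange)."""
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": PROVIDER_AUDIENCE,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": external_jwt,
    }

def mock_sts(request: dict, now: float) -> dict:
    """Toy stand-in for Google STS: checks issuer, audience and expiry of the external
    token, then issues a federated token that lives one hour. The real STS also verifies
    the IdP signature via its JWKS and applies the provider's attribute conditions."""
    claims = json.loads(request["subjectToken"])
    if claims["iss"] != TRUSTED_ISSUER:
        raise PermissionError("issuer not trusted by this pool")
    if claims["aud"] != PROVIDER_AUDIENCE or request["audience"] != PROVIDER_AUDIENCE:
        raise PermissionError("audience does not match the provider")
    if claims["exp"] <= now:
        raise PermissionError("external token expired")
    return {"access_token": "federated-token", "token_type": "Bearer", "expires_in": 3600}

def impersonation_request(federated: dict, lifetime_s: int = 3600) -> tuple:
    """Step 3: generateAccessToken on the service account. The federated identity needs
    only roles/iam.workloadIdentityUser on that SA; the SA's own roles bound its access."""
    url = ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{SERVICE_ACCOUNT}:generateAccessToken")
    headers = {"Authorization": f"Bearer {federated['access_token']}"}
    body = {"scope": ["https://www.googleapis.com/auth/cloud-platform"], "lifetime": f"{lifetime_s}s"}
    return url, headers, body
```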

      Goals (aka. expected user outcomes)

      Allow Red Hat customers to take advantage of GCP Workload Identity Federation framework with better security posture when deploying and managing OpenShift Dedicated (OSD) on Google Cloud. This would be similar to customers using AWS Security Token Service (STS) or Azure Workload Identity.

      Requirements (aka. Acceptance Criteria):

      • Customers are able to follow the required steps to set up Workload Identity Federation in the Google Cloud console and pass it to the OSD installer, a.k.a. OCM.
      • OCM can install public/connected as well as private/disconnected OSD clusters on Google Cloud with Workload Identity Federation enabled.
      • Red Hat SRE and Support teams can manage the OSD clusters which have Workload Identity Federation enabled. Ensure that the Red Hat representatives are only granted the permissions required to manage the cluster and associated resources and no added permissions.
      • Document how OSD on GCP uses Workload Identity Federation.
      • Document the list of Google Cloud prerequisites for OSD with Workload Identity Federation.
      • Document the list of default specifications for installation of OSD on GCP with Workload Identity Federation.

      Use Cases (Optional):

      Use cases for Workload Identity Federation:

      • Provide keyless, short-lived credentials to access Google Cloud resources from hybrid environments. Example:
        • Workloads running in cloud provider XYZ trying to access specific resources in Google Cloud 
        • Apps running within the Google Cloud ecosystem wanting to connect with one or more GCP services 
        • An on-prem tool that deploys or manages Google Cloud resources
      • A short-term privilege escalation
      • Authorization to Google Cloud resources for identities authenticated via external/federated identity providers e.g. OIDC, AD, SAML, etc.  

      Questions to Answer (Optional) / Open questions:

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

      1. Is it possible to migrate from non-Workload Identity Federation (WIF) to WIF and, similarly, rollback from WIF-enabled clusters to non-WIF with minimum disruption and complications?  This will impact whether existing OSD customers can leverage this feature without destroying and recreating new clusters.
      2. This feature is marked as complete in Cloud Credential Operator CCO-114, but OCPBU-314 is still in "New" state. Following up with OCP Product Management on its readiness at the OCP level.

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

      Background

      Provide any additional context that is needed to frame the feature.  Initial completion during Refinement status.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.


      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

      • Document how OSD on GCP uses Workload Identity Federation.
      • Document the list of Google Cloud prerequisites for OSD with Workload Identity Federation.
      • Document the list of default specifications for installation of OSD on GCP with Workload Identity Federation.

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

            People

              rh-ee-smulkutk Shreyans Mulkutkar
              rh-ee-adejong Aaren de Jong
              Ying Zhang Ying Zhang
              Andrew Jones Andrew Jones