Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 3. Manually creating IAM for AWS

In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster 

kube-system
namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.

The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the 

credentialsMode
parameter in the 
install-config.yaml
file.

If you prefer not to store an administrator-level credential secret in the cluster 

kube-system
project, you can choose one of the following options when installing OpenShift Container Platform:

  • Use the Amazon Web Services Security Token Service:

    You can use the CCO utility (

    ccoctl
    ) to configure the cluster to use the Amazon Web Services Security Token Service (AWS STS). When the CCO utility is used to configure the cluster for STS, it assigns IAM roles that provide short-term, limited-privilege security credentials to components.

    Note

    This credentials strategy is supported for only new OpenShift Container Platform clusters and must be configured during installation. You cannot reconfigure an existing cluster that uses a different credentials strategy to use this feature.

  • Manage cloud credentials manually:

    You can set the 

    credentialsMode
    parameter for the CCO to 
    Manual
    to manage cloud credentials manually. Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.

  • Remove the administrator-level credential secret after installing OpenShift Container Platform with mint mode:

    If you are using the CCO with the 

    credentialsMode
    parameter set to 
    Mint
    , you can remove or rotate the administrator-level credential after installing OpenShift Container Platform. Mint mode is the default configuration for the CCO. This option requires the presence of the administrator-level credential during an installation. The administrator-level credential is used during the installation to mint other credentials with some permissions granted. The original credential secret is not stored in the cluster permanently.

Note

Prior to a non z-stream upgrade, you must reinstate the credential secret with the administrator-level credential. If the credential is not present, the upgrade might be blocked.

3.2. Manually create IAM
Link kopieren

The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster 

kube-system
namespace.

Procedure

  1. Change to the directory that contains the installation program and create the 

    install-config.yaml
    file by running the following command: 

    $ openshift-install create install-config --dir <installation_directory>

    where 

    <installation_directory>
    is the directory in which the installation program creates files.

  2. Edit the 

    install-config.yaml
    configuration file so that it contains the 
    credentialsMode
    parameter set to 
    Manual
    .

    Example install-config.yaml configuration file

    apiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual
    1 
    
compute:
- architecture: amd64
  hyperthreading: Enabled
...

    1
    This line is added to set the credentialsMode parameter to Manual.

  3. Generate the manifests by running the following command from the directory that contains the installation program: 

    $ openshift-install create manifests --dir <installation_directory>

    where 

    <installation_directory>
    is the directory in which the installation program creates files.

  4. From the directory that contains the installation program, obtain details of the OpenShift Container Platform release image that your 

    openshift-install
    binary is built to use by running the following command: 

    $ openshift-install version

    Example output

    release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64

  5. Locate all 

    CredentialsRequest
    objects in this release image that target the cloud you are deploying on by running the following command: 

    $ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 \
  --credentials-requests \
  --cloud=aws

    This command creates a YAML file for each 

    CredentialsRequest
    object.

    Sample CredentialsRequest object

    apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: <component-credentials-request>
  namespace: openshift-cloud-credential-operator
  ...
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - iam:GetUser
      - iam:GetUserPolicy
      - iam:ListAccessKeys
      resource: "*"
  ...

  6. Create YAML files for secrets in the 

    openshift-install
    manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the 
    spec.secretRef
    for each 
    CredentialsRequest
    object.

    Sample CredentialsRequest object with secrets

    apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: <component-credentials-request>
  namespace: openshift-cloud-credential-operator
  ...
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - s3:CreateBucket
      - s3:DeleteBucket
      resource: "*"
      ...
  secretRef:
    name: <component-secret>
    namespace: <component-namespace>
  ...

    Sample Secret object

    apiVersion: v1
kind: Secret
metadata:
  name: <component-secret>
  namespace: <component-namespace>
data:
  aws_access_key_id: <base64_encoded_aws_access_key_id>
  aws_secret_access_key: <base64_encoded_aws_secret_access_key>

    Important

    The release image includes 

    CredentialsRequest
    objects for Technology Preview features that are enabled by the 
    TechPreviewNoUpgrade
    feature set. You can identify these objects by their use of the 
    release.openshift.io/feature-set: TechPreviewNoUpgrade
    annotation.

    • If you are not using any of these features, do not create secrets for these objects. Creating secrets for Technology Preview features that you are not using can cause the installation to fail.
    • If you are using any of these features, you must create secrets for the corresponding objects.

    • To find 

      CredentialsRequest
      objects with the 
      TechPreviewNoUpgrade
      annotation, run the following command: 

      $ grep "release.openshift.io/feature-set" *

      Example output

      0000_30_capi-operator_00_credentials-request.yaml:  release.openshift.io/feature-set: TechPreviewNoUpgrade

  7. From the directory that contains the installation program, proceed with your cluster creation: 

    $ openshift-install create cluster --dir <installation_directory>
    Important

    Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.

3.3. Mint mode
Link kopieren

Mint mode is the default Cloud Credential Operator (CCO) credentials mode for OpenShift Container Platform on platforms that support it. In this mode, the CCO uses the provided administrator-level cloud credential to run the cluster. Mint mode is supported for AWS and GCP.

In mint mode, the 

admin
credential is stored in the 
kube-system
namespace and then used by the CCO to process the 
CredentialsRequest
objects in the cluster and create users for each with specific permissions.

The benefits of mint mode include:

  • Each cluster component has only the permissions it requires
  • Automatic, on-going reconciliation for cloud credentials, including additional credentials or permissions that might be required for upgrades

One drawback is that mint mode requires 

admin
credential storage in a cluster 
kube-system
secret.

Currently, this mode is only supported on AWS and GCP.

In this mode, a user installs OpenShift Container Platform with an administrator-level credential just like the normal mint mode. However, this process removes the administrator-level credential secret from the cluster post-installation.

The administrator can have the Cloud Credential Operator make its own request for a read-only credential that allows it to verify if all 

CredentialsRequest
objects have their required permissions, thus the administrator-level credential is not required unless something needs to be changed. After the associated credential is removed, it can be deleted or deactivated on the underlying cloud, if desired.

Note

Prior to a non z-stream upgrade, you must reinstate the credential secret with the administrator-level credential. If the credential is not present, the upgrade might be blocked.

The administrator-level credential is not stored in the cluster permanently.

Following these steps still requires the administrator-level credential in the cluster for brief periods of time. It also requires manually re-instating the secret with administrator-level credentials for each upgrade.

3.5. Next steps
Link kopieren

Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben