9.3. Manually creating IAM for GCP
In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system
namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.
9.3.1. Alternatives to storing administrator-level secrets in the kube-system project
The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the credentialsMode
parameter in the install-config.yaml
file.
If you prefer not to store an administrator-level credential secret in the cluster kube-system
project, you can choose one of the following options when installing OpenShift Container Platform:
Use manual mode with GCP Workload Identity:
You can use the CCO utility (
ccoctl
) to configure the cluster to use manual mode with GCP Workload Identity. When the CCO utility is used to configure the cluster for GCP Workload Identity, it signs service account tokens that provide short-term, limited-privilege security credentials to components.NoteCette stratégie d'informations d'identification n'est prise en charge que pour les nouveaux clusters OpenShift Container Platform et doit être configurée lors de l'installation. Vous ne pouvez pas reconfigurer un cluster existant qui utilise une stratégie d'informations d'identification différente pour utiliser cette fonctionnalité.
Manage cloud credentials manually:
You can set the
credentialsMode
parameter for the CCO toManual
to manage cloud credentials manually. Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.Remove the administrator-level credential secret after installing OpenShift Container Platform with mint mode:
If you are using the CCO with the
credentialsMode
parameter set toMint
, you can remove or rotate the administrator-level credential after installing OpenShift Container Platform. Mint mode is the default configuration for the CCO. This option requires the presence of the administrator-level credential during an installation. The administrator-level credential is used during the installation to mint other credentials with some permissions granted. The original credential secret is not stored in the cluster permanently.
Avant une mise à niveau sans z-stream, vous devez rétablir le secret d'authentification avec l'authentification de niveau administrateur. Si l'identifiant n'est pas présent, la mise à niveau risque d'être bloquée.
Ressources complémentaires
For a detailed description of all available CCO credential modes and their supported platforms, see About the Cloud Credential Operator.
9.3.2. Manually create IAM
The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system
namespace.
Procédure
Change to the directory that contains the installation program and create the
install-config.yaml
file by running the following command:openshift-install create install-config --dir <installation_directory>
où
<installation_directory>
est le répertoire dans lequel le programme d'installation crée les fichiers.Modifiez le fichier de configuration
install-config.yaml
de manière à ce qu'il contienne le paramètrecredentialsMode
fixé àManual
.Exemple
install-config.yaml
fichier de configurationapiVersion: v1 baseDomain: cluster1.example.com credentialsMode: Manual 1 compute: - architecture: amd64 hyperthreading: Enabled ...
- 1
- Cette ligne est ajoutée pour fixer le paramètre
credentialsMode
àManual
.
Generate the manifests by running the following command from the directory that contains the installation program:
$ openshift-install create manifests --dir <installation_directory>
où
<installation_directory>
est le répertoire dans lequel le programme d'installation crée les fichiers.From the directory that contains the installation program, obtain details of the OpenShift Container Platform release image that your
openshift-install
binary is built to use by running the following command:$ openshift-install version
Exemple de sortie
release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64
Locate all
CredentialsRequest
objects in this release image that target the cloud you are deploying on by running the following command:$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 \ --credentials-requests \ --cloud=gcp
This command creates a YAML file for each
CredentialsRequest
object.Sample
CredentialsRequest
objectapiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: <component-credentials-request> namespace: openshift-cloud-credential-operator ... spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: GCPProviderSpec predefinedRoles: - roles/storage.admin - roles/iam.serviceAccountUser skipServiceCheck: true ...
Create YAML files for secrets in the
openshift-install
manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in thespec.secretRef
for eachCredentialsRequest
object.Sample
CredentialsRequest
object with secretsapiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: <component-credentials-request> namespace: openshift-cloud-credential-operator ... spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 ... secretRef: name: <component-secret> namespace: <component-namespace> ...
Sample
Secret
objectapiVersion: v1 kind: Secret metadata: name: <component-secret> namespace: <component-namespace> data: service_account.json: <base64_encoded_gcp_service_account_file>
ImportantThe release image includes
CredentialsRequest
objects for Technology Preview features that are enabled by theTechPreviewNoUpgrade
feature set. You can identify these objects by their use of therelease.openshift.io/feature-set: TechPreviewNoUpgrade
annotation.- If you are not using any of these features, do not create secrets for these objects. Creating secrets for Technology Preview features that you are not using can cause the installation to fail.
- If you are using any of these features, you must create secrets for the corresponding objects.
To find
CredentialsRequest
objects with theTechPreviewNoUpgrade
annotation, run the following command:$ grep "release.openshift.io/feature-set" *
Exemple de sortie
0000_30_capi-operator_00_credentials-request.yaml: release.openshift.io/feature-set: TechPreviewNoUpgrade
From the directory that contains the installation program, proceed with your cluster creation:
$ openshift-install create cluster --dir <installation_directory>
ImportantBefore upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
Ressources complémentaires
9.3.3. Mint mode
Mint mode is the default Cloud Credential Operator (CCO) credentials mode for OpenShift Container Platform on platforms that support it. In this mode, the CCO uses the provided administrator-level cloud credential to run the cluster. Mint mode is supported for AWS and GCP.
In mint mode, the admin
credential is stored in the kube-system
namespace and then used by the CCO to process the CredentialsRequest
objects in the cluster and create users for each with specific permissions.
The benefits of mint mode include:
- Each cluster component has only the permissions it requires
- Automatic, on-going reconciliation for cloud credentials, including additional credentials or permissions that might be required for upgrades
One drawback is that mint mode requires admin
credential storage in a cluster kube-system
secret.
9.3.4. Mode Mint avec suppression ou rotation des informations d'identification au niveau de l'administrateur
Actuellement, ce mode n'est pris en charge que sur AWS et GCP.
Dans ce mode, un utilisateur installe OpenShift Container Platform avec un credential de niveau administrateur comme dans le mode normal mint. Cependant, ce processus supprime le secret d'accès de niveau administrateur du cluster après l'installation.
L'administrateur peut demander au Cloud Credential Operator de faire sa propre demande d'autorisation en lecture seule, ce qui lui permet de vérifier si tous les objets CredentialsRequest
ont les autorisations requises. L'autorisation au niveau de l'administrateur n'est donc pas nécessaire, à moins que quelque chose doive être modifié. Une fois que le justificatif d'identité associé est supprimé, il peut être supprimé ou désactivé sur le nuage sous-jacent, si on le souhaite.
Avant une mise à niveau sans z-stream, vous devez rétablir le secret d'authentification avec l'authentification de niveau administrateur. Si l'identifiant n'est pas présent, la mise à niveau risque d'être bloquée.
Les informations d'identification au niveau de l'administrateur ne sont pas stockées de manière permanente dans le cluster.
En suivant ces étapes, il est toujours nécessaire d'avoir des informations d'identification de niveau administrateur dans le cluster pendant de brèves périodes. Il faut également réinstaurer manuellement le secret avec les informations d'identification de niveau administrateur pour chaque mise à niveau.
9.3.5. Prochaines étapes
Install an OpenShift Container Platform cluster:
- Installing a cluster quickly on GCP with default options on installer-provisioned infrastructure
- Install a cluster with cloud customizations on installer-provisioned infrastructure
- Install a cluster with network customizations on installer-provisioned infrastructure