2.2. Manually creating IAM for AWS
2.2.1. Manually create IAM
The Cloud Credential Operator can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
Procedure
Run the OpenShift Container Platform installer to generate manifests:
$ openshift-install create manifests --dir=mycluster
Insert a config map into the manifests directory so that the Cloud Credential Operator is placed in manual mode:
$ cat <<EOF > mycluster/manifests/cco-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: cloud-credential-operator-config namespace: openshift-cloud-credential-operator annotations: release.openshift.io/create-only: "true" data: disabled: "true" EOFRemove the
admincredential secret created using your local cloud credentials. This removal prevents youradmincredential from being stored in the cluster:$ rm mycluster/openshift/99_cloud-creds-secret.yaml
Obtain the OpenShift Container Platform release image your
openshift-installbinary is built to use:$ bin/openshift-install version
Example output
release image quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64
Locate all
CredentialsRequestobjects in this release image that target the cloud you are deploying on:$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64 --to ./release-image
Locate the
CredentialsRequestsin the extracted file:$ grep -l "apiVersion: cloudcredential.openshift.io" * | xargs cat
注意In a future OpenShift Container Platform release, there will be a new
oc adm releasecommand to scan for theCredentialsRequestsand display them.This displays the details for each request. Remember to ignore any
CredentialsRequestswhere thespec.providerSpec.kinddoes not match the cloud provider you are installing to.Sample
CredentialsRequestobjectapiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: cloud-credential-operator-iam-ro namespace: openshift-cloud-credential-operator spec: secretRef: name: cloud-credential-operator-iam-ro-creds namespace: openshift-cloud-credential-operator providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: AWSProviderSpec statementEntries: - effect: Allow action: - iam:GetUser - iam:GetUserPolicy - iam:ListAccessKeys resource: "*"-
Create YAML files for secrets in the
openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in eachrequest.spec.secretRef. The format for the secret data varies for each cloud provider. Proceed with cluster creation:
$ openshift-install create cluster --dir=mycluster
重要Before performing an upgrade, you might need to adjust your credentials if permissions have changed in the next release. In the future, the Cloud Credential Operator might prevent you from upgrading until you have indicated that you have addressed updated permissions.
2.2.2. Admin credentials root secret format
Each cloud provider uses a credentials root secret in the kube-system namespace by convention, which is then used to satisfy all credentials requests and create their respective secrets. This is done either by minting new credentials, Mint Mode, or by copying the credentials root secret, Passthrough Mode.
The format for the secret varies by cloud, and is also used for each CredentialsRequest secret.
Amazon Web Services (AWS) secret format
apiVersion: v1 kind: Secret metadata: namespace: kube-system name: aws-creds stringData: aws_access_key_id: <AccessKeyID> aws_secret_access_key: <SecretAccessKey>
2.2.2.1. Upgrades
In a future release, improvements to the Cloud Credential Operator will prevent situations where a user might enter an upgrade that will fail because their manually maintained credentials have not been updated to match the CredentialsRequest objects in the upcoming release image.
2.2.3. Mint Mode
Mint Mode is supported for AWS, GCP, and Azure.
The default and recommended best practice for running OpenShift Container Platform is to run the installer with an administrator-level cloud credential. The admin credential is stored in the kube-system namespace, and then used by the Cloud Credential Operator to process the CredentialsRequest objects in the cluster and create new users for each with specific permissions.
The benefits of Mint Mode include:
- Each cluster component only has the permissions it requires.
- Automatic, on-going reconciliation for cloud credentials including upgrades, which might require additional credentials or permissions.
One drawback is that Mint Mode requires admin credential storage in a cluster kube-system secret.
2.2.4. Mint Mode with removal or rotation of the admin credential
Currently, this mode is only supported on AWS.
In this mode, a user installs OpenShift Container Platform with an admin credential just like the normal mint mode. However, this mode removes the admin credential secret from the cluster post-installation.
The administrator can have the Cloud Credential Operator make its own request for a read-only credential that allows it to verify if all CredentialsRequest objects have their required permissions, thus the admin credential is not required unless something needs to be changed. After the associated credential is removed, it can be destroyed on the underlying cloud, if desired.
Prior to upgrade, the admin credential should be restored. In the future, upgrade might be blocked if the credential is not present.
The admin credential is not stored in the cluster permanently.
This mode still requires the admin credential in the cluster for brief periods of time. It also requires manually re-instating the secret with admin credentials for each upgrade.
