Using manual mode with Amazon Web Services Secure Token Service
Manual mode with STS is supported for Amazon Web Services (AWS).
This credentials strategy is supported for only new OKD clusters and must be configured during installation. You cannot reconfigure an existing cluster that uses a different credentials strategy to use this feature. |
About manual mode with AWS Secure Token Service
In manual mode with STS, the individual OKD cluster components use AWS Secure Token Service (STS) to assign components IAM roles that provide short-term, limited-privilege security credentials. These credentials are associated with IAM roles that are specific to each component that makes AWS API calls.
Requests for new and refreshed credentials are automated by using an appropriately configured AWS IAM OpenID Connect (OIDC) identity provider, combined with AWS IAM roles. OKD signs service account tokens that are trusted by AWS IAM, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour.
Figure 1. STS authentication flow
Using manual mode with STS changes the content of the AWS credentials that are provided to individual OKD components.
AWS secret format using long-lived credentials
apiVersion: v1
kind: Secret
metadata:
namespace: <target-namespace> (1)
name: <target-secret-name> (2)
data:
aws_access_key_id: <base64-encoded-access-key-id>
aws_secret_access_key: <base64-encoded-secret-access-key>
1 | The namespace for the component. |
2 | The name of the component secret. |
AWS secret format with STS
apiVersion: v1
kind: Secret
metadata:
namespace: <target-namespace> (1)
name: <target-secret-name> (2)
stringData:
credentials: |-
[default]
sts_regional_endpoints = regional
role_name: <operator-role-name> (3)
web_identity_token_file: <path-to-token> (4)
1 | The namespace for the component. |
2 | The name of the component secret. |
3 | The IAM role for the component. |
4 | The path to the service account token inside the pod. By convention, this is /var/run/secrets/openshift/serviceaccount/token for OKD components. |
Installing an OKD cluster configured for manual mode with STS
To install a cluster that is configured to use the Cloud Credential Operator (CCO) in manual mode with STS:
Create the required AWS resources individually, or with a single command.
Because the cluster is operating in manual mode when using STS, it is not able to create new credentials for components with the permissions that they require. When upgrading to a different minor version of OKD, there are often new AWS permission requirements. Before upgrading a cluster that is using STS, the cluster administrator must manually ensure that the AWS permissions are sufficient for existing components and available to any new components. |
Configuring the Cloud Credential Operator utility
To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode with STS, extract and prepare the CCO utility (ccoctl
) binary.
The |
Prerequisites
You have created an AWS account for the
ccoctl
to use with the following permissions:Table 1. Required AWS permissions iam
permissionss3
permissionsiam:CreateOpenIDConnectProvider
iam:CreateRole
iam:DeleteOpenIDConnectProvider
iam:DeleteRole
iam:DeleteRolePolicy
iam:GetOpenIDConnectProvider
iam:GetRole
iam:GetUser
iam:ListOpenIDConnectProviders
iam:ListRolePolicies
iam:ListRoles
iam:PutRolePolicy
iam:TagOpenIDConnectProvider
iam:TagRole
s3:CreateBucket
s3:DeleteBucket
s3:DeleteObject
s3:GetBucketAcl
s3:GetBucketTagging
s3:GetObject
s3:GetObjectAcl
s3:GetObjectTagging
s3:ListBucket
s3:PutBucketAcl
s3:PutBucketTagging
s3:PutObject
s3:PutObjectAcl
s3:PutObjectTagging
Procedure
Obtain the OKD release image by running the following command:
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
Obtain the CCO container image from the OKD release image by running the following command:
$ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)
Ensure that the architecture of the
$RELEASE_IMAGE
matches the architecture of the environment in which you will use theccoctl
tool.Extract the
ccoctl
binary from the CCO container image within the OKD release image by running the following command:$ oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
Change the permissions to make
ccoctl
executable by running the following command:$ chmod 775 ccoctl
Verification
To verify that
ccoctl
is ready to use, display the help file by running the following command:$ ccoctl --help
Output of
ccoctl --help
:OpenShift credentials provisioning tool
Usage:
ccoctl [command]
Available Commands:
alibabacloud Manage credentials objects for alibaba cloud
aws Manage credentials objects for AWS cloud
gcp Manage credentials objects for Google cloud
help Help about any command
ibmcloud Manage credentials objects for IBM Cloud
nutanix Manage credentials objects for Nutanix
Flags:
-h, --help help for ccoctl
Use "ccoctl [command] --help" for more information about a command.
Creating AWS resources with the Cloud Credential Operator utility
You can use the CCO utility (ccoctl
) to create the required AWS resources individually, or with a single command.
Creating AWS resources individually
If you need to review the JSON files that the ccoctl
tool creates before modifying AWS resources, or if the process the ccoctl
tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. For example, this option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
Otherwise, you can use the ccoctl aws create-all
command to create the AWS resources automatically.
By default, Some |
Prerequisites
- Extract and prepare the
ccoctl
binary.
Procedure
Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster:
$ ccoctl aws create-key-pair
Example output:
2021/04/13 11:01:02 Generating RSA keypair
2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private
2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public
2021/04/13 11:01:03 Copying signing key for use by installer
where
serviceaccount-signer.private
andserviceaccount-signer.public
are the generated key files.This command also creates a private key that the cluster requires during installation in
/<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key
.Create an OpenID Connect identity provider and S3 bucket on AWS:
$ ccoctl aws create-identity-provider \
--name=<name> \
--region=<aws_region> \
--public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public
where:
<name>
is the name used to tag any cloud resources that are created for tracking.<aws-region>
is the AWS region in which cloud resources will be created.<path_to_ccoctl_output_dir>
is the path to the public key file that theccoctl aws create-key-pair
command generated.
Example output:
2021/04/13 11:16:09 Bucket <name>-oidc created
2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated
2021/04/13 11:16:10 Reading public key
2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated
2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com
where
openid-configuration
is a discovery document andkeys.json
is a JSON web key set file.This command also creates a YAML configuration file in
/<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml
. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.Create IAM roles for each component in the cluster.
Extract the list of
CredentialsRequest
objects from the OKD release image:$ oc adm release extract --credentials-requests \
--cloud=aws \
--to=<path_to_directory_with_list_of_credentials_requests>/credrequests (1)
--from=quay.io/<path_to>/ocp-release:<version>
1 credrequests
is the directory where the list ofCredentialsRequest
objects is stored. This command creates the directory if it does not exist.If your cluster uses cluster capabilities to disable one or more optional components, delete the
CredentialsRequest
custom resources for any disabled components.Example
credrequests
directory contents for OKD 4.12 on AWS0000_30_machine-api-operator_00_credentials-request.yaml (1)
0000_50_cloud-credential-operator_05-iam-ro-credentialsrequest.yaml (2)
0000_50_cluster-image-registry-operator_01-registry-credentials-request.yaml (3)
0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml (4)
0000_50_cluster-network-operator_02-cncc-credentials.yaml (5)
0000_50_cluster-storage-operator_03_credentials_request_aws.yaml (6)
1 The Machine API Operator CR is required. 2 The Cloud Credential Operator CR is required. 3 The Image Registry Operator CR is required. 4 The Ingress Operator CR is required. 5 The Network Operator CR is required. 6 The Storage Operator CR is an optional component and might be disabled in your cluster. Use the
ccoctl
tool to process allCredentialsRequest
objects in thecredrequests
directory:$ ccoctl aws create-iam-roles \
--name=<name> \
--region=<aws_region> \
--credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests \
--identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com
For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the
—region
parameter.If your cluster uses Technology Preview features that are enabled by the
TechPreviewNoUpgrade
feature set, you must include the—enable-tech-preview
parameter.For each
CredentialsRequest
object,ccoctl
creates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in eachCredentialsRequest
object from the OKD release image.
Verification
To verify that the OKD secrets are created, list the files in the
<path_to_ccoctl_output_dir>/manifests
directory:$ ll <path_to_ccoctl_output_dir>/manifests
Example output:
total 24
-rw-------. 1 <user> <user> 161 Apr 13 11:42 cluster-authentication-02-config.yaml
-rw-------. 1 <user> <user> 379 Apr 13 11:59 openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds-credentials.yaml
-rw-------. 1 <user> <user> 353 Apr 13 11:59 openshift-cluster-csi-drivers-ebs-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 355 Apr 13 11:59 openshift-image-registry-installer-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 339 Apr 13 11:59 openshift-ingress-operator-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 337 Apr 13 11:59 openshift-machine-api-aws-cloud-credentials-credentials.yaml
You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles.
Creating AWS resources with a single command
If you do not need to review the JSON files that the ccoctl
tool creates before modifying AWS resources, and if the process the ccoctl
tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all
command to automate the creation of AWS resources.
Otherwise, you can create the AWS resources individually.
By default, |
Prerequisites
You must have:
- Extracted and prepared the
ccoctl
binary.
Procedure
Extract the list of
CredentialsRequest
objects from the OKD release image:$ oc adm release extract \
--credentials-requests \
--cloud=aws \
--to=<path_to_directory_with_list_of_credentials_requests>/credrequests \ (1)
--from=quay.io/<path_to>/ocp-release:<version>
1 credrequests
is the directory where the list ofCredentialsRequest
objects is stored. This command creates the directory if it does not exist.This command can take a few moments to run.
If your cluster uses cluster capabilities to disable one or more optional components, delete the
CredentialsRequest
custom resources for any disabled components.Example
credrequests
directory contents for OKD 4.12 on AWS0000_30_machine-api-operator_00_credentials-request.yaml (1)
0000_50_cloud-credential-operator_05-iam-ro-credentialsrequest.yaml (2)
0000_50_cluster-image-registry-operator_01-registry-credentials-request.yaml (3)
0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml (4)
0000_50_cluster-network-operator_02-cncc-credentials.yaml (5)
0000_50_cluster-storage-operator_03_credentials_request_aws.yaml (6)
1 The Machine API Operator CR is required. 2 The Cloud Credential Operator CR is required. 3 The Image Registry Operator CR is required. 4 The Ingress Operator CR is required. 5 The Network Operator CR is required. 6 The Storage Operator CR is an optional component and might be disabled in your cluster. Use the
ccoctl
tool to process allCredentialsRequest
objects in thecredrequests
directory:$ ccoctl aws create-all \
--name=<name> \(1)
--region=<aws_region> \(2)
--credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests \(3)
--output-dir=<path_to_ccoctl_output_dir> \(4)
--create-private-s3-bucket (5)
1 Specify the name used to tag any cloud resources that are created for tracking. 2 Specify the AWS region in which cloud resources will be created. 3 Specify the directory containing the files for the component CredentialsRequest
objects.4 Optional: Specify the directory in which you want the ccoctl
utility to create objects. By default, the utility creates objects in the directory in which the commands are run.5 Optional: By default, the ccoctl
utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the—create-private-s3-bucket
parameter.If your cluster uses Technology Preview features that are enabled by the
TechPreviewNoUpgrade
feature set, you must include the—enable-tech-preview
parameter.
Verification
To verify that the OKD secrets are created, list the files in the
<path_to_ccoctl_output_dir>/manifests
directory:$ ls <path_to_ccoctl_output_dir>/manifests
Example output:
cluster-authentication-02-config.yaml
openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds-credentials.yaml
openshift-cluster-csi-drivers-ebs-cloud-credentials-credentials.yaml
openshift-image-registry-installer-cloud-credentials-credentials.yaml
openshift-ingress-operator-cloud-credentials-credentials.yaml
openshift-machine-api-aws-cloud-credentials-credentials.yaml
You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles.
Running the installer
Prerequisites
Configure an account with the cloud platform that hosts your cluster.
Obtain the OKD release image.
Procedure
Change to the directory that contains the installation program and create the
install-config.yaml
file:$ openshift-install create install-config --dir <installation_directory>
where
<installation_directory>
is the directory in which the installation program creates files.Edit the
install-config.yaml
configuration file so that it contains thecredentialsMode
parameter set toManual
.Example
install-config.yaml
configuration fileapiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual (1)
compute:
- architecture: amd64
hyperthreading: Enabled
1 This line is added to set the credentialsMode
parameter toManual
.Create the required OKD installation manifests:
$ openshift-install create manifests
Copy the manifests that
ccoctl
generated to the manifests directory that the installation program created:$ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/
Copy the private key that the
ccoctl
generated in thetls
directory to the installation directory:$ cp -a /<path_to_ccoctl_output_dir>/tls .
Run the OKD installer:
$ ./openshift-install create cluster
Verifying the installation
Connect to the OKD cluster.
Verify that the cluster does not have
root
credentials:$ oc get secrets -n kube-system aws-creds
The output should look similar to:
Error from server (NotFound): secrets "aws-creds" not found
Verify that the components are assuming the IAM roles that are specified in the secret manifests, instead of using credentials that are created by the CCO:
Example command with the Image Registry Operator
$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o json | jq -r .data.credentials | base64 --decode
The output should show the role and web identity token that are used by the component and look similar to:
Example output with the Image Registry Operator
[default]
role_arn = arn:aws:iam::123456789:role/openshift-image-registry-installer-cloud-credentials
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
Upgrading an OKD cluster configured for manual mode with STS
The release image for the version of OKD that you are upgrading to contains a version of the ccoctl
binary and list of CredentialsRequest
objects specific to that release.
Configuring the Cloud Credential Operator utility
To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode with STS, extract and prepare the CCO utility (ccoctl
) binary.
The |
Prerequisites
You have created an AWS account for the
ccoctl
to use with the following permissions:Table 2. Required AWS permissions iam
permissionss3
permissionsiam:CreateOpenIDConnectProvider
iam:CreateRole
iam:DeleteOpenIDConnectProvider
iam:DeleteRole
iam:DeleteRolePolicy
iam:GetOpenIDConnectProvider
iam:GetRole
iam:GetUser
iam:ListOpenIDConnectProviders
iam:ListRolePolicies
iam:ListRoles
iam:PutRolePolicy
iam:TagOpenIDConnectProvider
iam:TagRole
s3:CreateBucket
s3:DeleteBucket
s3:DeleteObject
s3:GetBucketAcl
s3:GetBucketTagging
s3:GetObject
s3:GetObjectAcl
s3:GetObjectTagging
s3:ListBucket
s3:PutBucketAcl
s3:PutBucketTagging
s3:PutObject
s3:PutObjectAcl
s3:PutObjectTagging
Procedure
Obtain the OKD release image by running the following command:
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
Obtain the CCO container image from the OKD release image by running the following command:
$ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)
Ensure that the architecture of the
$RELEASE_IMAGE
matches the architecture of the environment in which you will use theccoctl
tool.Extract the
ccoctl
binary from the CCO container image within the OKD release image by running the following command:$ oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
Change the permissions to make
ccoctl
executable by running the following command:$ chmod 775 ccoctl
Verification
To verify that
ccoctl
is ready to use, display the help file by running the following command:$ ccoctl --help
Output of
ccoctl --help
:OpenShift credentials provisioning tool
Usage:
ccoctl [command]
Available Commands:
alibabacloud Manage credentials objects for alibaba cloud
aws Manage credentials objects for AWS cloud
gcp Manage credentials objects for Google cloud
help Help about any command
ibmcloud Manage credentials objects for IBM Cloud
nutanix Manage credentials objects for Nutanix
Flags:
-h, --help help for ccoctl
Use "ccoctl [command] --help" for more information about a command.
Updating cloud provider resources with the Cloud Credential Operator utility
The process for upgrading an OKD cluster configured for manual mode with STS is similar to creating the cloud provider resources during installation.
By default, Some |
Prerequisites
Obtain the OKD release image for the version that you are upgrading to.
Extract and prepare the
ccoctl
binary from the release image.
Procedure
Extract the list of
CredentialsRequest
custom resources (CRs) from the OKD release image by running the following command:$ oc adm release extract --credentials-requests \
--cloud=aws \
--to=<path_to_directory_with_list_of_credentials_requests>/credrequests \ (1)
quay.io/<path_to>/ocp-release:<version>
1 credrequests
is the directory where the list ofCredentialsRequest
objects is stored. This command creates the directory if it does not exist.For each
CredentialsRequest
CR in the release image, ensure that a namespace that matches the text in thespec.secretRef.namespace
field exists in the cluster. This field is where the generated secrets that hold the credentials configuration are stored.Sample AWS
CredentialsRequest
objectapiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: cloud-credential-operator-iam-ro
namespace: openshift-cloud-credential-operator
spec:
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AWSProviderSpec
statementEntries:
- effect: Allow
action:
- iam:GetUser
- iam:GetUserPolicy
- iam:ListAccessKeys
resource: "*"
secretRef:
name: cloud-credential-operator-iam-ro-creds
namespace: openshift-cloud-credential-operator (1)
1 This field indicates the namespace which needs to exist to hold the generated secret. For any
CredentialsRequest
CR for which the cluster does not already have a namespace with the name specified inspec.secretRef.namespace
, create the namespace by running the following command:$ oc create namespace <component_namespace>
Use the
ccoctl
tool to process allCredentialsRequest
objects in thecredrequests
directory by running the following command:$ ccoctl aws create-iam-roles \
--name=<name> \
--region=<aws_region> \
--credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests \
--identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<cluster_name>-oidc.s3.<aws_region>.amazonaws.com
where:
<name>
is the name used to tag any cloud resources that are created for tracking. For upgrades, use the same value that was used for the initial installation.<aws_account_id>
is the AWS account ID.<aws_region>
is the AWS region in which cloud resources will be created.<aws_account_id>
,<cluster_name>
, and<aws_region>
are standard elements of the Amazon Resource Name (ARN) for your cluster, provided here to illustrate the format of an ARN. You can obtain the ARN for your cluster’s identity provider from the Identity Providers menu in the AWS IAM console.
For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the
—region
parameter.If your cluster uses Technology Preview features that are enabled by the
TechPreviewNoUpgrade
feature set, you must include the—enable-tech-preview
parameter.For each
CredentialsRequest
object,ccoctl
creates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in eachCredentialsRequest
object from the OKD release image.Apply the secrets to your cluster by running the following command:
$ ls <path_to_ccoctl_output_dir>/manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
Verification
You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles.
Upgrading clusters with manually maintained credentials
The Cloud Credential Operator (CCO) Upgradable
status for a cluster with manually maintained credentials is False
by default.
For minor releases, for example, from 4.11 to 4.12, this status prevents you from upgrading until you have addressed any updated permissions and annotated the
CloudCredential
resource to indicate that the permissions are updated as needed for the next version. This annotation changes theUpgradable
status toTrue
.For z-stream releases, for example, from 4.12.0 to 4.12.1, no permissions are added or changed, so the upgrade is not blocked.
Before upgrading a cluster with manually maintained credentials, you must create any new credentials for the release image that you are upgrading to. Additionally, you must review the required permissions for existing credentials and accommodate any new permissions requirements in the new release for those components.
Procedure
Extract and examine the
CredentialsRequest
custom resource for the new release.The “Manually creating IAM” section of the installation content for your cloud provider explains how to obtain and use the credentials required for your cloud.
Update the manually maintained credentials on your cluster:
Create new secrets for any
CredentialsRequest
custom resources that are added by the new release image.If the
CredentialsRequest
custom resources for any existing credentials that are stored in secrets have changed their permissions requirements, update the permissions as required.
If your cluster uses cluster capabilities to disable one or more optional components, delete the
CredentialsRequest
custom resources for any disabled components.When all of the secrets are correct for the new release, indicate that the cluster is ready to upgrade:
Log in to the OKD CLI as a user with the
cluster-admin
role.Edit the
CloudCredential
resource to add anupgradeable-to
annotation within themetadata
field:$ oc edit cloudcredential cluster
Text to add
...
metadata:
annotations:
cloudcredential.openshift.io/upgradeable-to: <version_number>
...
Where
<version_number>
is the version you are upgrading to, in the formatx.y.z
. For example,4.8.2
for OKD 4.8.2.It may take several minutes after adding the annotation for the upgradeable status to change.
Verification
In the Administrator perspective of the web console, navigate to Administration → Cluster Settings.
To view the CCO status details, click cloud-credential in the Cluster Operators list.
- If the Upgradeable status in the Conditions section is False, verify that the
upgradeable-to
annotation is free of typographical errors. When the Upgradeable status in the Conditions section is True, you can begin the OKD upgrade.
- If the Upgradeable status in the Conditions section is False, verify that the