Manually creating IAM for Azure
In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system
namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.
Alternatives to storing administrator-level secrets in the kube-system project
The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the credentialsMode
parameter in the install-config.yaml
file.
If you prefer not to store an administrator-level credential secret in the cluster kube-system
project, you can set the credentialsMode
parameter for the CCO to Manual
when installing OKD and manage your cloud credentials manually.
Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
Additional resources
- For a detailed description of all available CCO credential modes and their supported platforms, see About the Cloud Credential Operator.
Manually create IAM
The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system
namespace.
Procedure
Change to the directory that contains the installation program and create the
install-config.yaml
file:$ openshift-install create install-config --dir <installation_directory>
where
<installation_directory>
is the directory in which the installation program creates files.Edit the
install-config.yaml
configuration file so that it contains thecredentialsMode
parameter set toManual
.Example
install-config.yaml
configuration fileapiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual (1)
compute:
- architecture: amd64
hyperthreading: Enabled
...
1 This line is added to set the credentialsMode
parameter toManual
.Generate the manifests by running the following command from the directory that contains the installation program:
$ openshift-install create manifests --dir <installation_directory>
where:
<installation_directory>
Specifies the directory in which the installation program creates files.
From the directory that contains the installation program, obtain details of the OKD release image that your
openshift-install
binary is built to use:$ openshift-install version
Example output
release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64
Locate all
CredentialsRequest
objects in this release image that target the cloud you are deploying on:$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=azure
This command creates a YAML file for each
CredentialsRequest
object.Sample
CredentialsRequest
objectapiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
labels:
controller-tools.k8s.io: "1.0"
name: openshift-image-registry-azure
namespace: openshift-cloud-credential-operator
spec:
secretRef:
name: installer-cloud-credentials
namespace: openshift-image-registry
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AzureProviderSpec
roleBindings:
- role: Contributor
Create YAML files for secrets in the
openshift-install
manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in thespec.secretRef
for eachCredentialsRequest
object.The release image includes
CredentialsRequest
objects for Technology Preview features that are enabled by theTechPreviewNoUpgrade
feature set. You can identify these objects by their use of therelease.openshift.io/feature-set: TechPreviewNoUpgrade
annotation.If you are not using any of these features, do not create secrets for these objects. Creating secrets for Technology Preview features that you are not using can cause the installation to fail.
If you are using any of these features, you must create secrets for the corresponding objects.
To find
CredentialsRequest
objects with theTechPreviewNoUpgrade
annotation, run the following command:$ grep "release.openshift.io/feature-set" *
Example output
0000_30_capi-operator_00_credentials-request.yaml: release.openshift.io/feature-set: TechPreviewNoUpgrade
From the directory that contains the installation program, proceed with your cluster creation:
$ openshift-install create cluster --dir <installation_directory>
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
Additional resources
Next steps
Install an OKD cluster:
Installing a cluster quickly on Azure with default options on installer-provisioned infrastructure
Install a cluster with cloud customizations on installer-provisioned infrastructure
Install a cluster with network customizations on installer-provisioned infrastructure