$ openshift-install create manifests --dir=mycluster
The Cloud Credential Operator can be put into manual mode prior to installation
in environments where the cloud identity and access management (IAM) APIs are
not reachable, or the administrator prefers not to store an administrator-level
credential secret in the cluster kube-system
namespace.
Run the OpenShift Container Platform installer to generate manifests:
$ openshift-install create manifests --dir=mycluster
Insert a config map into the manifests directory so that the Cloud Credential Operator is placed in manual mode:
$ cat <<EOF > mycluster/manifests/cco-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cloud-credential-operator-config
namespace: openshift-cloud-credential-operator
annotations:
release.openshift.io/create-only: "true"
data:
disabled: "true"
EOF
Remove the admin
credential secret created using your local cloud credentials.
This removal prevents your admin
credential from being stored in the cluster:
$ rm mycluster/openshift/99_cloud-creds-secret.yaml
Obtain the OpenShift Container Platform release image your openshift-install
binary is built
to use:
$ bin/openshift-install version
release image quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64
Locate all CredentialsRequest
objects in this release image that target the cloud you
are deploying on:
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64 --to ./release-image
Locate the CredentialsRequests
in the extracted file:
$ grep -l "apiVersion: cloudcredential.openshift.io" * | xargs cat
In a future OpenShift Container Platform release, there will be a new |
This displays the details for each request. Remember to ignore any
CredentialsRequests
where the spec.providerSpec.kind
does not match the cloud
provider you are installing to.
CredentialsRequest
objectapiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: cloud-credential-operator-iam-ro
namespace: openshift-cloud-credential-operator
spec:
secretRef:
name: cloud-credential-operator-iam-ro-creds
namespace: openshift-cloud-credential-operator
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AWSProviderSpec
statementEntries:
- effect: Allow
action:
- iam:GetUser
- iam:GetUserPolicy
- iam:ListAccessKeys
resource: "*"
Create YAML files for secrets in the openshift-install
manifests directory
that you generated previously. The secrets must be stored using the namespace
and secret name defined in each request.spec.secretRef
. The format for the
secret data varies for each cloud provider.
Proceed with cluster creation:
$ openshift-install create cluster --dir=mycluster
Before performing an upgrade, you might need to adjust your credentials if permissions have changed in the next release. In the future, the Cloud Credential Operator might prevent you from upgrading until you have indicated that you have addressed updated permissions. |
Each cloud provider uses a credentials root secret in the kube-system
namespace by convention, which is then used to satisfy all credentials requests
and create their respective secrets. This is done either by minting new
credentials, Mint Mode, or by copying the credentials root secret,
Passthrough Mode.
The format for the secret varies by cloud, and is also used for each
CredentialsRequest
secret.
apiVersion: v1
kind: secret
metadata:
namespace: kube-system
name: aws-creds
stringData:
aws_access_key_id: <AccessKeyID>
aws_secret_access_key: <secretAccessKey>
Mint Mode is supported for AWS, GCP, and Azure.
The default and recommended best practice for running OpenShift Container Platform is to run
the installer with an administrator-level cloud credential. The admin
credential is
stored in the kube-system
namespace, and then used by the Cloud Credential
Operator to process the CredentialsRequest
objects in the cluster and create new users
for each with specific permissions.
The benefits of Mint Mode include:
Each cluster component only has the permissions it requires.
Automatic, on-going reconciliation for cloud credentials including upgrades, which might require additional credentials or permissions.
One drawback is that Mint Mode requires admin
credential storage in a cluster
kube-system
secret.
Currently, this mode is only supported on AWS.
In this mode, a user installs OpenShift Container Platform with an admin
credential just
like the normal mint mode. However, this mode removes the admin
credential
secret from the cluster post-installation.
The administrator can have the Cloud Credential Operator make its own request
for a read-only credential that allows it to verify if all CredentialsRequest
objects
have their required permissions, thus the admin
credential is not required
unless something needs to be changed. After the associated credential is
removed, it can be destroyed on the underlying cloud, if desired.
Prior to upgrade, the admin
credential should be restored. In the future,
upgrade might be blocked if the credential is not present.
The admin
credential is not stored in the cluster permanently.
This mode still requires the admin
credential in the cluster for brief periods
of time. It also requires manually re-instating the secret with admin
credentials for each upgrade.