Azure Workload Identity #1301
Azure Workload Identity #1301
Conversation
|
cc @2uasimojo |
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Eric Fried <2uasimojo@users.noreply.github.com>
Co-authored-by: Eric Fried <2uasimojo@users.noreply.github.com>
Co-authored-by: Eric Fried <2uasimojo@users.noreply.github.com>
Co-authored-by: Eric Fried <2uasimojo@users.noreply.github.com>
|
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Eric Fried <2uasimojo@users.noreply.github.com>
|
After meeting with MSFT there are some aspects of managed cluster identities that we'll need to consider to make sure that this proposal fits for managed/standalone. In particular there could be a chicken and egg problem where we need to scope the permissions granted to the identity within boundaries that don't exist yet or within the network where we couldn't simply scope the identity to the subscription in a managed setting. Will hold off on pinging reviewers based on this feedback while we research this. |
|
There is an enhancement to support tagging of azure resources created by Openshift and identities created as part of this enhancement may need to support tags. Can ccoctl be enhanced to add tags to the created azure resources? |
|
@bharath-b-rh These identity resources will be created by |
|
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
|
Stale enhancement proposals rot after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle rotten |
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
| The resource group in which the installer will create infrastructure will not be known when these secrets are generated by `ccoctl` ahead of installation and operators which rely on `azure_resourcegroup` and `azure_resource_prefix` such as the | ||
| [image-registry](https://github.com/openshift/cluster-image-registry-operator/blob/8556fd48027f89e19daad36e280b60eb93d012d4/pkg/storage/azure/azure.go#L95-L100) should obtain the resource group details from the cluster `Infrastructure` object instead. |
There was a problem hiding this comment.
How are OpenShift operators with Azure SDKs consuming the credentials today? I assume the operator is configuring the SDK client based on the contents of the secret vs the SDK reading the secret as a configuration? I assume its the former?
| In order to create Azure clients which utilize a `ClientAssertionCredential`, operators must update to version `>= v1.2.0` of the azidentity package within [azure-sdk-for-go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.2.0). Ahead of this work, due to the [end of life | ||
| announcement](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454) of the Azure Active Directory Authentication Library (ADAL), PRs (ex. [openshift/cluster-ingress-operator](https://github.com/openshift/cluster-ingress-operator/pull/846)) have been opened for operators to migrate to creating clients via | ||
| azidentity which are converted into an authorizer for use with v1 clients. Once these changes have been made, we propose that OpenShift operators continue to utilize a config secret to obtain authentication details as described in the previous section but create workload identity clients when the `azure_client_secret` is absent and when `azure_federated_token_file` fields are found in the |
There was a problem hiding this comment.
I think this answers my question above on how operators configure credentials. They are configuring the SDK by reading the secret.
There was a problem hiding this comment.
Correct, today we have service principal details in the secret and operators (rather than the SDK) read that secret and configure the SDK.
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
* Add note about using the TechPreviewNoUpgrade feature gate. * Fill out support scenarios.
|
|
||
| ##### How to detect that operator credentials are incorrect / insufficient? | ||
|
|
||
| Operators will be degraded when credentials are insufficient / incorrect because operators will be unable to authenticate using the provided credentials or the permissions granted to the associated identity were insufficient. CCO will not monitor the state of the credentials on-cluster because CCO will be disabled based on clusters operating in `manual` credentials mode. |
There was a problem hiding this comment.
Please add commitment to test this. I don't think that all operators do this automatically.
There was a problem hiding this comment.
https://issues.redhat.com/browse/CCO-370
As an openshift developer I need to know that my operator goes degraded if the Azure Managed Identity is insufficient or incorrect so that my operator is admin friendly in clusters that leverage Azure Managed Identity.
Acceptance criteria:
Serial test that picks a random operator of those identified and updates it to use an invalid role reference, verify the operator goes Degraded in a timely manner. Revert, confirm return to Degraded=False
Serial test that picks a random operator of those identified and updates it to use a role with insufficient permissions (null or otherwise). Revert, confirm return to Degraded=False
@deads2k sound good?
enhancements/cloud-integration/azure/azure-workload-identity.md
Outdated
Show resolved
Hide resolved
dfb719c to
1de46ee
Compare
|
@abutcher: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sdodson The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@sdodson LGTM |
|
/hold cancel |
No description provided.