The cloud credential operator is a controller that will sync on CredentialsRequest custom resources. CredentialsRequests allow OpenShift components to request fine-grained credentials for a particular cloud provider (as opposed to using the admin credentials, or elevated permissions granted via instance roles).
Currently the operator supports AWS, Azure, GCP, KubeVirt, OpenStack. oVirt and VMWare.
Each cloud provider utilizes a credentials root secret in the kube-system namespace (by convention), which is then used to satisfy all CredentialsRequests and create their respective Secrets. (either by minting new credentials (mint mode), or by copying the credentials root secret (passthrough mode))
The format for the secret varies by cloud, and is also used for each CredentialsRequest Secret.
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: aws-creds
data:
aws_access_key_id: Base64encodeAccessKeyID
aws_secret_access_key: Base64encodeSecretAccessKey
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: azure-credentials
data:
azure_subscription_id: Base64encodeSubscriptionID
azure_client_id: Base64encodeClientID
azure_client_secret: Base64encodeClientSecret
azure_tenant_id: Base64encodeTenantID
azure_resource_prefix: Base64encodeResourcePrefix
azure_resourcegroup: Base64encodeResourceGroup
azure_region: Base64encodeRegion
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: gcp-credentials
data:
service_account.json: Base64encodeServiceAccount
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: kubevirt-credentials
data:
kubeconfig: Base64encodeKubeconfig
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: openstack-credentials
data:
clouds.yaml: Base64encodeCloudCreds
clouds.conf: Base64encodeCloudCredsINI
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: ovirt-credentials
data:
ovirt_url: Base64encodeURL
ovirt_username: Base64encodeUsername
ovirt_password: Base64encodePassword
ovirt_insecure: Base64encodeInsecure
ovirt_ca_bundle: Base64encodeCABundle
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: vsphere-creds
data:
{{VCenter.username}}: Base64encodeUsername
{{VCenter.password}}: Base64encodePassword
Source of templates:
The default and recommended best practice for running OpenShift is to run the installer with an admin level cloud credential. The admin credential is stored in kube-system namespace and then used by the cloud credential operator to process the CredentialRequests in the cluster and create new users for each with fine grained permissions.
Pros:
Cons:
Supported clouds: AWS, GCP
In this mode a user installs OpenShift with an admin credential per the normal mint mode, but removes the admin credential Secret from the cluster after installation. The cloud credential operator makes its own request for a read-only credential that allows it to verify if all CredentialsRequests have their required permissions, thus the admin credential is not needed unless something needs to be changed (e.g. on upgrade). Once removed the associated credential could then be destroyed on the underlying cloud if desired.
Prior to upgrade, the admin credential should be restored. In the future upgrade may be blocked if the credential is not present (see the Secret formats above).
Pros:
Cons:
Supported clouds: AWS, GCP
In this mode a user installs OpenShift with a single credential that is not an admin and cannot mint additional credentials, but itself has enough permissions to perform the installation as well as all operations needed by all components in the cluster. The cloud credential operator then shares this credential to each component.
Your passthrough mode credential will need to be manually maintained if CredentialsRequests change over time as the cluster is upgraded. This should be checked prior to every upgrade, and in the future you may be required to confirm you have done so if a change in CredentialsRequests is detected.
By default the permissions needed only for installation are required, however it is possible to reduce the permissions on your credential after install to just what is needed to run the cluster (as defined by the CredentialsRequests in the current release image). See the secret formats above for details on how to do this.
Pros:
Cons:
Supported clouds: AWS, GCP, Azure, VMWare, OpenStack, oVirt, KubeVirt
In this mode a user manually performs the job of the cloud credential operator. This requires examining the CredentialsRequests in an OpenShift 4 release image, creating credentials in the underlying cloud provider, and finally creating Kubernetes Secrets in the correct namespaces to satisfy all CredentialsRequests for the cluster's cloud provider.
Pros:
Cons:
Supported clouds: AWS
OpenShift can be configured to use short-lived credentials for different in-cluster components. It enables an authentication flow allowing a component to assume a cloud role resulting in short-lived credentials. It also automates requesting and refreshing of credentials using an OpenID Connect (OIDC) Identity Provider. OpenShift can sign ServiceAccount tokens trusted by the OIDC provider, which can be projected into a Pod and used for authentication.
Pros:
Cons:
Read more about supported clouds by clicking on the links below:
Cloud | Mint | Mint + Remove Admin Cred | Passthrough | Manual | Token |
---|---|---|---|---|---|
AWS | Y | 4.4+ | Y | 4.3+ | 4.8+ |
Azure | N1 | N | Y | Y | 4.14+ |
GCP | Y | 4.7+ | Y | Y | 4.10+ |
IBMCloud | N | N | N | Y | N |
KubeVirt | N | N | Y | N | N |
Nutanix | N | N | N | Y | N |
OpenStack | N | N | Y | N | N |
oVirt | N | N | Y | N | N |
VMWare | N | N | Y | N | N |
1 Mint mode was previously supported, but with the sunsetting of the Azure Active Directory Graph API, Mint mode support on Azure has since been removed.
Login to a cluster with admin credentials:
$ make install
$ make run
NOTE: To keep the in-cluster versions of the code from conflicting with your local copy, you should scale down the deployments for cloud-credential-operator and cluster-version-operator
$ kubectl scale -n openshift-cluster-version deployment.v1.apps/cluster-version-operator --replicas=0
$ kubectl scale -n openshift-cloud-credential-operator deployment.v1.apps/cloud-credential-operator --replicas=0
As an alternative to disabling the cluster verison operator entirely, you can add the CCO Deployment as an unmanaged object into the clusterversion resource:
spec:
overrides:
- kind: Deployment
group: apps/v1
name: cloud-credential-operator
namespace: openshift-cloud-credential-operator
unmanaged: true
export IMG=quay.io/dgoodwin/cloud-credential-operator:latest
make buildah-push
make deploy
Cred Minter should now be running in the openshift-cloud-credential-operator
namespace.
The primary custom resource used by this operator is the CredentialsRequest, which allows cluster components to request fine-grained credentials.
A CredentialRequest spec consists of:
secretRef
- Points to the secret where the credentials should be stored once generated. Can be in a separate namespace from the CredentialsRequest where it can be used by pods. If that namespace does not yet exist, the controller will immediately sync when it is created.providerSpec
- Contains the cloud provider specific credentials specification.Once created, assuming admin credentials are available, the controller will provision e.g. a user, access key, and user policy in AWS. The access and secret key will be stored in the target secret specified above.
You can freely edit a CredentialsRequest to adjust permissions and the controller will reconcile those changes out to the respective user policy (assuming valid admin credentials still exist).
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: openshift-image-registry
namespace: openshift-cloud-credential-operator
spec:
secretRef:
name: installer-cloud-credentials
namespace: openshift-image-registry
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AWSProviderSpec
statementEntries:
- effect: Allow
action:
- s3:CreateBucket
- s3:DeleteBucket
resource: "*"
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: openshift-image-registry
namespace: openshift-cloud-credential-operator
spec:
secretRef:
name: installer-cloud-credentials
namespace: openshift-image-registry
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AzureProviderSpec
roleBindings:
- role: Storage Account Contributor
- role: Storage Blob Data Contributor
List of Azure built-in roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Please refer this documentation for adding a new provider.
openshift-cloud-credential-operator
namespace.