OSDOCS#5384: Document the explicit list of required credential permissions for Azure #56274
Conversation
openshift-ci
bot
added
the
size/S
|
🤖 Updated build preview is available at: Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/13288 |
xenolinux
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
xenolinux
force-pushed
the
minm-required-permissions-azure
branch
from
2d89786
to
519c2d8
Compare
openshift-ci
bot
added
size/L
xenolinux
force-pushed
the
minm-required-permissions-azure
branch
3 times, most recently
from
bfa1b60
to
353b791
Compare
xenolinux
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
xenolinux
force-pushed
the
minm-required-permissions-azure
branch
11 times, most recently
from
caaaa02
to
80e4395
Compare
| [id="minimum-required-azure-permissions_{context}"] | ||
| = Required Azure permissions in installer-provisioned infrastructure | ||
|
|
||
| To deploy and destroy an {product-title} cluster with installer-provisioned infrastructure, the service account requires the following permissions. |
There was a problem hiding this comment.
Service Principal in-place of service account
| @@ -11,6 +11,4 @@ | |||
| * `User Access Administrator` | |||
| * `Owner` | |||
There was a problem hiding this comment.
This should be Contributor. I will create a separate bug to address this.
There was a problem hiding this comment.
@xenolinux We can address this as part of separate PR, may be through a Bug, as this is not part of this work.
There was a problem hiding this comment.
Reverting the changes
There was a problem hiding this comment.
Created https://issues.redhat.com/browse/OCPBUGS-8088 to address this.
There was a problem hiding this comment.
Created the PR for above bug #56648
| [id="minimum-required-azure-permissions_{context}"] | ||
| = Required Azure permissions in installer-provisioned infrastructure | ||
|
|
||
| To deploy and destroy an {product-title} cluster with installer-provisioned infrastructure, the service account requires the following permissions. |
There was a problem hiding this comment.
Can we make it little more informative to have a link from the previous section Required Azure roles ?
may be like this :
When you assign the Contributor and User Access Administrator roles to the service principal, you automatically grant all of the required permissions. Specifically, to deploy and destroy an OpenShift Container Platform cluster with installer-provisioned infrastructure, the service principal requires the following permissions.
^^ Please change any wordings / formatting as per convention.
| * `Microsoft.Storage/storageAccounts/listKeys/action` | ||
| ==== | ||
|
|
||
| .Additional permissions for creating marketplace virtual machine resources |
There was a problem hiding this comment.
There are some ongoing discussion regarding marketplace image. Adding this comment as a place holder to look back. cc @jinyunma
There was a problem hiding this comment.
got it, I will update the status once there is any progress for marketplace image testing.
|
|
||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
we should add a sentence here about custom role creation. Something like :
You can create a Custom Role having all the above mentioned permissions and assign that custom role to the service principal. To create a custom role in Azure portal, see the Azure custom roles in the Azure documentation.
^^ Please change any wordings / formatting as per convention.
| * `Microsoft.Network/virtualNetworks/delete` | ||
| ==== | ||
|
|
||
| .Required permissions for deleting health resources |
There was a problem hiding this comment.
Required permissions for checking health of resources.
| * `Microsoft.Resourcehealth/healthevent/Updated/action` | ||
| ==== | ||
|
|
||
| .Required permissions for deleting subscription resources |
There was a problem hiding this comment.
Required permissions for deleting resource group
| * `Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write` | ||
| ==== | ||
|
|
||
| .Additional permissions for creating compute resources |
There was a problem hiding this comment.
Should we call them additional or optional ?
There was a problem hiding this comment.
Optional sounds appropriate. Addressed
xenolinux
force-pushed
the
minm-required-permissions-azure
branch
6 times, most recently
from
e0f1e30
to
5d982fd
Compare
|
@xenolinux thanks for addressing, the update looks good to me |
|
LGTM. /remove-label peer-review-in-progress |
openshift-ci
bot
added
peer-review-done
|
/label merge-review-needed |
openshift-ci
bot
added
the
merge-review-needed
ousleyp
added
merge-review-in-progress
There was a problem hiding this comment.
Great work overall! However, the module IDs are incorrect on both new modules, so please fix those before re-requesting merge review. Thanks!
PS. You might want to get a final merge review from someone who usually works on these install docs, but as far as I can tell, everything other than the module IDs LGTM.
| // | ||
| // * installing/installing_azure/installing-azure-user-infra.adoc | ||
|
|
||
| [id="minimum-required-azure-permissions_{context}"] |
There was a problem hiding this comment.
This ID is the same as the one in modules/minimum-required-permissions-ipi-azure.adoc. Please change both module IDs so that they match the corresponding filename. This one should be: [id="minimum-required-permissions-upi-azure_{context}"]
Thanks!
| // | ||
| // * installing/installing_azure/installing-azure-account.adoc | ||
|
|
||
| [id="minimum-required-azure-permissions_{context}"] |
There was a problem hiding this comment.
This ID is the same as the one in modules/minimum-required-permissions-upi-azure.adoc. Please change both module IDs so that they match the corresponding filename. Ideally, they would also match the module title, but having them match the filename is more important.
This one should be: [id="minimum-required-permissions-ipi-azure_{context}"]
ousleyp
removed
the
merge-review-in-progress
xenolinux
force-pushed
the
minm-required-permissions-azure
branch
from
3f8d8b3
to
eafc6ee
Compare
Thanks. I corrected the module IDs.
Yes. I have got it reviewed by @bscott-rh before setting the merge-review-needed label. |
|
Acknowledged the comments. Setting the merge-review-needed label again. |
|
/label merge-review-needed |
openshift-ci
bot
added
the
merge-review-needed
sheriff-rh
added
merge-review-in-progress
|
/cherrypick enterprise-4.13 |
|
/cherrypick enterprise-4.12 |
|
@sheriff-rh: new pull request created: #58247 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sheriff-rh: new pull request created: #58248 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Document the list of required permissions to create and delete the OCP cluster on the Azure Public Cloud for installer-provisioned infrastructure and user-provisioned infrastructure.
Version(s): 4.12+
Issue: https://issues.redhat.com/browse/OSDOCS-5384
Link to docs preview:
The note in
modules/installation-azure-create-resource-group-and-identity.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-user-infra.html#installation-azure-create-resource-group-and-identity_installing-azure-user-infraChanges in the file
modules/installation-azure-finalizing-encryption.adoc:https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-customizations.html#finalizing-encryption_installing-azure-customizations
Changes in file
modules/installation-azure-permissions.adoc:https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-user-infra.html#installation-azure-permissions_installing-azure-user-infra
A note in the file
modules/installation-azure-service-principal.adoc:https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-account.html#installation-azure-service-principal_installing-azure-account
Preview for IPI related module
modules/minimum-required-permissions-ipi-azure.adoc:https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-account.html#minimum-required-azure-permissions_installing-azure-account
Preview for UPI related module
modules/minimum-required-permissions-upi-azure.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-user-infra.html#minimum-required-azure-permissions_installing-azure-user-infraQE review:
Additional information: