OSDOCS#5384: Document the explicit list of required credential permissions for Azure #56274
🤖 Updated build preview is available at: Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/13288
I've suggested a few changes for the IPI part; we can make similar changes for UPI as well.
[id="minimum-required-azure-permissions_{context}"] | ||
= Required Azure permissions in installer-provisioned infrastructure | ||
To deploy and destroy an {product-title} cluster with installer-provisioned infrastructure, the service account requires the following permissions. |
Service Principal in place of service account.
Addressed
@@ -11,6 +11,4 @@ | |||
* `User Access Administrator` | |||
* `Owner` |
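Review bot: `* \`Owner\`` in this hunk's role list is broader than the install needs and contradicts the `Contributor` plus `User Access Administrator` pairing that the suggested lead-in of the new IPI module describes as sufficient; change it to `* \`Contributor\``, or keep the hunk explicitly tied to the follow-up bug so the two roles sections do not disagree.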
This should be Contributor. I will create a separate bug to address this.
Addressed
@xenolinux We can address this as part of a separate PR, maybe through a bug, as this is not part of this work.
Okay. Ack
Reverting the changes
Created https://issues.redhat.com/browse/OCPBUGS-8088 to address this.
Created the PR for the above bug: #56648
[id="minimum-required-azure-permissions_{context}"] | ||
= Required Azure permissions in installer-provisioned infrastructure | ||
To deploy and destroy an {product-title} cluster with installer-provisioned infrastructure, the service account requires the following permissions. |
Can we make it a little more informative by linking from the previous section, Required Azure roles? Maybe like this:
When you assign the Contributor and User Access Administrator roles to the service principal, you automatically grant all of the required permissions. Specifically, to deploy and destroy an OpenShift Container Platform cluster with installer-provisioned infrastructure, the service principal requires the following permissions.
^^ Please change any wording or formatting as per convention.
Addressed
* `Microsoft.Storage/storageAccounts/listKeys/action` | ||
==== | ||
.Additional permissions for creating marketplace virtual machine resources |
There is some ongoing discussion regarding the marketplace image. Adding this comment as a placeholder to look back at. cc @jinyunma
Got it. I will update the status once there is any progress on marketplace image testing.
We should add a sentence here about custom role creation. Something like:
You can create a custom role that has all of the above-mentioned permissions and assign that custom role to the service principal. To create a custom role in the Azure portal, see the Azure custom roles in the Azure documentation.
^^ Please change any wording or formatting as per convention.
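One way to check, before assigning it, that a custom role built from the documented list really grants every listed action and nothing wider. This is an added example, not code from the PR or from Azure's tooling; the permission list is a constructed subset of the actions visible in this review, and the role definition JSON is constructed in the shape Azure role definitions use.

```python
import fnmatch
import json

# Constructed subset of the permissions listed in this PR (not the full list).
REQUIRED_ACTIONS = [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Resourcehealth/healthevent/Updated/action",
    "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",
]

# Constructed custom role definition. It deliberately over-grants with a wildcard
# and excludes one documented action, so the checks below have something to report.
CUSTOM_ROLE_JSON = json.dumps({
    "Name": "openshift-installer-example",
    "IsCustom": True,
    "Description": "Example role built from the documented permission list",
    "Actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Network/*",
        "Microsoft.Resourcehealth/healthevent/Updated/action",
    ],
    "NotActions": ["Microsoft.Network/virtualNetworks/delete"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})


def _matches(pattern: str, action: str) -> bool:
    # Azure action strings compare case-insensitively; '*' matches any run of segments.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed(role: dict, action: str) -> bool:
    """True when an Actions entry matches and no NotActions entry excludes it."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def missing_actions(role_json: str, required: list) -> list:
    """Documented actions the role does not grant (should be empty before assignment)."""
    role = json.loads(role_json)
    return [a for a in required if not allowed(role, a)]


def wildcard_actions(role_json: str) -> list:
    """Wildcard grants, which exceed the explicit documented list."""
    return [a for a in json.loads(role_json)["Actions"] if "*" in a]


if __name__ == "__main__":
    print("missing:", missing_actions(CUSTOM_ROLE_JSON, REQUIRED_ACTIONS))
    print("wildcards:", wildcard_actions(CUSTOM_ROLE_JSON))
```

The same JSON shape is what `az role definition create --role-definition @role.json` accepts, so the check can run against the file you are about to submit.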
Addressed
* `Microsoft.Network/virtualNetworks/delete` | ||
==== | ||
.Required permissions for deleting health resources |
Required permissions for checking the health of resources.
Addressed
* `Microsoft.Resourcehealth/healthevent/Updated/action` | ||
==== | ||
.Required permissions for deleting subscription resources |
Required permissions for deleting the resource group.
Addressed
* `Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write` | ||
==== | ||
.Additional permissions for creating compute resources |
Should we call them additional or optional?
Optional sounds appropriate. Addressed
@xenolinux thanks for addressing, the update looks good to me.
LGTM. /remove-label peer-review-in-progress
/label merge-review-needed
Great work overall! However, the module IDs are incorrect on both new modules, so please fix those before re-requesting merge review. Thanks!
PS. You might want to get a final merge review from someone who usually works on these install docs, but as far as I can tell, everything other than the module IDs LGTM.
// | ||
// * installing/installing_azure/installing-azure-user-infra.adoc | ||
[id="minimum-required-azure-permissions_{context}"] |
This ID is the same as the one in modules/minimum-required-permissions-ipi-azure.adoc. Please change both module IDs so that they match the corresponding filename. This one should be: [id="minimum-required-permissions-upi-azure_{context}"]
Thanks!
// | ||
// * installing/installing_azure/installing-azure-account.adoc | ||
[id="minimum-required-azure-permissions_{context}"] |
This ID is the same as the one in modules/minimum-required-permissions-upi-azure.adoc. Please change both module IDs so that they match the corresponding filename. Ideally, they would also match the module title, but having them match the filename is more important.
This one should be: [id="minimum-required-permissions-ipi-azure_{context}"]
Thanks. I corrected the module IDs.
Yes. I have got it reviewed by @bscott-rh before setting the merge-review-needed label.
Acknowledged the comments. Setting the merge-review-needed label again.
/label merge-review-needed
Pan's requests were addressed, content lgtm otherwise. Merging.
/cherrypick enterprise-4.13
/cherrypick enterprise-4.12
@sheriff-rh: new pull request created: #58247 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@sheriff-rh: new pull request created: #58248 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Document the list of required permissions to create and delete the OCP cluster on the Azure Public Cloud for installer-provisioned infrastructure and user-provisioned infrastructure.
Version(s): 4.12+
Issue: https://issues.redhat.com/browse/OSDOCS-5384
Link to docs preview:
The note in modules/installation-azure-create-resource-group-and-identity.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-user-infra.html#installation-azure-create-resource-group-and-identity_installing-azure-user-infra
Changes in the file modules/installation-azure-finalizing-encryption.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-customizations.html#finalizing-encryption_installing-azure-customizations
Changes in the file modules/installation-azure-permissions.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-user-infra.html#installation-azure-permissions_installing-azure-user-infra
A note in the file modules/installation-azure-service-principal.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-account.html#installation-azure-service-principal_installing-azure-account
Preview for the IPI-related module modules/minimum-required-permissions-ipi-azure.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-account.html#minimum-required-azure-permissions_installing-azure-account
Preview for the UPI-related module modules/minimum-required-permissions-upi-azure.adoc: https://56274--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_azure/installing-azure-user-infra.html#minimum-required-azure-permissions_installing-azure-user-infra
QE review:
Additional information: