OSDOCS-13798 Adding user-specified identities to Azure #93377
🤖 Thu May 15 19:14:52 - Prow CI generated the docs preview:
In addition to the fine-grained permissions updates, we should update the docs to remove the mentions of User Access Administrator, which is no longer required by default. This permission (or perhaps the less powerful RBAC Access Admin) is only required when users specify a User-Assigned Identity in the install config.

In the docs in 2.4.1 it says:

The Azure account that you use to create the identity is assigned the User Access Administrator and Contributor roles. These roles are required when:
- Creating a service principal or user-assigned managed identity.
- Enabling a system-assigned managed identity on a virtual machine.

We could probably change that to just:

The Azure account that you use to create the identity is assigned the Contributor role.

And then in 2.4.3, where we document how to create the service principal, we can remove step 2, which adds the User Access Admin role.

Or, instead of removing it, we can add a note saying this is only necessary when users supply the values in the install config... I hope this makes sense, but I'm sure it's confusing, so please LMK if you have questions.
|The type of identity used for control plane virtual machine. The `SystemAssigned` identity is an implicitly created identity. | ||
The generated identity will be assigned a Subscription contributor role. | ||
Using a `SystemAssigned` identity is an experimental feature that can be enabled with the `MachineAPIMigration` feature gate. | ||
The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to control plane virtual machines. | ||
Identity can only be set for control plane nodes. | ||
|`SystemAssigned`, `UserAssigned` or `None`. |
Oh this is my bad. I initially added support for SystemAssigned identities, but it turned out to be more complex than originally anticipated so I removed support, or so I thought.
I have opened a bug and the PR openshift/installer#9717 to remove the references to SystemAssigned Identity, which I apparently missed.
|The type of identity used for control plane virtual machine. The `SystemAssigned` identity is an implicitly created identity. | |
The generated identity will be assigned a Subscription contributor role. | |
Using a `SystemAssigned` identity is an experimental feature that can be enabled with the `MachineAPIMigration` feature gate. | |
The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to control plane virtual machines. | |
Identity can only be set for control plane nodes. | |
|`SystemAssigned`, `UserAssigned` or `None`. | |
|The type of identity used for control plane virtual machine. | |
The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to control plane virtual machines. | |
Identity can only be set for control plane nodes. | |
| `UserAssigned` or `None`. |
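Review bot: the original `identity` type row still describes `SystemAssigned` (an implicitly created identity with a Subscription contributor role, behind the `MachineAPIMigration` feature gate) while the revised row lists only `UserAssigned` or `None`; since the thread says `SystemAssigned` support is being removed in openshift/installer#9717, keep only the `UserAssigned`/`None` wording, and "control plane virtual machine" in the first sentence should read "control plane virtual machines" to match the rest of the row.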
|controlPlane: | ||
platform: | ||
azure: | ||
identity: | ||
systemAssignedIdentityRole: | ||
definitionID: | ||
|The role definition to create for a system assigned identity. It can be an built-in {azure-short} role or a custom role. | ||
For more information about built-in {azure-short} roles, see link:https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles[Azure built-in roles] (Microsoft documentation). | ||
|String, for example "b24988ac-6180-42a0-ab88-20f7382dd24c" for the built-in Contributor role. | ||
|
||
|controlPlane: | ||
platform: | ||
azure: | ||
identity: | ||
systemAssignedIdentityRole: | ||
name: | ||
|Optional. The name of the role assignment to create for a system assigned identity. It can be any valid UUID. | ||
If not specified, a random UUID will be generated. | ||
|String. | ||
|
||
|controlPlane: | ||
platform: | ||
azure: | ||
identity: | ||
systemAssignedIdentityRole: | ||
scope: | ||
|Optional. The scope to which the role assignment or definition applies. The scope can be any REST API resource instance. | ||
If not specified, the scope will be the subscription. | ||
|String. |
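Review bot: the three `controlPlane.platform.azure.identity.systemAssignedIdentityRole` rows (`definitionID`, `name`, `scope`) only apply to a `SystemAssigned` identity, which the thread says was removed from the installer, so they should go together with the other `SystemAssigned` references rather than be corrected in place; if they were kept, "an built-in {azure-short} role" in the `definitionID` row would need "a built-in", and "system assigned identity" would want the same `SystemAssigned` spelling used elsewhere in the table.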
Delete these references to SystemAssigned identities
@bscott-rh: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
It looks like two parts are missing.
- The permissions of the service principal or managed identity (attached to the Azure virtual machine that the installer runs in) for an IPI installation with a user-assigned identity configured in the install-config (attached to cluster nodes), which you added to installation-configuration-parameters.adoc.
  - Without a minimal-permission installation, both the 'Contributor' role and the 'User Access Administrator' role are required.
  - With a minimal-permission installation, the following optional permissions are required:
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
    "Microsoft.ManagedIdentity/userAssignedIdentities/read"
- UPI doc:
  - Remove the identity creation and role assignment steps (procedures 2 & 3) from "Creating the Azure resource group", because the user-assigned identity was also removed from the UPI ARM template (CORS-3883: Remove user-assigned identity from ARM template installer#9625).
  - The same permissions you removed from the IPI doc also need to be removed from the minimal permission list in the UPI doc.
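The two review comments above describe one rule: the installer's principal needs 'User Access Administrator' (alongside 'Contributor'), or the two `Microsoft.ManagedIdentity/userAssignedIdentities/*` actions in a minimal-permission custom role, only when `controlPlane.platform.azure.identity.type` is `UserAssigned`. The pre-flight check below is an added example written for this page, not code from the PR, openshift-docs or the installer; the install-config fragments and granted role/action lists are constructed samples, and the check only covers the identity-specific delta, not the installer's full base permission list, which the thread does not enumerate.

```python
"""Pre-flight check for the Azure identity permission rule described in the review thread.

Constructed example; the role and action names are copied from the thread,
the install-config fragments and granted permissions are made-up samples.
"""

# Role and action names as given in the review comments.
REQUIRED_ROLES_FULL = {"Contributor", "User Access Administrator"}
OPTIONAL_ACTIONS_UAI = {
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
}
# SystemAssigned support was removed from the installer per the thread.
ALLOWED_IDENTITY_TYPES = {"UserAssigned", "None"}


def identity_type(install_config: dict) -> str:
    """Return controlPlane.platform.azure.identity.type, defaulting to 'None' when unset."""
    identity = (
        install_config.get("controlPlane", {})
        .get("platform", {})
        .get("azure", {})
        .get("identity", {})
    )
    return identity.get("type", "None")


def check_permissions(install_config: dict, granted_roles, granted_actions) -> list:
    """Return a list of findings; an empty list means the grant satisfies the identity rule.

    granted_roles:   built-in roles assigned to the installer principal
    granted_actions: actions listed in a minimal-permission custom role, if one is used
    """
    findings = []
    itype = identity_type(install_config)
    if itype not in ALLOWED_IDENTITY_TYPES:
        findings.append(
            f"identity.type {itype!r} is not supported; use 'UserAssigned' or 'None'"
        )
        return findings
    if itype == "None":
        # No identity is attached to control plane nodes: nothing identity-specific to grant.
        return findings

    roles = set(granted_roles)
    actions = set(granted_actions)
    if REQUIRED_ROLES_FULL <= roles:
        return findings  # full-permission path: Contributor + User Access Administrator
    missing_actions = sorted(OPTIONAL_ACTIONS_UAI - actions)
    if not missing_actions:
        return findings  # minimal-permission path: both optional actions present
    findings.append(
        "UserAssigned identity configured, but the installer principal has neither the roles "
        f"{sorted(REQUIRED_ROLES_FULL)} nor the actions {missing_actions}"
    )
    return findings


# Constructed install-config fragments (sample data, not from the page).
CONFIG_UAI = {"controlPlane": {"platform": {"azure": {"identity": {"type": "UserAssigned"}}}}}
CONFIG_NONE = {"controlPlane": {"platform": {"azure": {"identity": {"type": "None"}}}}}
CONFIG_SYS = {"controlPlane": {"platform": {"azure": {"identity": {"type": "SystemAssigned"}}}}}


if __name__ == "__main__":
    for label, cfg, roles, acts in [
        ("contributor-only", CONFIG_UAI, ["Contributor"], []),
        ("full-roles", CONFIG_UAI, ["Contributor", "User Access Administrator"], []),
        ("minimal-complete", CONFIG_UAI, [], sorted(OPTIONAL_ACTIONS_UAI)),
        ("no-identity", CONFIG_NONE, ["Contributor"], []),
        ("removed-type", CONFIG_SYS, [], []),
    ]:
        print(label, check_permissions(cfg, roles, acts) or "OK")
```

Feed it the `identity` block of a real install-config and the principal's effective role assignments (or the custom role's action list) before running the installer; a non-empty result is the same gap the reviewer asked the docs to call out.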
|
||
** Creating a service principal or user-assigned managed identity. | ||
|
||
** Enabling a system-assigned managed identity on a virtual machine. |
We don't need to update here, because it describes the permission for the Azure account. User Access Administrator is still required when the Azure account assigns a role to the service principal or user-assigned managed identity.
Version(s): 4.19

Issue: https://issues.redhat.com/browse/OSDOCS-13798

Link to docs preview:
- Required permissions for IPI
- Additional Azure configuration parameters

QE review: