$ openshift-install create manifests --dir <installation_directory> (1)
In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster
kube-system namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.
The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the
credentialsMode parameter in the
If you prefer not to store an administrator-level credential secret in the cluster
kube-system project, you can set the
credentialsMode parameter for the CCO to
Manual when installing OKD and manage your cloud credentials manually.
Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
For a detailed description of all available CCO credential modes and their supported platforms, see the Cloud Credential Operator reference.
The Cloud Credential Operator (CCO) can be put into manual mode prior to
installation in environments where the cloud identity and access management
(IAM) APIs are not reachable, or the administrator prefers not to store an
administrator-level credential secret in the cluster
To generate the manifests, run the following command from the directory that contains the installation program:
$ openshift-install create manifests --dir <installation_directory> (1)
Insert a config map into the manifests directory so that the Cloud Credential Operator is placed in manual mode:
$ cat <<EOF > mycluster/manifests/cco-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: cloud-credential-operator-config namespace: openshift-cloud-credential-operator annotations: release.openshift.io/create-only: "true" data: disabled: "true" EOF
admin credential secret created using your local cloud credentials.
This removal prevents your
admin credential from being stored in the cluster:
$ rm mycluster/openshift/99_cloud-creds-secret.yaml
From the directory that contains the installation program, obtain details of the OKD release image that your
openshift-install binary is built to use:
$ openshift-install version
release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64
CredentialsRequest objects in this release image that target the cloud you are deploying on:
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=azure
This displays the details for each request.
apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: labels: controller-tools.k8s.io: "1.0" name: openshift-image-registry-azure namespace: openshift-cloud-credential-operator spec: secretRef: name: installer-cloud-credentials namespace: openshift-image-registry providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: AzureProviderSpec roleBindings: - role: Contributor
Create YAML files for secrets in the
openshift-install manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the
spec.secretRef for each
credentialsRequest. The format for the secret data varies for each cloud provider.
From the directory that contains the installation program, proceed with your cluster creation:
$ openshift-install create cluster --dir <installation_directory>
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state. For details, see the Upgrading clusters with manually maintained credentials section of the installation content for your cloud provider.
Each cloud provider uses a credentials root secret in the
namespace by convention, which is then used to satisfy all credentials requests
and create their respective secrets. This is done either by minting new
credentials, with mint mode, or by copying the credentials root secret, with
The format for the secret varies by cloud, and is also used for each
apiVersion: v1 kind: Secret metadata: namespace: kube-system name: azure-credentials stringData: azure_subscription_id: <SubscriptionID> azure_client_id: <ClientID> azure_client_secret: <ClientSecret> azure_tenant_id: <TenantID> azure_resource_prefix: <ResourcePrefix> azure_resourcegroup: <ResourceGroup> azure_region: <Region>
On Microsoft Azure, the credentials secret format includes two properties that must contain the cluster’s infrastructure ID, generated randomly for each cluster installation. This value can be found after running create manifests:
$ cat .openshift_install_state.json | jq '."*installconfig.ClusterID".InfraID' -r
This value would be used in the secret data as follows:
azure_resource_prefix: mycluster-2mpcn azure_resourcegroup: mycluster-2mpcn-rg
If credentials are added in a future release, the Cloud Credential Operator (CCO)
upgradable status for a cluster with manually maintained credentials changes to
false. For minor release, for example, from 4.5 to 4.6, this status prevents you from upgrading until you have addressed any updated permissions. For z-stream releases, for example, from 4.5.10 to 4.5.11, the upgrade is not blocked, but the credentials must still be updated for the new release.
Use the Administrator perspective of the web console to determine if the CCO is upgradeable.
Navigate to Administration → Cluster Settings.
To view the CCO status details, click cloud-credential in the Cluster Operators list.
If the Upgradeable status in the Conditions section is False, examine the
credentialsRequests for the new release and update the manually maintained credentials on your cluster to match before upgrading.
In addition to creating new credentials for the release image that you are
upgrading to, you must review the required permissions for existing credentials
and accommodate any new permissions requirements for existing components in the
new release. The CCO cannot detect these mismatches and will not set
false in this case.
The Manually creating IAM section of the installation content for your cloud provider explains how to obtain and use the credentials required for your cloud.
Mint mode is the default and recommended Cloud Credential Operator (CCO) credentials mode for OKD. In this mode, the CCO uses the provided administrator-level cloud credential to run the cluster. Mint mode is supported for AWS, GCP, and Azure.
In mint mode, the
admin credential is stored in the
kube-system namespace and then used by the CCO to process the
CredentialsRequest objects in the cluster and create users for each with specific permissions.
The benefits of mint mode include:
Each cluster component has only the permissions it requires
Automatic, on-going reconciliation for cloud credentials, including additional credentials or permissions that might be required for upgrades
One drawback is that mint mode requires
admin credential storage in a cluster
Install an OKD cluster:
Installing a cluster quickly on Azure with default options on installer-provisioned infrastructure
Install a cluster with cloud customizations on installer-provisioned infrastructure
Install a cluster with network customizations on installer-provisioned infrastructure