Manual mode with STS is supported for Amazon Web Services (AWS).
This credentials strategy is supported for only new OKD clusters and must be configured during installation. You cannot reconfigure an existing cluster that uses a different credentials strategy to use this feature. |
In manual mode with STS, the individual OKD cluster components use AWS Secure Token Service (STS) to assign components IAM roles that provide short-term, limited-privilege security credentials. These credentials are associated with IAM roles that are specific to each component that makes AWS API calls.
Requests for new and refreshed credentials are automated by using an appropriately configured AWS IAM OpenID Connect (OIDC) identity provider, combined with AWS IAM roles. OKD signs service account tokens that are trusted by AWS IAM, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour.
Using manual mode with STS changes the content of the AWS credentials that are provided to individual OKD components.
apiVersion: v1
kind: Secret
metadata:
namespace: <target-namespace> (1)
name: <target-secret-name> (2)
data:
aws_access_key_id: <base64-encoded-access-key-id>
aws_secret_access_key: <base64-encoded-secret-access-key>
1 | The namespace for the component. |
2 | The name of the component secret. |
apiVersion: v1
kind: Secret
metadata:
namespace: <target-namespace> (1)
name: <target-secret-name> (2)
stringData:
credentials: |-
[default]
role_name: <operator-role-name> (3)
web_identity_token_file: <path-to-token> (4)
1 | The namespace for the component. |
2 | The name of the component secret. |
3 | The IAM role for the component. |
4 | The path to the service account token inside the pod. By convention, this is /var/run/secrets/openshift/serviceaccount/token for OKD components. |
To install a cluster that is configured to use the Cloud Credential Operator (CCO) in manual mode with STS:
Create the required AWS resources individually, or with a single command.
Because the cluster is operating in manual mode when using STS, it is not able to create new credentials for components with the permissions that they require. When upgrading to a different minor version of OKD, there are often new AWS permission requirements. Before upgrading a cluster that is using STS, the cluster administrator must manually ensure that the AWS permissions are sufficient for existing components and available to any new components. |
To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode with STS, extract and prepare the CCO utility (ccoctl
) binary.
The |
Obtain the OKD release image.
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
Get the CCO container image from the OKD release image:
$ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE)
Ensure that the architecture of the |
Extract the ccoctl
binary from the CCO container image within the OKD release image:
$ oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
Change the permissions to make ccoctl
executable:
$ chmod 775 ccoctl
To verify that ccoctl
is ready to use, display the help file:
$ ccoctl aws --help
ccoctl aws --help
:Creating/updating/deleting cloud credentials objects for AWS cloud
Usage:
ccoctl aws [command]
Available Commands:
create-all Create all the required credentials objects
create-iam-roles Create IAM roles
create-identity-provider Create IAM identity provider
create-key-pair Create a key pair
delete Delete credentials objects
Flags:
-h, --help help for aws
Use "ccoctl aws [command] --help" for more information about a command.
You can use the CCO utility (ccoctl
) to create the required AWS resources individually, or with a single command.
If you need to review the JSON files that the ccoctl
tool creates before modifying AWS resources, or if the process the ccoctl
tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. For example, this option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
Otherwise, you can use the ccoctl aws create-all
command to create the AWS resources automatically.
By default, Some |
Extract and prepare the ccoctl
binary.
Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster:
$ ccoctl aws create-key-pair
2021/04/13 11:01:02 Generating RSA keypair
2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private
2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public
2021/04/13 11:01:03 Copying signing key for use by installer
where serviceaccount-signer.private
and serviceaccount-signer.public
are the generated key files.
This command also creates a private key that the cluster requires during installation in /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key
.
Create an OpenID Connect identity provider and S3 bucket on AWS:
$ ccoctl aws create-identity-provider \
--name=<name> \
--region=<aws_region> \
--public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public
where:
<name>
is the name used to tag any cloud resources that are created for tracking.
<aws-region>
is the AWS region in which cloud resources will be created.
<path_to_ccoctl_output_dir>
is the path to the public key file that the ccoctl aws create-key-pair
command generated.
2021/04/13 11:16:09 Bucket <name>-oidc created
2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated
2021/04/13 11:16:10 Reading public key
2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated
2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com
where 02-openid-configuration
is a discovery document and 03-keys.json
is a JSON web key set file.
This command also creates a YAML configuration file in /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml
. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
Create IAM roles for each component in the cluster.
Extract the list of CredentialsRequest
objects from the OKD release image:
$ oc adm release extract \
--credentials-requests \
--cloud=aws \
--to=<path_to_directory_with_list_of_credentials_requests>/credrequests (1)
--from=quay.io/<path_to>/ocp-release:<version>
1 | credrequests is the directory where the list of CredentialsRequest objects is stored. This command creates the directory if it does not exist. |
Use the ccoctl
tool to process all CredentialsRequest
objects in the credrequests
directory:
$ ccoctl aws create-iam-roles \
--name=<name> \
--region=<aws_region> \
--credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests \
--identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com
For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the |
For each CredentialsRequest
object, ccoctl
creates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each CredentialsRequest
object from the OKD release image.
To verify that the OKD secrets are created, list the files in the <path_to_ccoctl_output_dir>/manifests
directory:
$ ll <path_to_ccoctl_output_dir>/manifests
total 24
-rw-------. 1 <user> <user> 161 Apr 13 11:42 cluster-authentication-02-config.yaml
-rw-------. 1 <user> <user> 379 Apr 13 11:59 openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds-credentials.yaml
-rw-------. 1 <user> <user> 353 Apr 13 11:59 openshift-cluster-csi-drivers-ebs-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 355 Apr 13 11:59 openshift-image-registry-installer-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 339 Apr 13 11:59 openshift-ingress-operator-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 337 Apr 13 11:59 openshift-machine-api-aws-cloud-credentials-credentials.yaml
You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles.
If you do not need to review the JSON files that the ccoctl
tool creates before modifying AWS resources, and if the process the ccoctl
tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all
command to automate the creation of AWS resources.
Otherwise, you can create the AWS resources individually.
By default, |
Extract and prepare the ccoctl
binary.
Extract the list of CredentialsRequest
objects from the OKD release image:
$ oc adm release extract \
--credentials-requests \
--cloud=aws \
--to=<path_to_directory_with_list_of_credentials_requests>/credrequests \ (1)
--from=quay.io/<path_to>/ocp-release:<version>
1 | credrequests is the directory where the list of CredentialsRequest objects is stored. This command creates the directory if it does not exist. |
Use the ccoctl
tool to process all CredentialsRequest
objects in the credrequests
directory:
$ ccoctl aws create-all \
--name=<name> \
--region=<aws_region> \
--credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests
To verify that the OKD secrets are created, list the files in the <path_to_ccoctl_output_dir>/manifests
directory:
$ ll <path_to_ccoctl_output_dir>/manifests
total 24
-rw-------. 1 <user> <user> 161 Apr 13 11:42 cluster-authentication-02-config.yaml
-rw-------. 1 <user> <user> 379 Apr 13 11:59 openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds-credentials.yaml
-rw-------. 1 <user> <user> 353 Apr 13 11:59 openshift-cluster-csi-drivers-ebs-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 355 Apr 13 11:59 openshift-image-registry-installer-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 339 Apr 13 11:59 openshift-ingress-operator-cloud-credentials-credentials.yaml
-rw-------. 1 <user> <user> 337 Apr 13 11:59 openshift-machine-api-aws-cloud-credentials-credentials.yaml
You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles.
Obtain the OKD release image.
Change to the directory that contains the installation program and create the install-config.yaml
file:
$ openshift-install create install-config --dir <installation_directory>
where <installation_directory>
is the directory in which the installation program creates files.
Edit the install-config.yaml
configuration file so that it contains the credentialsMode
parameter set to Manual
.
install-config.yaml
configuration fileapiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual (1)
compute:
- architecture: amd64
hyperthreading: Enabled
...
1 | This line is added to set the credentialsMode parameter to Manual . |
Create the required OKD installation manifests:
$ openshift-install create manifests
Copy the manifests that ccoctl
generated to the manifests directory that the installation program created:
$ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/
Copy the private key that the ccoctl
generated in the tls
directory to the installation directory:
$ cp -a /<path_to_ccoctl_output_dir>/tls .
Run the OKD installer:
$ ./openshift-install create cluster
Connect to the OKD cluster.
Verify that the cluster does not have root
credentials:
$ oc get secrets -n kube-system aws-creds
The output should look similar to:
Error from server (NotFound): secrets "aws-creds" not found
Verify that the components are assuming the IAM roles that are specified in the secret manifests, instead of using credentials that are created by the CCO:
$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o json | jq -r .data.credentials | base64 --decode
The output should show the role and web identity token that are used by the component and look similar to:
[default]
role_arn = arn:aws:iam::123456789:role/openshift-image-registry-installer-cloud-credentials
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token