Manual mode is supported for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). To use this mode, you must examine the
CredentialsRequest CRs in the release image for the version of OKD that you are running or installing, create corresponding credentials in the underlying cloud provider, and create Kubernetes Secrets in the correct namespaces to satisfy all
CredentialsRequest CRs for the cluster’s cloud provider.
Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. This mode also does not require connectivity to the AWS public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade.
You can configure an AWS cluster in manual mode to use Amazon Web Services Secure Token Service (AWS STS). With this configuration, the CCO uses temporary credentials for different components.
If credentials are added in a future release, the Cloud Credential Operator (CCO)
upgradable status for a cluster with manually maintained credentials changes to
false. For minor release, for example, from 4.7 to 4.8, this status prevents you from upgrading until you have addressed any updated permissions. For z-stream releases, for example, from 4.7.12 to 4.7.13, the upgrade is not blocked, but the credentials must still be updated for the new release.
Use the Administrator perspective of the web console to determine if the CCO is upgradeable.
Navigate to Administration → Cluster Settings.
To view the CCO status details, click cloud-credential in the Cluster Operators list.
If the Upgradeable status in the Conditions section is False, examine the
CredentialsRequest custom resource for the new release and update the manually maintained credentials on your cluster to match before upgrading.
In addition to creating new credentials for the release image that you are
upgrading to, you must review the required permissions for existing credentials
and accommodate any new permissions requirements for existing components in the
new release. The CCO cannot detect these mismatches and will not set
false in this case.
The Manually creating IAM section of the installation content for your cloud provider explains how to obtain and use the credentials required for your cloud.