2.2. Manually creating IAM for AWS
2.2.1. Manually create IAM
The Cloud Credential Operator can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or where the administrator prefers not to store an administrator-level credential secret in the cluster's kube-system namespace.
Procedure
Run the OpenShift Container Platform installer to generate manifests:
$ openshift-install create manifests --dir=mycluster
Insert a config map into the manifests directory so that the Cloud Credential Operator is placed in manual mode:
$ cat <<EOF > mycluster/manifests/cco-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-credential-operator-config
  namespace: openshift-cloud-credential-operator
  annotations:
    release.openshift.io/create-only: "true"
data:
  disabled: "true"
EOF
Remove the admin credential secret created using your local cloud credentials. This removal prevents your admin credential from being stored in the cluster:
$ rm mycluster/openshift/99_cloud-creds-secret.yaml
Obtain the OpenShift Container Platform release image your openshift-install binary is built to use:
$ bin/openshift-install version
Example output
release image quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64
Extract the release image so that you can locate all CredentialsRequest objects in it that target the cloud you are deploying on:
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64 --to ./release-image
Locate the CredentialsRequests in the extracted files (run this from inside the ./release-image directory):
$ grep -l "apiVersion: cloudcredential.openshift.io" * | xargs cat
Note: In a future OpenShift Container Platform release, there will be a new oc adm release command to scan for the CredentialsRequests and display them.
This displays the details for each request. Ignore any CredentialsRequests whose spec.providerSpec.kind does not match the cloud provider you are installing to; for AWS, the kind is AWSProviderSpec.
Sample CredentialsRequest object
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cloud-credential-operator-iam-ro
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: cloud-credential-operator-iam-ro-creds
    namespace: openshift-cloud-credential-operator
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - iam:GetUser
      - iam:GetUserPolicy
      - iam:ListAccessKeys
      resource: "*"
Create YAML files for secrets in the openshift-install manifests directory that you generated previously. Each secret must use the namespace and secret name defined in that request's spec.secretRef. The format of the secret data varies by cloud provider; for AWS, the secret carries the access key pair under the keys aws_access_key_id and aws_secret_access_key. Proceed with cluster creation:
$ openshift-install create cluster --dir=mycluster
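The steps above (extract the release image, keep only the CredentialsRequests whose providerSpec.kind is AWSProviderSpec, create an IAM user per request with the actions in its statementEntries, and write a Secret named as its secretRef says) are mechanical enough to script. The script below is an added example, not Red Hat's or the Cloud Credential Operator's own tooling. It assumes one secretRef per request, names the generated manifests 99_<namespace>-<secret name>.yaml, uses the Secret's standard stringData field instead of the base64 data form shown in the product docs, and reads the access keys you created from a constructed key file with one line per request ("<secret name> <access key id> <secret access key>"); the demo keys are placeholders. The IAM policy it prints flattens every statementEntry into one Allow statement on Resource "*", which is what the sample request above declares, so check the entries of each real request before attaching the policy.

```shell
#!/bin/sh
# Added example, not OpenShift's own tooling: find the CredentialsRequests in an
# extracted release image that target AWS, print the IAM actions each needs, and
# write the Secret manifests the installer expects.  Assumed: one secretRef per
# request, AWS secret keys aws_access_key_id / aws_secret_access_key, and a
# constructed key file, one line per request: "<secret name> <key id> <secret>".
set -eu
# Print "<secret name> <namespace> <comma-separated IAM actions>" for every
# CredentialsRequest with providerSpec.kind AWSProviderSpec; other clouds skipped.
aws_credentials_requests() {
  grep -l "apiVersion: cloudcredential.openshift.io" "$1"/* |
  while read -r f; do
    awk '
      function flush() {
        if (kind == "CredentialsRequest" && pkind == "AWSProviderSpec")
          printf "%s %s %s\n", sname, sns, actions
        kind = ""; pkind = ""; sname = ""; sns = ""; actions = ""; block = ""
      }
      /^[ \t]*$/ { next }
      /^---/     { flush(); next }
      {
        ind = match($0, /[^ ]/) - 1                 # indentation of the line
        if (block != "" && ind <= bind) block = ""  # left the nested mapping
      }
      /^kind:/           { kind = $2 }
      /^ *secretRef:/    { block = "secretRef";    bind = ind }
      /^ *providerSpec:/ { block = "providerSpec"; bind = ind }
      block == "secretRef"    && /^ *name:/      { sname = $2 }
      block == "secretRef"    && /^ *namespace:/ { sns = $2 }
      block == "providerSpec" && /^ *kind:/      { pkind = $2 }
      block == "providerSpec" && /^ *- [a-z0-9]+:[A-Za-z0-9*]+$/ {
        actions = actions (actions == "" ? "" : ",") $2
      }
      END { flush() }
    ' "$f"
  done
}
# IAM policy document for one request's action list.  All statementEntries are
# flattened into one Allow statement on Resource "*", as the sample request above
# declares; compare with each real request before attaching it to its IAM user.
iam_policy_json() {
  printf '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [%s], "Resource": "*"}]}\n' \
    "$(printf '%s' "$1" | sed 's/[^,][^,]*/"&"/g')"
}
# Write one Secret per AWS request into the installer manifests directory, named
# and placed as spec.secretRef says.  A request with no key in keys_file aborts
# the run, so no component is left without credentials at install time.
write_secret_manifests() {
  release_dir="$1"; manifests_dir="$2"; keys_file="$3"
  aws_credentials_requests "$release_dir" | while read -r name ns actions; do
    set -- $(grep "^$name " "$keys_file" || true)   # -> name, key id, secret key
    if [ "$#" -ne 3 ]; then
      echo "no IAM key for $ns/$name; it needs: $actions" >&2
      exit 1
    fi
    cat > "$manifests_dir/99_${ns}-${name}.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
stringData:
  aws_access_key_id: $2
  aws_secret_access_key: $3
EOF
  done
}
# Offline demo on constructed input: the page's sample AWS request written into
# a scratch release-image directory.  Prints the work directory it used.
run_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/release-image" "$work/manifests"
  cat > "$work/release-image/cco-credentials-request.yaml" <<'EOF'
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cloud-credential-operator-iam-ro
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: cloud-credential-operator-iam-ro-creds
    namespace: openshift-cloud-credential-operator
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - iam:GetUser
      - iam:GetUserPolicy
      - iam:ListAccessKeys
      resource: "*"
EOF
  # Placeholder key pair (constructed); the real one comes from the IAM user.
  echo "cloud-credential-operator-iam-ro-creds AKIAEXAMPLEEXAMPLE wJalrXUtnFEMIexampleKEY" > "$work/keys"
  write_secret_manifests "$work/release-image" "$work/manifests" "$work/keys"
  echo "$work"
}
```

Against a real extraction, run aws_credentials_requests ./release-image first, create one IAM user per line with a policy built from iam_policy_json on its action list, record the keys in the key file, and only then run write_secret_manifests ./release-image mycluster/manifests keys before openshift-install create cluster. Keeping one user per request, rather than one shared user, preserves the least-privilege split the CredentialsRequests were designed for.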
Important: Before performing an upgrade, you might need to adjust your credentials if permissions have changed in the next release. In the future, the Cloud Credential Operator might prevent you from upgrading until you have indicated that you have addressed the updated permissions.