2.2. Manually creating IAM for AWS
2.2.1. Manually create IAM
The Cloud Credential Operator can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster
Run the OpenShift Container Platform installer to generate manifests:
$ openshift-install create manifests --dir=mycluster
Insert a config map into the manifests directory so that the Cloud Credential Operator is placed in manual mode:
$ cat <<EOF > mycluster/manifests/cco-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: cloud-credential-operator-config namespace: openshift-cloud-credential-operator annotations: release.openshift.io/create-only: "true" data: disabled: "true" EOF
admincredential secret created using your local cloud credentials. This removal prevents your
admincredential from being stored in the cluster:
$ rm mycluster/openshift/99_cloud-creds-secret.yaml
Obtain the OpenShift Container Platform release image your
openshift-installbinary is built to use:
$ bin/openshift-install version
release image quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64
CredentialsRequestobjects in this release image that target the cloud you are deploying on:
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.z.z-x86_64 --to ./release-image
CredentialsRequestsin the extracted file:
$ grep -l "apiVersion: cloudcredential.openshift.io" * | xargs cat注記
In a future OpenShift Container Platform release, there will be a new
oc adm releasecommand to scan for the
CredentialsRequestsand display them.
This displays the details for each request. Remember to ignore any
spec.providerSpec.kinddoes not match the cloud provider you are installing to.
apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: cloud-credential-operator-iam-ro namespace: openshift-cloud-credential-operator spec: secretRef: name: cloud-credential-operator-iam-ro-creds namespace: openshift-cloud-credential-operator providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: AWSProviderSpec statementEntries: - effect: Allow action: - iam:GetUser - iam:GetUserPolicy - iam:ListAccessKeys resource: "*"
Create YAML files for secrets in the
openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in each
request.spec.secretRef. The format for the secret data varies for each cloud provider.
Proceed with cluster creation:
$ openshift-install create cluster --dir=mycluster重要
Before performing an upgrade, you might need to adjust your credentials if permissions have changed in the next release. In the future, the Cloud Credential Operator might prevent you from upgrading until you have indicated that you have addressed updated permissions.