diff --git a/release_notes/ocp-4-6-release-notes.adoc b/release_notes/ocp-4-6-release-notes.adoc index bf1e846ee2..17524ce50c 100644 --- a/release_notes/ocp-4-6-release-notes.adoc +++ b/release_notes/ocp-4-6-release-notes.adoc @@ -749,6 +749,11 @@ Your upgrade to {product-title} 4.6 should now no longer be blocked by this feat [id="ocp-4-6-images"] === Images +[id="ocp-4-6-cloud-credential-operator-mode-support"] +==== Support for Cloud Credential Operator modes + +In addition to the existing default mode of operation, the xref:../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[Cloud Credential Operator (CCO)] can now be explicitly configured to operate in the following modes: `Mint`, `Passthrough`, and `Manual`. This feature provides transparency and flexibility in how the CCO uses cloud credentials to process `CredentialRequests` in the cluster for installation and other tasks. + [id="ocp-4-6-samples-operator"] ==== Cluster Samples Operator on Power and Z 
@@ -1426,6 +1431,28 @@ In some cases, these errors might cause the `KubeAPIErrorsHigh` alert to fire, b * Rules API back-ends are sometimes not detected if Store API stores are discovered before Rules API stores. When this occurs, a store reference is created without a Rules API client, and the Rules API endpoint from Thanos Querier does not return any rules. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1870287[*BZ#1870287*]) +* If an AWS account is configured to use AWS Organizations service control policies (SCPs) that use a global condition to deny all actions or require a specific permission, the AWS policy simulator API that validates permissions produces a false negative. When the permissions cannot be validated, {product-title} AWS installations fail, even if the provided credentials have the required permissions for installation. ++ +To work around this issue, you can bypass the AWS policy simulator permissions check by setting a value for the `credentialsMode` parameter in the `install-config.yaml` configuration file. The value of `credentialsMode` changes the behavior of the Cloud Credential Operator (CCO) to one of xref:../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[three supported modes]. ++ +.Example `install-config.yaml` configuration file ++ +[source,yaml] +---- +apiVersion: v1 +baseDomain: cluster1.example.com +credentialsMode: Mint <1> +compute: +- architecture: amd64 + hyperthreading: Enabled +... +---- +<1> This line is added to set the `credentialsMode` parameter to `Mint`. ++ +When bypassing this check, ensure that the credentials you provide have the xref:../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[permissions that are required for the specified mode]. ++ +(link:https://bugzilla.redhat.com/show_bug.cgi?id=1829101[*BZ#1829101*]) + [id="ocp-4-6-asynchronous-errata-updates"] == Asynchronous errata updates
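Review bot: In the first hunk, the new `ocp-4-6-cloud-credential-operator-mode-support` section is inserted directly under `=== Images`, ahead of the Cluster Samples Operator entry, but the paragraph is about how the CCO uses cloud credentials, not about images. Consider moving it under a heading that covers installation or credentials. The paragraph also says the CCO "can now be explicitly configured" without saying how. The known-issue entry in the second hunk uses the `credentialsMode` parameter in `install-config.yaml`, so naming that parameter here would let a reader act on the note without following the xref. A short phrase per mode on what distinguishes `Mint`, `Passthrough`, and `Manual` would help readers pick one deliberately, since the choice determines how the provided credentials are used.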
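Review bot: In the second hunk, the workaround says the simulator check is bypassed "by setting a value for the `credentialsMode` parameter", but this entry never lists the accepted values, and the example and its callout show only `Mint`. A reader can easily copy `Mint` as if it were the required setting. Suggest naming `Mint`, `Passthrough`, and `Manual` in the workaround sentence and stating that the example shows one of them. Because the workaround removes the install-time permission validation, the closing "ensure that the credentials you provide have the permissions" sentence is the only remaining safeguard, so it would read better placed before the example or folded into the workaround paragraph rather than after the callout. Separately, there is a `+` continuation line between the `.Example` block title and `[source,yaml]`. That is likely to detach the title from the listing, so check the rendered output and drop that `+` if the title does not attach.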