mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
OSDOCS-14662: Updated Creating a cluster on GC with WIF auth for DITA compliance.
This commit is contained in:
committed by
openshift-cherrypick-robot
parent
0b627023a5
commit
78f137ff2e
@@ -1,164 +1,20 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="create-wif-cluster-cli_{context}"]
|
||||
= Creating a Workload Identity Federation cluster using the OCM CLI
|
||||
|
||||
[role="_abstract"]
|
||||
You can create an {product-title} on {GCP} cluster with Workload Identity Federation (WIF) using the OpenShift Cluster Manager CLI (`ocm`) in interactive or non-interactive mode.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Download the latest version of the OpenShift Cluster Manager CLI (`ocm`) for your operating system from the link:https://console.redhat.com/openshift/downloads[Downloads] page on OpenShift Cluster Manager.
|
||||
====
|
||||
|
||||
[IMPORTANT]
|
||||
====
|
||||
[subs="attributes+"]
|
||||
OpenShift Cluster Manager API command-line interface (`ocm`) is a Developer Preview feature only.
|
||||
For more information about the support scope of Red Hat Developer Preview features, see link:https://access.redhat.com/support/offerings/devpreview/[Developer Preview Support Scope].
|
||||
====
|
||||
|
||||
Before creating the cluster, you must first create a WIF configuration.
|
||||
[NOTE]
|
||||
====
|
||||
Migrating an existing non-WIF cluster to a WIF configuration is not supported. This feature can only be enabled during new cluster creation.
|
||||
====
|
||||
|
||||
[id="create-wif-configuration_{context}"]
|
||||
== Creating a WIF configuration
|
||||
|
||||
.Procedure
|
||||
You can create a WIF configuration using the `auto` mode or the `manual` mode.
|
||||
|
||||
The `auto` mode enables you to automatically create the service accounts for {product-title} components as well as other IAM resources.
|
||||
|
||||
Alternatively, you can use the `manual` mode. In `manual` mode, you are provided with commands within a `script.sh` file which you use to manually create the service accounts for {product-title} components as well as other IAM resources.
|
||||
|
||||
* Based on your mode preference, run one of the following commands to create a WIF configuration:
|
||||
|
||||
** Create a WIF configuration in auto mode by running the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp create wif-config --name <wif_name> \ <1>
|
||||
--project <gcp_project_id> \ <2>
|
||||
--version <osd_version> <3>
|
||||
--federated-project <gcp_project_id> <4>
|
||||
----
|
||||
<1> Replace `<wif_name>` with the name of your WIF configuration.
|
||||
<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
|
||||
<3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
|
||||
<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project` flag.
|
||||
+
|
||||
[NOTE]
|
||||
=====
|
||||
Using a dedicated project to create and manage workload identity pools and providers is recommended by {GCP}.
|
||||
Using a dedicated project helps you to establish centralized governance over the configuration of workload identity pools and providers, enforce uniform attribute mappings and conditions throughout all projects and applications, and ensure that only authorized identity providers can authenticate with WIF.
|
||||
|
||||
For more information, see link:https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project[Use a dedicated project to manage workload identity pools and providers].
|
||||
=====
|
||||
+
|
||||
[IMPORTANT]
|
||||
====
|
||||
Creating and managing workload identity pools and providers in a dedicated project is only allowed during initial WIF configuration creation. The `--federated-project` flag cannot be applied to existing `wif-configs`.
|
||||
====
|
||||
+
|
||||
--
|
||||
.Example output
|
||||
[source,terminal]
|
||||
----
|
||||
2024/09/26 13:05:41 Creating workload identity configuration...
|
||||
2024/09/26 13:05:47 Workload identity pool created with name 2e1kcps6jtgla8818vqs8tbjjls4oeub
|
||||
2024/09/26 13:05:47 workload identity provider created with name oidc
|
||||
2024/09/26 13:05:48 IAM service account osd-worker-oeub created
|
||||
2024/09/26 13:05:49 IAM service account osd-control-plane-oeub created
|
||||
2024/09/26 13:05:49 IAM service account openshift-gcp-ccm-oeub created
|
||||
2024/09/26 13:05:50 IAM service account openshift-gcp-pd-csi-driv-oeub created
|
||||
2024/09/26 13:05:50 IAM service account openshift-image-registry-oeub created
|
||||
2024/09/26 13:05:51 IAM service account openshift-machine-api-gcp-oeub created
|
||||
2024/09/26 13:05:51 IAM service account osd-deployer-oeub created
|
||||
2024/09/26 13:05:52 IAM service account cloud-credential-operator-oeub created
|
||||
2024/09/26 13:05:52 IAM service account openshift-cloud-network-c-oeub created
|
||||
2024/09/26 13:05:53 IAM service account openshift-ingress-gcp-oeub created
|
||||
2024/09/26 13:05:55 Role "osd_deployer_v4.19" updated
|
||||
----
|
||||
--
|
||||
+
|
||||
** Create a WIF configuration in manual mode by running the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp create wif-config --name <wif_name> \ <1>
|
||||
--project <gcp_project_id> \ <2>
|
||||
--mode=manual
|
||||
----
|
||||
<1> Replace `<wif_name>` with the name of your WIF configuration.
|
||||
<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
|
||||
+
|
||||
Once the WIF is configured, the following service accounts, roles, and groups are created.
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
Red{nbsp}Hat custom roles are versioned with every OpenShift y-stream release, for example 4.19.
|
||||
====
|
||||
+
|
||||
.WIF configuration service accounts, group and roles
|
||||
[cols="2a,3a",options="header"]
|
||||
|===
|
||||
|
||||
|Service Account/Group
|
||||
|{gcp-short} pre-defined roles and Red Hat custom roles
|
||||
|
||||
|
||||
|osd-deployer
|
||||
|osd_deployer_v<y-stream-version>
|
||||
|
||||
|osd-control-plane
|
||||
|- compute.instanceAdmin
|
||||
- compute.networkAdmin
|
||||
- compute.securityAdmin
|
||||
- compute.storageAdmin
|
||||
|
||||
|osd-worker
|
||||
|- compute.storageAdmin
|
||||
- compute.viewer
|
||||
|
||||
|cloud-credential-operator-gcp-ro-creds
|
||||
|cloud_credential_operator_gcp_ro_creds_v<y-stream-version>
|
||||
|
||||
|openshift-cloud-network-config-controller-gcp
|
||||
|openshift_cloud_network_config_controller_gcp_v<y-stream-version>
|
||||
|
||||
|openshift-gcp-ccm
|
||||
|openshift_gcp_ccm_v<y-stream-version>
|
||||
|
||||
|openshift-gcp-pd-csi-driver-operator
|
||||
|- compute.storageAdmin
|
||||
- iam.serviceAccountUser
|
||||
- resourcemanager.tagUser
|
||||
- openshift_gcp_pd_csi_driver_operator_v<y-stream-version>
|
||||
|
||||
|openshift-image-registry-gcp
|
||||
|openshift_image_registry_gcs_v<y-stream-version>
|
||||
|
||||
|openshift-ingress-gcp
|
||||
|openshift_ingress_gcp_v<y-stream-version>
|
||||
|
||||
|openshift-machine-api-gcp
|
||||
|openshift_machine_api_gcp_v<y-stream-version>
|
||||
|
||||
|Access via SRE group:sd-sre-platform-gcp-access
|
||||
|sre_managed_support
|
||||
|===
|
||||
|
||||
For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
|
||||
|
||||
[id="create-wif-cluster_{context}"]
|
||||
== Creating a WIF cluster
|
||||
|
||||
.Procedure
|
||||
You can create a WIF cluster using the `interactive` mode or the `non-interactive` mode.
|
||||
|
||||
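Review bot: the header comment of this module lists two assemblies (osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc and osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc), but the `== Creating a WIF configuration` section and its service-account/roles table that leave this module in this hunk reappear only in new modules whose header comments list the osd_gcp_clusters assembly alone. Confirm that the osd_install_access_delete_cluster assembly still pulls in the WIF configuration steps, or add the new modules to its header comment and include list as well.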
@@ -224,177 +80,4 @@ If an {product-title} version is specified, the version must also be supported b
|
||||
[IMPORTANT]
|
||||
====
|
||||
If your cluster deployment fails during installation, certain resources created during the installation process are not automatically removed from your {GCP} account. To remove these resources from your {gcp-short} account, you must delete the failed cluster.
|
||||
====
|
||||
|
||||
[id="ocm-cli-list-wif-commands_{context}"]
|
||||
== Listing WIF clusters
|
||||
|
||||
To list all of your {product-title} clusters that have been deployed using the WIF authentication type, run the following command:
|
||||
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm list clusters --parameter search="gcp.authentication.wif_config_id != ''"
|
||||
----
|
||||
To list all of your {product-title} clusters that have been deployed using a specific wif-config, run the following command:
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm list clusters --parameter search="gcp.authentication.wif_config_id = '<wif_config_id>'" <1>
|
||||
----
|
||||
<1> Replace `<wif_config_id>` with the ID of the WIF configuration.
|
||||
|
||||
[id="wif-configuration-update_{context}"]
|
||||
== Updating a WIF configuration
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Updating a WIF configuration is only applicable for y-stream updates. For an overview of the update process, including details regarding version semantics, see link:https://www.redhat.com/en/blog/the-ultimate-guide-to-openshift-release-and-upgrade-process-for-cluster-administrators#:~:text=Ongoing%20security%20patches%20and%20bug,is%20the%20dark%20green%20bar.[The Ultimate Guide to OpenShift Release and Upgrade Process for Cluster Administrators].
|
||||
====
|
||||
Before upgrading a WIF-enabled {product-title} cluster to a newer version, you must update the wif-config to that version as well. If you do not update the wif-config version before attempting to upgrade the cluster version, the cluster version upgrade will fail.
|
||||
|
||||
As part of Red{nbsp}Hat's ongoing commitment to the principle of least privilege, certain permissions previously assigned to the `osd-deployer` service account in WIF configurations have been removed. These changes help enhance the security of your clusters by ensuring that service accounts have only the permissions they need to perform their functions.
|
||||
|
||||
For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
|
||||
|
||||
To align your existing WIF configurations with these updated permissions, you can run the `ocm gcp update wif-config` command. This command updates the WIF configuration to include the latest permissions and roles required for optimal operation.
|
||||
|
||||
When you update a wif-config or create a new one, ensure your {cluster-manager} CLI (`ocm`) is up to date. Not updating to the latest version of the `ocm` can result in error messages and service disruptions.
|
||||
|
||||
.Example output
|
||||
[source,text]
|
||||
----
|
||||
Error: failed to create wif-config: failed to create wif-config: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400', at '2025-10-06T15:18:37Z' and operation identifier is 'f9551d63-a58a-4e3c-b847-5f99ba1b0b74': Client version is out of date for WIF operations. Please update from vOCM-CLI/1.0.7 to v1.0.8 and try again.
|
||||
----
|
||||
|
||||
.Procedure
|
||||
. To check the version of your `ocm`, run the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm version
|
||||
----
|
||||
+
|
||||
. Optional: If your `ocm` version is not the latest available, download and install the latest version from the link:https://console.redhat.com/openshift/downloads[Downloads] page on {cluster-manager}.
|
||||
+
|
||||
. Update a wif-config to a specific {product-title} version by running the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
ocm gcp update wif-config <wif_name> \ <1>
|
||||
--version <version> <2>
|
||||
----
|
||||
<1> Replace `<wif_name>` with the name of the WIF configuration you want to update.
|
||||
<2> Optional: Replace `<version>` with the {product-title} y-stream version you plan to update the cluster to. If you do not specify a version, the wif-config will be updated to support the latest {product-title} y-stream version as well as the last three {product-title} supported y-stream versions (beginning with version 4.17).
|
||||
|
||||
[id="wif-removing-stale-permissions_{context}"]
|
||||
== Removing stale permissions from service accounts managed by a WIF configuration
|
||||
|
||||
The stale set of permissions previously assigned to the `osd-deployer` service account will remain on the account after updating the wif-config. You need to manually access the roles and remove these stale permissions from them.
|
||||
|
||||
[id="wif-removing-stale-deployer-permissions_{context}"]
|
||||
=== Removing stale deployer permissions from service accounts managed by a WIF configuration
|
||||
|
||||
To remove the stale deployer permissions, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.
|
||||
|
||||
.Procedure
|
||||
|
||||
. Retrieve the existing role definition, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles describe \
|
||||
osd_deployer_v4.18 \
|
||||
--project $PROJECT_ID \
|
||||
--format=yaml > /tmp/role.yaml
|
||||
----
|
||||
+
|
||||
. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ cat /tmp/role.yaml | \
|
||||
grep -v "resourcemanager.projects.setIamPolicy" | \
|
||||
grep -v "iam.serviceAccounts.signBlob" | \
|
||||
grep -v "iam.serviceAccounts.actAs" > /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ diff /tmp/role.yaml /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles update \
|
||||
osd_deployer_v4.18 \
|
||||
--project=$PROJECT_ID \
|
||||
--file=/tmp/updated_role.yaml
|
||||
----
|
||||
|
||||
[id="wif-removing-stale-support-permissions_{context}"]
|
||||
=== Removing stale support permissions from service accounts managed by a WIF configuration
|
||||
|
||||
To remove stale support permissions, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.
|
||||
|
||||
.Procedure
|
||||
|
||||
. Retrieve the existing role defintion, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles describe sre_managed_support --project $PROJECT_ID --format=yaml > /tmp/role.yaml
|
||||
----
|
||||
+
|
||||
. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ cat /tmp/role.yaml | grep -v "compute.firewalls.create" > /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ diff /tmp/role.yaml /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles update sre_managed_support --project $PROJECT_ID --file=/tmp/updated_role.yaml
|
||||
----
|
||||
|
||||
[id="ocm-cli-verify-wif-commands_{context}"]
|
||||
== Verifying a WIF configuration
|
||||
You can verify that the configuration of resources associated with a WIF configuration are correct by running the `ocm gcp verify wif-config` command. If a misconfiguration is found, the output provides details about the misconfiguration and recommends that you update the WIF configuration.
|
||||
|
||||
You need the name and ID of the WIF configuration you want to verify before verification.
|
||||
To obtain the name and ID of your active WIF configurations, run the following command:
|
||||
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp list wif-configs
|
||||
----
|
||||
|
||||
To determine if the WIF configuration you want to verify is configured correctly, run the following command:
|
||||
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp verify wif-config <wif_config_name>|<wif_config_id> <1>
|
||||
----
|
||||
<1> Replace `<wif_config_name>` and `<wif_config_id>` with the name and ID of your WIF configuration, respectively.
|
||||
|
||||
--
|
||||
.Example output
|
||||
[source,terminal]
|
||||
----
|
||||
Error: verification failed with error: missing role 'compute.storageAdmin'.
|
||||
Running 'ocm gcp update wif-config' may fix errors related to cloud resource misconfiguration.
|
||||
exit status 1.
|
||||
----
|
||||
--
|
||||
====
|
||||
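Review bot: the "Removing stale deployer permissions" steps hard-code the role name `osd_deployer_v4.18` in both `gcloud iam roles describe` and `gcloud iam roles update`, while the example output in the same file shows `Role "osd_deployer_v4.19" updated` and the permissions link points at `resources/wif/4.19/vanilla.yaml`; since the NOTE states that Red Hat custom roles are versioned per y-stream, use a placeholder with a callout, for example `osd_deployer_v<y-stream-version>`, or say which version the procedure targets. Smaller point in the same steps: `cat /tmp/role.yaml | grep -v ...` can be written as `grep -v "..." /tmp/role.yaml`, and because `grep -v` drops every line that merely contains the string, the `diff /tmp/role.yaml /tmp/updated_role.yaml` review step is what catches an unintended match, so keep it as a required step before `gcloud iam roles update`.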
@@ -1,12 +1,20 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="create-wif-cluster-ocm_{context}"]
|
||||
= Creating a Workload Identity Federation cluster using {cluster-manager}
|
||||
|
||||
[role="_abstract"]
|
||||
Follow the steps in this procedure to create an {product-title} cluster on {gcp-full} using Workload Identity Federation (WIF) for authentication through the {cluster-manager} web console
|
||||
|
||||
.Prerequisites
|
||||
|
||||
* You have created a WIF configuration. For more information, see "Creating a Workload Identity Federation configuration".
|
||||
* You have access to the {cluster-manager} web console. For more information, see _Accessing {cluster-manager}_ in the _Additional resources_ section.
|
||||
|
||||
.Procedure
|
||||
|
||||
. Log in to {cluster-manager-url} and click *Create cluster* on the {product-title} card.
|
||||
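Review bot: the abstract sentence `Follow the steps in this procedure to create an {product-title} cluster on {gcp-full} using Workload Identity Federation (WIF) for authentication through the {cluster-manager} web console` has no terminal period. Also, the prerequisite bullet quotes the target module as "Creating a Workload Identity Federation configuration", so the title of the new create-wif-configuration module must match that wording exactly for the cross-reference to stay correct.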
@@ -30,26 +38,7 @@ Workload Identity Federation (WIF), {gcp-full}'s recommended method of authentic
|
||||
.. Read and complete all the required prerequisites.
|
||||
|
||||
.. Click the checkbox indicating that you have read and completed all the required prerequisites.
|
||||
|
||||
+
|
||||
. To create a new WIF configuration, open a terminal window and run the following OCM CLI command.
|
||||
+
|
||||
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp create wif-config --name <wif_name> \ <1>
|
||||
--project <gcp_project_id> \ <2>
|
||||
--version <osd_version> <3>
|
||||
--federated-project <gcp_project_id> <4>
|
||||
----
|
||||
<1> Replace `<wif_name>` with the name of your WIF configuration.
|
||||
<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
|
||||
<3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
|
||||
<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If `--federated-project` is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project flag`.
|
||||
+
|
||||
. Select a configured WIF configuration from the *WIF configuration* drop-down list. If you want to select the WIF configuration you created in the last step, click *Refresh* first.
|
||||
+
|
||||
|
||||
. Select a configured WIF configuration from the *WIF configuration* drop-down list.
|
||||
. Click *Next*.
|
||||
. On the *Details* page, provide a name for your cluster and specify the cluster details:
|
||||
.. In the *Cluster name* field, enter a name for your cluster.
|
||||
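Review bot: callout `<4>` misplaces the backticks in `the \`--project flag\``; it should read `the \`--project\` flag`, as the other module's callout does. The hunk also shows two consecutive steps that both begin `Select a configured WIF configuration from the *WIF configuration* drop-down list`, one with the `Refresh` hint and one without; make sure only one of them remains in the new version of the procedure. If the `ocm gcp create wif-config` block is retained, its `--version <osd_version> <3>` line needs a trailing `\` so that `--federated-project <gcp_project_id> <4>` is part of the same command.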
@@ -212,7 +201,7 @@ If the cluster privacy is set to *Private*, you cannot access your cluster until
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
You can review the end-of-life dates in the update lifecycle documentation for {product-title}. For more information, see link:https://access.redhat.com/documentation/en-us/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#osd-life-cycle[OpenShift Dedicated update life cycle].
|
||||
You can review the end-of-life dates in the update lifecycle documentation for {product-title}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#osd-life-cycle[OpenShift Dedicated update life cycle].
|
||||
====
|
||||
+
|
||||
.. Provide administrator approval based on your cluster update method:
|
||||
|
||||
135
modules/create-wif-configuration.adoc
Normal file
@@ -0,0 +1,135 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="create-wif-configuration_{context}"]
|
||||
= Creating a Workforce Identity Federation configuration
|
||||
|
||||
[role="_abstract"]
|
||||
|
||||
You can create a WIF configuration using the `auto` mode or the `manual` mode in the `ocm` CLI.
|
||||
|
||||
The `auto` mode enables you to automatically create the service accounts for {product-title} components as well as other IAM resources.
|
||||
|
||||
Alternatively, you can use the `manual` mode. In `manual` mode, you are provided with commands within a `script.sh` file which you use to manually create the service accounts for {product-title} components as well as other IAM resources.
|
||||
|
||||
.Procedure
|
||||
|
||||
* Based on your mode preference, run one of the following commands to create a WIF configuration:
|
||||
|
||||
** Create a WIF configuration in auto mode by running the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp create wif-config --name <wif_name> \ <1>
|
||||
--project <gcp_project_id> \ <2>
|
||||
--version <osd_version> <3>
|
||||
--federated-project <gcp_project_id> <4>
|
||||
----
|
||||
<1> Replace `<wif_name>` with the name of your WIF configuration.
|
||||
<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
|
||||
<3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
|
||||
<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project` flag.
|
||||
+
|
||||
[IMPORTANT]
|
||||
=====
|
||||
Using a dedicated project to create and manage workload identity pools and providers is recommended by {GCP}.
|
||||
Using a dedicated project helps you to establish centralized governance over the configuration of workload identity pools and providers, enforce uniform attribute mappings and conditions throughout all projects and applications, and ensure that only authorized identity providers can authenticate with WIF.
|
||||
|
||||
Creating and managing workload identity pools and providers in a dedicated project is only allowed during initial WIF configuration creation. The `--federated-project` flag cannot be applied to existing `wif-configs`.
|
||||
|
||||
For more information, see link:https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project[Use a dedicated project to manage workload identity pools and providers].
|
||||
=====
|
||||
+
|
||||
--
|
||||
**Example output**
|
||||
[source,terminal]
|
||||
----
|
||||
2024/09/26 13:05:41 Creating workload identity configuration...
|
||||
2024/09/26 13:05:47 Workload identity pool created with name 2e1kcps6jtgla8818vqs8tbjjls4oeub
|
||||
2024/09/26 13:05:47 workload identity provider created with name oidc
|
||||
2024/09/26 13:05:48 IAM service account osd-worker-oeub created
|
||||
2024/09/26 13:05:49 IAM service account osd-control-plane-oeub created
|
||||
2024/09/26 13:05:49 IAM service account openshift-gcp-ccm-oeub created
|
||||
2024/09/26 13:05:50 IAM service account openshift-gcp-pd-csi-driv-oeub created
|
||||
2024/09/26 13:05:50 IAM service account openshift-image-registry-oeub created
|
||||
2024/09/26 13:05:51 IAM service account openshift-machine-api-gcp-oeub created
|
||||
2024/09/26 13:05:51 IAM service account osd-deployer-oeub created
|
||||
2024/09/26 13:05:52 IAM service account cloud-credential-operator-oeub created
|
||||
2024/09/26 13:05:52 IAM service account openshift-cloud-network-c-oeub created
|
||||
2024/09/26 13:05:53 IAM service account openshift-ingress-gcp-oeub created
|
||||
2024/09/26 13:05:55 Role "osd_deployer_v4.19" updated
|
||||
----
|
||||
--
|
||||
+
|
||||
** Create a WIF configuration in manual mode by running the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp create wif-config --name <wif_name> \ <1>
|
||||
--project <gcp_project_id> \ <2>
|
||||
--mode=manual
|
||||
----
|
||||
<1> Replace `<wif_name>` with the name of your WIF configuration.
|
||||
<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
|
||||
+
|
||||
Once the WIF is configured, the following service accounts, roles, and groups are created.
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
Red{nbsp}Hat custom roles are versioned with every OpenShift y-stream release, for example 4.19.
|
||||
====
|
||||
+
|
||||
.WIF configuration service accounts, group and roles
|
||||
[cols="2a,3a",options="header"]
|
||||
|===
|
||||
|
||||
|Service Account/Group
|
||||
|{gcp-short} pre-defined roles and Red Hat custom roles
|
||||
|
||||
|
||||
|osd-deployer
|
||||
|osd_deployer_v<y-stream-version>
|
||||
|
||||
|osd-control-plane
|
||||
|- compute.instanceAdmin
|
||||
- compute.networkAdmin
|
||||
- compute.securityAdmin
|
||||
- compute.storageAdmin
|
||||
|
||||
|osd-worker
|
||||
|- compute.storageAdmin
|
||||
- compute.viewer
|
||||
|
||||
|cloud-credential-operator-gcp-ro-creds
|
||||
|cloud_credential_operator_gcp_ro_creds_v<y-stream-version>
|
||||
|
||||
|openshift-cloud-network-config-controller-gcp
|
||||
|openshift_cloud_network_config_controller_gcp_v<y-stream-version>
|
||||
|
||||
|openshift-gcp-ccm
|
||||
|openshift_gcp_ccm_v<y-stream-version>
|
||||
|
||||
|openshift-gcp-pd-csi-driver-operator
|
||||
|- compute.storageAdmin
|
||||
- iam.serviceAccountUser
|
||||
- resourcemanager.tagUser
|
||||
- openshift_gcp_pd_csi_driver_operator_v<y-stream-version>
|
||||
|
||||
|openshift-image-registry-gcp
|
||||
|openshift_image_registry_gcs_v<y-stream-version>
|
||||
|
||||
|openshift-ingress-gcp
|
||||
|openshift_ingress_gcp_v<y-stream-version>
|
||||
|
||||
|openshift-machine-api-gcp
|
||||
|openshift_machine_api_gcp_v<y-stream-version>
|
||||
|
||||
|Access via SRE group:sd-sre-platform-gcp-access
|
||||
|sre_managed_support
|
||||
|===
|
||||
+
|
||||
For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
|
||||
|
||||
|
||||
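Review bot: the new module title `= Creating a Workforce Identity Federation configuration` should say `Workload Identity Federation`: the body, the `wif-config` commands, the IMPORTANT block and the assembly file name all refer to Workload Identity Federation (Workforce Identity Federation is a separate {gcp-short} feature for human users, not workloads). Three more points in this file: `[role="_abstract"]` is separated from its paragraph by a blank line, so the role does not attach to the abstract (the other new modules put the paragraph directly under the attribute); in the auto-mode command the line `--version <osd_version> <3>` has no trailing `\`, so `--federated-project <gcp_project_id> <4>` would run as a separate command when copied; and callouts `<2>` and `<4>` both use the `<gcp_project_id>` placeholder for two different projects, so give the federated one its own name, for example `<federated_project_id>`.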
31
modules/ocm-cli-list-wif-commands.adoc
Normal file
@@ -0,0 +1,31 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="ocm-cli-list-wif-commands_{context}"]
|
||||
= Listing Workforce Identity Federation clusters
|
||||
|
||||
[role="_abstract"]
|
||||
You can list {product-title} clusters that have been deployed using Workload Identity Federation (WIF) authentication by using the {cluster-manager} CLI (`ocm`).
|
||||
|
||||
.Procedure
|
||||
|
||||
* To list all of your {product-title} clusters that have been deployed using the WIF authentication type, run one of the following commands:
|
||||
+
|
||||
** Using the `--parameter` flag with the `search` option:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm list clusters --parameter search="gcp.authentication.wif_config_id != ''"
|
||||
----
|
||||
+
|
||||
** Using a specific wif-config ID to filter the clusters associated with that configuration:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm list clusters --parameter search="gcp.authentication.wif_config_id = '<wif_config_id>'" <1>
|
||||
----
|
||||
<1> Replace `<wif_config_id>` with the ID of the WIF configuration.
|
||||
|
||||
|
||||
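Review bot: the title `= Listing Workforce Identity Federation clusters` does not match the abstract directly below it, which expands WIF as `Workload Identity Federation (WIF)`; change the title to `Listing Workload Identity Federation clusters`.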
37
modules/ocm-cli-verify-wif-commands.adoc
Normal file
@@ -0,0 +1,37 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
|
||||
[id="ocm-cli-verify-wif-commands_{context}"]
|
||||
= Verifying a Workforce Identity Federation configuration
|
||||
|
||||
[role="_abstract"]
|
||||
You can verify that the configuration of resources associated with a WIF configuration are correct by running the `ocm gcp verify wif-config` command. If a misconfiguration is found, the output provides details about the misconfiguration and recommends that you update the WIF configuration.
|
||||
|
||||
You need the name and ID of the WIF configuration you want to verify before verification.
|
||||
To obtain the name and ID of your active WIF configurations, run the following command:
|
||||
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp list wif-configs
|
||||
----
|
||||
|
||||
To determine if the WIF configuration you want to verify is configured correctly, run the following command:
|
||||
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm gcp verify wif-config <wif_config_name>|<wif_config_id> <1>
|
||||
----
|
||||
<1> Replace `<wif_config_name>` and `<wif_config_id>` with the name and ID of your WIF configuration, respectively.
|
||||
|
||||
--
|
||||
**Example output**
|
||||
[source,terminal]
|
||||
----
|
||||
Error: verification failed with error: missing role 'compute.storageAdmin'.
|
||||
Running 'ocm gcp update wif-config' may fix errors related to cloud resource misconfiguration.
|
||||
exit status 1.
|
||||
----
|
||||
--
|
||||
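Review bot: the title "= Verifying a Workforce Identity Federation configuration" names the wrong feature; the module id `ocm-cli-verify-wif-commands_{context}`, the abstract and the `ocm gcp verify wif-config` command all concern Workload Identity Federation, and Workforce Identity Federation is a different {gcp-full} IAM feature. Also in this module: the abstract's "the configuration of resources associated with a WIF configuration are correct" should read "is correct"; the file is typed PROCEDURE but its two commands carry no `.Procedure` block title; and the `--` open-block delimiters around "Example output" are not attached to a list item with `+`, so they serve no purpose and can be dropped.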
57
modules/wif-configuration-update.adoc
Normal file
@@ -0,0 +1,57 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
|
||||
[id="wif-configuration-update_{context}"]
|
||||
= Updating a Workforce Identity Federation configuration
|
||||
|
||||
[role="_abstract"]
|
||||
You can update an existing Workload Identity Federation (WIF) configuration to support newer {product-title} y-stream versions and to align with the latest security best practices.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Updating a WIF configuration is only applicable for y-stream updates. For an overview of the update process, including details regarding version semantics, see link:https://www.redhat.com/en/blog/the-ultimate-guide-to-openshift-release-and-upgrade-process-for-cluster-administrators#:~:text=Ongoing%20security%20patches%20and%20bug,is%20the%20dark%20green%20bar.[The Ultimate Guide to OpenShift Release and Upgrade Process for Cluster Administrators].
|
||||
====
|
||||
Before upgrading a WIF-enabled {product-title} cluster to a newer version, you must update the wif-config to that version as well. If you do not update the wif-config version before attempting to upgrade the cluster version, the cluster version upgrade will fail.
|
||||
|
||||
As part of Red{nbsp}Hat's ongoing commitment to the principle of least privilege, certain permissions previously assigned to the `osd-deployer` service account in WIF configurations have been removed. These changes help enhance the security of your clusters by ensuring that service accounts have only the permissions they need to perform their functions.
|
||||
|
||||
For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
|
||||
|
||||
To align your existing WIF configurations with these updated permissions, you can run the `ocm gcp update wif-config` command. This command updates the WIF configuration to include the latest permissions and roles required for optimal operation.
|
||||
|
||||
When you update a wif-config or create a new one, ensure your {cluster-manager} CLI (`ocm`) is up to date. Not updating to the latest version of the `ocm` can result in error messages and service disruptions.
|
||||
|
||||
**Example output**
|
||||
[source,text]
|
||||
----
|
||||
Error: failed to create wif-config: failed to create wif-config: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400', at '2025-10-06T15:18:37Z' and operation identifier is 'f9551d63-a58a-4e3c-b847-5f99ba1b0b74': Client version is out of date for WIF operations. Please update from vOCM-CLI/1.0.7 to v1.0.8 and try again.
|
||||
----
|
||||
|
||||
.Procedure
|
||||
. To check the version of your `ocm`, run the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ ocm version
|
||||
----
|
||||
+
|
||||
. Optional: If your `ocm` version is not the latest available, download and install the latest version from the link:https://console.redhat.com/openshift/downloads[Downloads] page on {cluster-manager}.
|
||||
+
|
||||
. Update a wif-config to a specific {product-title} version by running the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
ocm gcp update wif-config <wif_name> \ <1>
|
||||
--version <version> <2>
|
||||
----
|
||||
<1> Replace `<wif_name>` with the name of the WIF configuration you want to update.
|
||||
<2> Optional: Replace `<version>` with the {product-title} y-stream version you plan to update the cluster to. If you do not specify a version, the wif-config will be updated to support the latest {product-title} y-stream version as well as the last three {product-title} supported y-stream versions (beginning with version 4.17).
|
||||
|
||||
.Next steps
|
||||
|
||||
The stale set of permissions previously assigned to the `osd-deployer` service account will remain on the account after updating the wif-config. You need to manually access the roles and remove these stale permissions from them.
|
||||
|
||||
Follow the instructions in the "Removing stale deployer permissions from service accounts managed by a WIF configuration" and "Removing stale support permissions from service accounts managed by a WIF configuration" guides to remove these stale permissions.
|
||||
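Review bot: the command block "ocm gcp update wif-config <wif_name> \ <1>" is the only `[source,terminal]` block in this change without the `$` prompt. The "Example output" block placed before `.Procedure` shows a "failed to create wif-config" error rather than an update error, so readers may not connect it to the version check; move it under the `ocm version` step or state that the same client-version error is returned by `ocm gcp update wif-config`. The title repeats the "Workforce" wording where "Workload" is meant. The link to `resources/wif/4.19/vanilla.yaml` pins a single y-stream while the text says an unversioned update covers the latest and the last three y-stream versions; linking the `resources/wif` directory, or noting that the path is version-specific, would avoid the page going stale.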
@@ -1,15 +1,16 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
|
||||
// *osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
|
||||
:_mod-docs-content-type: CONCEPT
|
||||
[id="workload-identity-federation-overview_{context}"]
|
||||
= Workload Identity Federation overview
|
||||
|
||||
[role="_abstract"]
|
||||
Workload Identity Federation (WIF) is a {GCP} Identity and Access Management (IAM) feature that provides third parties a secure method to access resources on a customer's cloud account. WIF eliminates the need for service account keys, and is {gcp-full}'s preferred method of credential authentication.
|
||||
|
||||
While service account keys can provide powerful access to your {gcp-full} resources, they must be maintained by the user and can be a security risk if they are not managed properly. WIF does not use service keys as an access method for your Google cloud resources. Instead, WIF grants access by using credentials from external identity providers to generate short-lived credentials for workloads. The workloads can then use these credentials to temporarily impersonate service accounts and access {gcp-full} resources. This removes the burden of having to properly maintain service account keys, and removes the risk of unauthorized users gaining access to service account keys.
|
||||
While service account keys can provide powerful access to your {gcp-full} resources, they must be maintained by the user and can be a security risk if they are not managed properly. WIF does not use service keys as an access method for your {gcp-full} resources. Instead, WIF grants access by using credentials from external identity providers to generate short-lived credentials for workloads. The workloads can then use these credentials to temporarily impersonate service accounts and access {gcp-full} resources. This removes the burden of having to properly maintain service account keys, and removes the risk of unauthorized users gaining access to service account keys.
|
||||
|
||||
The following bulleted items provides a basic overview of the Workload Identity Federation process:
|
||||
|
||||
|
||||
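Review bot: the new comment line "// *osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc" is missing the space after `*` that the line above it has. In the surrounding text, "The following bulleted items provides" should read "provide", and "WIF does not use service keys" should say "service account keys", the term used everywhere else in the paragraph; the substitution of `{gcp-full}` for "Google cloud" in the rewritten paragraph is otherwise the only change and is correct.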
50
modules/wif-removing-stale-deployer-permissions.adoc
Normal file
@@ -0,0 +1,50 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
|
||||
[id="wif-removing-stale-deployer-permissions_{context}"]
|
||||
= Removing stale deployer permissions from service accounts managed by a WIF configuration
|
||||
|
||||
[role="_abstract"]
|
||||
To remove the stale deployer permissions from service accounts managed by a WIF configuration, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.
|
||||
|
||||
.Procedure
|
||||
|
||||
. Retrieve the existing role definition, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles describe \
|
||||
osd_deployer_v4.18 \
|
||||
--project $PROJECT_ID \
|
||||
--format=yaml > /tmp/role.yaml
|
||||
----
|
||||
+
|
||||
. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ cat /tmp/role.yaml | \
|
||||
grep -v "resourcemanager.projects.setIamPolicy" | \
|
||||
grep -v "iam.serviceAccounts.signBlob" | \
|
||||
grep -v "iam.serviceAccounts.actAs" > /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ diff /tmp/role.yaml /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles update \
|
||||
osd_deployer_v4.18 \
|
||||
--project=$PROJECT_ID \
|
||||
--file=/tmp/updated_role.yaml
|
||||
----
|
||||
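Review bot: the role name `osd_deployer_v4.18` is hard-coded in both the `gcloud iam roles describe` and `gcloud iam roles update` commands, while the update module links the 4.19 role definitions; say that the version suffix must match the wif-config version the reader just updated to, or use a `<version>` placeholder with a callout. The `describe` call passes `--project $PROJECT_ID` and the `update` call `--project=$PROJECT_ID`; use one form. "cat /tmp/role.yaml | grep -v ..." can be `grep -v -F -e ... /tmp/role.yaml`, which matches the permission names as fixed strings instead of regular expressions (unescaped dots match any character). The `diff` step should state the expected result, namely only the three permission lines removed, and step 1 assumes `PROJECT_ID` is already set without ever showing how; an `export PROJECT_ID=<project_id>` line would make the procedure self-contained.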
41
modules/wif-removing-stale-support-permissions.adoc
Normal file
@@ -0,0 +1,41 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
|
||||
[id="wif-removing-stale-support-permissions_{context}"]
|
||||
= Removing stale support permissions from service accounts managed by a WIF configuration
|
||||
|
||||
[role="_abstract"]
|
||||
To remove stale support permissions, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.
|
||||
|
||||
.Procedure
|
||||
|
||||
. Retrieve the existing role defintion, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles describe sre_managed_support --project $PROJECT_ID --format=yaml > /tmp/role.yaml
|
||||
----
|
||||
+
|
||||
. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ cat /tmp/role.yaml | grep -v "compute.firewalls.create" > /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ diff /tmp/role.yaml /tmp/updated_role.yaml
|
||||
----
|
||||
+
|
||||
. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ gcloud iam roles update sre_managed_support --project $PROJECT_ID --file=/tmp/updated_role.yaml
|
||||
----
|
||||
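Review bot: typo "role defintion" in step 1. The abstract does not say which role holds the stale support permissions; naming `sre_managed_support` there would parallel the deployer module, which names `osd-deployer`. The commands here are on one line while the deployer module splits them with `\`; pick one layout for the two sibling modules. "cat /tmp/role.yaml | grep -v "compute.firewalls.create"" has the same fixed-string point as the deployer module (`grep -v -F`), and the `diff` step should say the expected difference is that single removed line.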
31
modules/wif-requirements.adoc
Normal file
@@ -0,0 +1,31 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
||||
|
||||
|
||||
:_mod-docs-content-type: CONCEPT
|
||||
[id="workload-identity-federation-requirements_{context}"]
|
||||
= Workload Identity Federation requirements
|
||||
|
||||
[role="_abstract"]
|
||||
You must complete the following prerequisites before creating a Workload Identity Federation (WIF) cluster using {cluster-manager} the `ocm` CLI.
|
||||
|
||||
* You have an active {gcp-full} account with the necessary permissions to create and manage resources required for deploying an {product-title} cluster using WIF authentication.
|
||||
* You have confirmed your {gcp-full} account has the necessary resource quotas and limits to support your desired cluster size according to the cluster resource requirements.
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
For more information regarding resource quotas and limits, see _Resource quotas per project_ in the _Additional resources_ section.
|
||||
====
|
||||
+
|
||||
* You have reviewed _Understanding {product-title}_ and _Architecture overview_.
|
||||
* You have reviewed _Understanding your cloud deployment options_.
|
||||
* You have read and completed the _Required customer procedure_.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
WIF supports the deployment of a private {product-title} on {GCP} cluster with Private Service Connect (PSC). Red Hat recommends using PSC when deploying private clusters.
|
||||
For more information about the prerequisites for PSC, see _Prerequisites for Private Service Connect_.
|
||||
====
|
||||
|
||||
|
||||
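Review bot: this new module `modules/wif-requirements.adoc` is not included by the assembly in this change (its `include::` lines cover wif-overview, create-wif-configuration, create-wif-cluster-ocm, create-wif-cluster-cli, ocm-cli-list-wif-commands, wif-configuration-update, the two removing-stale modules and ocm-cli-verify-wif-commands), and its bullets duplicate the assembly's `== Prerequisites` section; either include it and drop the inline list, or remove the file. The abstract "using {cluster-manager} the `ocm` CLI" is missing "or". The `+` after the NOTE's closing `====` is followed by a blank line and a new `*` item, so it is a dangling continuation, and "Red Hat" in the PSC note should be `Red{nbsp}Hat`, as the assembly change does.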
@@ -4,45 +4,61 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
= Creating a cluster on {gcp-short} with Workload Identity Federation authentication
|
||||
:context: osd-creating-a-cluster-on-gcp-with-workload-identity-federation
|
||||
|
||||
[role="_abstract"]
|
||||
As a system administrator or cloud engineer, you can provision an {product-title} cluster on {GCP} using Workload Identity Federation (WIF). This feature establishes a trust relationship that allows your cluster's control plane and workloads to securely assume the necessary {GCP} roles and access required services. This approach eliminates the security risk and operational overhead associated with managing and rotating long-lived {GCP} service account keys.
|
||||
|
||||
toc::[]
|
||||
|
||||
include::modules/wif-overview.adoc[leveloffset=+1]
|
||||
|
||||
[id="osd-creating-a-cluster-on-gcp-prerequisites1_{context}"]
|
||||
== Prerequisites
|
||||
You must complete the following prerequisites before xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-ocm_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a Workload Identity Federation cluster using OpenShift Cluster Manager] and xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-cli_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a Workload Identity Federation cluster using the OCM CLI].
|
||||
|
||||
|
||||
* You have confirmed your {gcp-full} account has the necessary resource quotas and limits to support your desired cluster size according to the cluster resource requirements.
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
For more information regarding resource quotas and limits, see _Additional resources_.
|
||||
====
|
||||
|
||||
* You have confirmed your {gcp-full} account has the necessary resource quotas and limits to support your desired cluster size according to the cluster resource requirements. For more information regarding resource quotas and limits, see _Additional resources_.
|
||||
* You have reviewed the xref:../osd_architecture/osd-understanding.adoc#osd-understanding[introduction to {product-title}] and the documentation on xref:../architecture/index.adoc#architecture-overview[architecture concepts].
|
||||
* You have reviewed the xref:../osd_getting_started/osd-understanding-your-cloud-deployment-options.adoc#osd-understanding-your-cloud-deployment-options[{product-title} cloud deployment options].
|
||||
|
||||
* You have read and completed the xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-procedure_gcp-ccs[Required customer procedure].
|
||||
* You have downloaded the latest version of the {cluster-manager} CLI (`ocm`) for your operating system from the link:https://console.redhat.com/openshift/downloads[Downloads] page on {cluster-manager}.
|
||||
+
|
||||
[IMPORTANT]
|
||||
====
|
||||
[subs="attributes+"]
|
||||
The `ocm` is a Developer Preview feature only.
|
||||
For more information about the support scope of Red Hat Developer Preview features, see link:https://access.redhat.com/support/offerings/devpreview/[Developer Preview Support Scope].
|
||||
====
|
||||
+
|
||||
* You have created a Workload Identity Federation configuration. For more information, see _Creating a Workforce Identity Federation configuration_.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
WIF supports the deployment of a private {product-title} on {GCP} cluster with Private Service Connect (PSC). Red Hat recommends using PSC when deploying private clusters.
|
||||
WIF supports the deployment of a private {product-title} on {GCP} cluster with Private Service Connect (PSC). Red{nbsp}Hat recommends using PSC when deploying private clusters.
|
||||
For more information about the prerequisites for PSC, see xref:../osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc#private-service-connect-prereqs[Prerequisites for Private Service Connect].
|
||||
====
|
||||
|
||||
include::modules/create-wif-configuration.adoc[leveloffset=+1]
|
||||
include::modules/create-wif-cluster-ocm.adoc[leveloffset=+1]
|
||||
|
||||
.Additional resources
|
||||
|
||||
* xref:../ocm/ocm-overview.adoc#accessing_ocm[Accessing {cluster-manager}]
|
||||
|
||||
include::modules/create-wif-cluster-cli.adoc[leveloffset=+1]
|
||||
include::modules/ocm-cli-list-wif-commands.adoc[leveloffset=+1]
|
||||
include::modules/wif-configuration-update.adoc[leveloffset=+1]
|
||||
include::modules/wif-removing-stale-deployer-permissions.adoc[leveloffset=+2]
|
||||
include::modules/wif-removing-stale-support-permissions.adoc[leveloffset=+2]
|
||||
include::modules/ocm-cli-verify-wif-commands.adoc[leveloffset=+1]
|
||||
|
||||
|
||||
[role="_additional-resources"]
|
||||
== Additional resources
|
||||
|
||||
* For information about {product-title} clusters using a Customer Cloud Subscription (CCS) model on {GCP}, see xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-requirements_gcp-ccs[Customer requirements].
|
||||
* For information about resource quotas, xref:../applications/quotas/quotas-setting-per-project.adoc[Resource quotas per project].
|
||||
* For information about limits, xref:../osd_planning/gcp-ccs.adoc#gcp-limits_gcp-ccs[{gcp-short} account limits].
|
||||
* For information about required APIs, see xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-procedure_gcp-ccs[Required customer procedure].
|
||||
* For information about managing workload identity pools, see link:https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers[Manage workload identity pools and providers].
|
||||
* For information about managing roles and permissions in your {gcp-full} account, see link:https://cloud.google.com/iam/docs/roles-overview[Roles and permissions].
|
||||
* For a list of the supported maximums, see xref:../osd_planning/osd-limits-scalability.adoc#tested-cluster-maximums-sd_osd-limits-scalability[Cluster maximums].
|
||||
* For information about configuring identity providers, see xref:../authentication/sd-configuring-identity-providers.adoc#sd-configuring-identity-providers[Configuring identity providers].
|
||||
* For information about revoking cluster privileges, see xref:../authentication/osd-revoking-cluster-privileges.adoc#osd-revoking-cluster-privileges[Revoking privileges and access to an {product-title} cluster].
|
||||
* xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-requirements_gcp-ccs[Customer requirements]
|
||||
* xref:../applications/quotas/quotas-setting-per-project.adoc#quotas-setting-per-project[Resource quotas per project]
|
||||
* xref:../osd_planning/gcp-ccs.adoc#gcp-limits_gcp-ccs[{gcp-short} account limits]
|
||||
* xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-procedure_gcp-ccs[Required customer procedure]
|
||||
* link:https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers[Manage workload identity pools and providers]
|
||||
* link:https://cloud.google.com/iam/docs/roles-overview[Roles and permissions]
|
||||
* xref:../osd_planning/osd-limits-scalability.adoc#tested-cluster-maximums-sd_osd-limits-scalability[Cluster maximums]
|
||||
* xref:../authentication/sd-configuring-identity-providers.adoc#sd-configuring-identity-providers[Configuring identity providers]
|
||||
* xref:../authentication/osd-revoking-cluster-privileges.adoc#osd-revoking-cluster-privileges[Revoking privileges and access to an {product-title} cluster]
|
||||
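Review bot: the two xrefs in the Prerequisites paragraph point at `../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc`, but this assembly's `:context:` and the module comments name the file `osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc`, and the other path the comments list is `osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc`; verify the target exists or use an in-document `xref:#create-wif-cluster-ocm_{context}[...]`. The bullet "You have created a Workload Identity Federation configuration. For more information, see _Creating a Workforce Identity Federation configuration_." mixes Workload and Workforce and does not match the included module's title. "The `ocm` is a Developer Preview feature only." reads oddly; "The `ocm` CLI is" fixes it. The `.Additional resources` block with the single "Accessing {cluster-manager}" link sitting between two `include::` lines could be folded into the `== Additional resources` section at the end.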