mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

Updates Azure ID to Microsoft Entra Workload ID

This commit is contained in:
Steven Smith
2024-09-13 11:13:55 -04:00
parent c1a5098630
commit ca68798a4e


@@ -1011,15 +1011,15 @@ BMER was deprecated in {product-title} version 4.15 and 4.16. With this release,
[id="ocp-4-17-image-registry-bug-fixes_{context}"]
==== Image Registry
* In {product-title} 4.14, installing a cluster with Azure AD Workload Identity was made generally available. With that feature, administrators can configure a Microsoft Azure cluster to use Azure AD Workload Identity. With Azure AD Workload Identity, cluster components use temporary security credentials that are managed outside of the cluster.
* In {product-title} 4.14, installing a cluster with {entra-first} was made generally available. With this feature, administrators can configure a Microsoft Azure cluster to use {entra-short}. With {entra-short}, cluster components use temporary security credentials that are managed outside of the cluster.
+
Previously, when {product-title} was deployed on Azure clusters with Azure AD Workload Identity, storage accounts created for the cluster and the image registry had *Storage Account Key Access* enabled by default, which could pose security risks to the deployment.
Previously, when {product-title} was deployed on Azure clusters with {entra-short}, storage accounts created for the cluster and the image registry had *Storage Account Key Access* enabled by default, which could pose security risks to the deployment.
+
With this update, shared access keys are disabled by default on new installations that use Azure AD Workload Identity, enhancing security by preventing the use of shared access keys.
With this update, shared access keys are disabled by default on new installations that use {entra-short}, enhancing security by preventing the use of shared access keys.
+
[IMPORTANT]
====
Shared access keys should only be disabled if the cluster is configured to use Azure AD Workload Identity. Disabling shared access keys on a cluster not configured with Azure AD Workload Identity can cause the Image Registry Operator to become degraded.
Shared access keys should only be disabled if the cluster is configured to use {entra-short}. Disabling shared access keys on a cluster not configured with {entra-first} can cause the Image Registry Operator to become degraded.
====
+
For existing storage accounts created before this update, shared access keys are not automatically disabled. Administrators must manually disable shared access key support on these storage accounts to prevent the use of shared keys. For more information about disabling shared access keys, see link:https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal[Prevent Shared Key authorization for an Azure Storage account].
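Review bot: The replacement IMPORTANT admonition mixes attributes: its first sentence uses `{entra-short}` but its second sentence switches to `{entra-first}`, whereas the original used "Azure AD Workload Identity" in both and the bullet above already introduces the full name via `{entra-first}` before switching to `{entra-short}`. Since `{entra-first}` is the first-mention form, the second sentence should read "Disabling shared access keys on a cluster not configured with {entra-short} can cause the Image Registry Operator to become degraded." so the admonition reads consistently with the preceding paragraphs. The rest of the substitutions (the bullet, the "Previously" and "With this update" paragraphs) look correct and keep the original meaning.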