From ca68798a4e2945e89c24c2628d2a2e75f7106ad5 Mon Sep 17 00:00:00 2001 From: Steven Smith Date: Fri, 13 Sep 2024 11:13:55 -0400 Subject: [PATCH] Updates Azure ID to Microsoft Entra Workload ID --- release_notes/ocp-4-17-release-notes.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/release_notes/ocp-4-17-release-notes.adoc b/release_notes/ocp-4-17-release-notes.adoc index 4ae84896af..c04360277c 100644 --- a/release_notes/ocp-4-17-release-notes.adoc +++ b/release_notes/ocp-4-17-release-notes.adoc 
@@ -1011,15 +1011,15 @@ BMER was deprecated in {product-title} version 4.15 and 4.16. With this release, [id="ocp-4-17-image-registry-bug-fixes_{context}"] ==== Image Registry -* In {product-title} 4.14, installing a cluster with Azure AD Workload Identity was made generally available. With that feature, administrators can configure a Microsoft Azure cluster to use Azure AD Workload Identity. With Azure AD Workload Identity, cluster components use temporary security credentials that are managed outside of the cluster. +* In {product-title} 4.14, installing a cluster with {entra-first} was made generally available. With this feature, administrators can configure a Microsoft Azure cluster to use {entra-short}. With {entra-short}, cluster components use temporary security credentials that are managed outside of the cluster. + -Previously, when {product-title} was deployed on Azure clusters with Azure AD Workload Identity, storage accounts created for the cluster and the image registry had *Storage Account Key Access* enabled by default, which could pose security risks to the deployment. +Previously, when {product-title} was deployed on Azure clusters with {entra-short}, storage accounts created for the cluster and the image registry had *Storage Account Key Access* enabled by default, which could pose security risks to the deployment. + -With this update, shared access keys are disabled by default on new installations that use Azure AD Workload Identity, enhancing security by preventing the use of shared access keys. +With this update, shared access keys are disabled by default on new installations that use {entra-short}, enhancing security by preventing the use of shared access keys. + [IMPORTANT] ==== -Shared access keys should only be disabled if the cluster is configured to use Azure AD Workload Identity. Disabling shared access keys on a cluster not configured with Azure AD Workload Identity can cause the Image Registry Operator to become degraded. 
+Shared access keys should only be disabled if the cluster is configured to use {entra-short}. Disabling shared access keys on a cluster not configured with {entra-first} can cause the Image Registry Operator to become degraded. ==== + For existing storage accounts created before this update, shared access keys are not automatically disabled. Administrators must manually disable shared access key support on these storage accounts to prevent the use of shared keys. For more information about disabling shared access keys, see link:https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal[Prevent Shared Key authorization for an Azure Storage account].
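Review bot: the `[IMPORTANT]` admonition switches between the two attributes within the same hunk: the first sentence reads "configured to use {entra-short}" while the next reads "not configured with {entra-first}". The full name is already introduced at the top of the bullet with `{entra-first}`, and every other occurrence in the hunk uses `{entra-short}`, so the second sentence of the admonition should use `{entra-short}` as well for consistency. Since this patch only references `{entra-first}` and `{entra-short}` and does not define them, please also confirm both attributes are defined in the repository's shared attributes file; an undefined attribute would render literally as `{entra-short}` in the published release notes.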