openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/cco-short-term-creds-component-permissions-azure.adoc
Jeana Routh 0294656752 Adds attribute for Cluster CAPI Operator
2024-06-26 18:11:23 +00:00

136 lines
5.5 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc
:_mod-docs-content-type: REFERENCE
[id="cco-short-term-creds-component-permissions-azure_{context}"]
= Azure component secret permissions requirements
{product-title} components require the following permissions. These values are in the `CredentialsRequest` custom resource (CR) for each component.
[cols="a,a,a"]
|====
|Component |Custom resource |Required permissions for services
|Cloud Controller Manager Operator
|`openshift-azure-cloud-controller-manager`
|* `Microsoft.Compute/virtualMachines/read`
* `Microsoft.Network/loadBalancers/read`
* `Microsoft.Network/loadBalancers/write`
* `Microsoft.Network/networkInterfaces/read`
* `Microsoft.Network/networkSecurityGroups/read`
* `Microsoft.Network/networkSecurityGroups/write`
* `Microsoft.Network/publicIPAddresses/join/action`
* `Microsoft.Network/publicIPAddresses/read`
* `Microsoft.Network/publicIPAddresses/write`
|{cluster-capi-operator}
|`openshift-cluster-api-azure`
|role: `Contributor` ^[1]^
|Machine API Operator
|`openshift-machine-api-azure`
|* `Microsoft.Compute/availabilitySets/delete`
* `Microsoft.Compute/availabilitySets/read`
* `Microsoft.Compute/availabilitySets/write`
* `Microsoft.Compute/diskEncryptionSets/read`
* `Microsoft.Compute/disks/delete`
* `Microsoft.Compute/galleries/images/versions/read`
* `Microsoft.Compute/skus/read`
* `Microsoft.Compute/virtualMachines/delete`
* `Microsoft.Compute/virtualMachines/extensions/delete`
* `Microsoft.Compute/virtualMachines/extensions/read`
* `Microsoft.Compute/virtualMachines/extensions/write`
* `Microsoft.Compute/virtualMachines/read`
* `Microsoft.Compute/virtualMachines/write`
* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
* `Microsoft.Network/applicationSecurityGroups/read`
* `Microsoft.Network/loadBalancers/backendAddressPools/join/action`
* `Microsoft.Network/loadBalancers/read`
* `Microsoft.Network/loadBalancers/write`
* `Microsoft.Network/networkInterfaces/delete`
* `Microsoft.Network/networkInterfaces/join/action`
* `Microsoft.Network/networkInterfaces/loadBalancers/read`
* `Microsoft.Network/networkInterfaces/read`
* `Microsoft.Network/networkInterfaces/write`
* `Microsoft.Network/networkSecurityGroups/read`
* `Microsoft.Network/networkSecurityGroups/write`
* `Microsoft.Network/publicIPAddresses/delete`
* `Microsoft.Network/publicIPAddresses/join/action`
* `Microsoft.Network/publicIPAddresses/read`
* `Microsoft.Network/publicIPAddresses/write`
* `Microsoft.Network/routeTables/read`
* `Microsoft.Network/virtualNetworks/delete`
* `Microsoft.Network/virtualNetworks/read`
* `Microsoft.Network/virtualNetworks/subnets/join/action`
* `Microsoft.Network/virtualNetworks/subnets/read`
* `Microsoft.Resources/subscriptions/resourceGroups/read`
|Cluster Image Registry Operator
|`openshift-image-registry-azure`
|**Data permissions**
* `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
* `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
* `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
* `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action`
* `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action`
**General permissions**
* `Microsoft.Storage/storageAccounts/blobServices/read`
* `Microsoft.Storage/storageAccounts/blobServices/containers/read`
* `Microsoft.Storage/storageAccounts/blobServices/containers/write`
* `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action`
* `Microsoft.Storage/storageAccounts/read`
* `Microsoft.Storage/storageAccounts/write`
* `Microsoft.Storage/storageAccounts/delete`
* `Microsoft.Storage/storageAccounts/listKeys/action`
* `Microsoft.Resources/tags/write`
|Ingress Operator
|`openshift-ingress-azure`
|* `Microsoft.Network/dnsZones/A/delete`
* `Microsoft.Network/dnsZones/A/write`
* `Microsoft.Network/privateDnsZones/A/delete`
* `Microsoft.Network/privateDnsZones/A/write`
|Cluster Network Operator
|`openshift-cloud-network-config-controller-azure`
|* `Microsoft.Network/networkInterfaces/read`
* `Microsoft.Network/networkInterfaces/write`
* `Microsoft.Compute/virtualMachines/read`
* `Microsoft.Network/virtualNetworks/read`
* `Microsoft.Network/virtualNetworks/subnets/join/action`
* `Microsoft.Network/loadBalancers/backendAddressPools/join/action`
|Azure File CSI Driver Operator
|`azure-file-csi-driver-operator`
|* `Microsoft.Network/networkSecurityGroups/join/action`
* `Microsoft.Network/virtualNetworks/subnets/read`
* `Microsoft.Network/virtualNetworks/subnets/write`
* `Microsoft.Storage/storageAccounts/delete`
* `Microsoft.Storage/storageAccounts/fileServices/read`
* `Microsoft.Storage/storageAccounts/fileServices/shares/delete`
* `Microsoft.Storage/storageAccounts/fileServices/shares/read`
* `Microsoft.Storage/storageAccounts/fileServices/shares/write`
* `Microsoft.Storage/storageAccounts/listKeys/action`
* `Microsoft.Storage/storageAccounts/read`
* `Microsoft.Storage/storageAccounts/write`
|Azure Disk CSI Driver Operator
|`azure-disk-csi-driver-operator`
|* `Microsoft.Compute/disks/*`
* `Microsoft.Compute/snapshots/*`
* `Microsoft.Compute/virtualMachineScaleSets/*/read`
* `Microsoft.Compute/virtualMachineScaleSets/read`
* `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write`
* `Microsoft.Compute/virtualMachines/*/read`
* `Microsoft.Compute/virtualMachines/write`
* `Microsoft.Resources/subscriptions/resourceGroups/read`
|====
[.small]
--
1. This component requires a role rather than a set of permissions.
--
View Git Blame Copy Permalink