mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
67 lines
5.2 KiB
Plaintext
67 lines
5.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
|
|
[id="wif-configuration-update_{context}"]
|
|
= Updating a Workload Identity Federation configuration
|
|
|
|
[role="_abstract"]
|
|
You can update an existing Workload Identity Federation (WIF) configuration to support newer {product-title} y-stream versions and to align with the latest security best practices.
|
|
|
|
[NOTE]
|
|
====
|
|
Updating a WIF configuration is only applicable for y-stream updates. For an overview of the update process, including details regarding version semantics, see link:https://www.redhat.com/en/blog/the-ultimate-guide-to-openshift-release-and-upgrade-process-for-cluster-administrators#:~:text=Ongoing%20security%20patches%20and%20bug,is%20the%20dark%20green%20bar.[The Ultimate Guide to OpenShift Release and Upgrade Process for Cluster Administrators].
|
|
====
|
|
Before upgrading a WIF-enabled {product-title} cluster to a newer version, you must update the wif-config to that version as well. If you do not update the wif-config version before attempting to upgrade the cluster version, the cluster version upgrade will fail.
|
|
|
|
As part of Red{nbsp}Hat's ongoing commitment to the principle of least privilege, certain permissions previously assigned to the `osd-deployer` service account in WIF configurations have been removed. These changes help enhance the security of your clusters by ensuring that service accounts have only the permissions they need to perform their functions.
|
|
|
|
For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
|
|
|
|
To align your existing WIF configurations with these updated permissions, you can run the `ocm gcp update wif-config` command. This command updates the WIF configuration to include the latest permissions and roles required for optimal operation.
|
|
|
|
When you update a wif-config or create a new one, ensure your {cluster-manager} CLI (`ocm`) is up to date. Not updating to the latest version of the `ocm` can result in error messages and service disruptions.
|
|
|
|
**Example output**
|
|
[source,text]
|
|
----
|
|
Error: failed to create wif-config: failed to create wif-config: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400', at '2025-10-06T15:18:37Z' and operation identifier is 'f9551d63-a58a-4e3c-b847-5f99ba1b0b74': Client version is out of date for WIF operations. Please update from vOCM-CLI/1.0.7 to v1.0.8 and try again.
|
|
----
|
|
|
|
You can also update an existing {product-title} cluster that is already using WIF by adding a dedicated project to manage workload identity pools and providers using the `--federated-project` flag. This best-practice model separates the workload identity pools and providers into a dedicated, centralized {GCP} project.
|
|
|
|
When you update the configuration using the `--federated-project` flag, any associated workload identity pools move to the new federated project you specify, while the existing IAM service accounts and custom roles remain in the original cluster-associated project.
|
|
|
|
.Procedure
|
|
. To check the version of your `ocm`, run the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ ocm version
|
|
----
|
|
+
|
|
. Optional: If your `ocm` version is not the latest available, download and install the latest version from the link:https://console.redhat.com/openshift/downloads[Downloads] page on {cluster-manager}.
|
|
+
|
|
. Update a wif-config to a specific {product-title} version by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
ocm gcp update wif-config <wif_name> \ <1>
|
|
--version <version> <2>
|
|
--federated-project <gcp_project_id> <3>
|
|
----
|
|
<1> Replace `<wif_name>` with the name of the WIF configuration you want to update.
|
|
<2> Optional: Replace `<version>` with the {product-title} y-stream version you plan to update the cluster to. If you do not specify a version, the wif-config will be updated to support the latest {product-title} y-stream version as well as the last three {product-title} supported y-stream versions (beginning with version 4.17).
|
|
<3> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will remain in the project associated with the cluster.
|
|
|
|
.Next steps
|
|
|
|
The stale set of permissions previously assigned to the `osd-deployer` service account will remain on the account after updating the wif-config. You need to manually access the roles and remove these stale permissions from them.
|
|
|
|
Follow the instructions in the "Removing stale deployer permissions from service accounts managed by a WIF configuration" and "Removing stale support permissions from service accounts managed by a WIF configuration" guides to remove these stale permissions.
|
|
|
|
In addition, if you used the `--federated-project` flag to move the workload identity pool to a new dedicated project, you can manually remove the stale workload identity pool from the original cluster-associated project.
|
|
For more information, see link:https://docs.cloud.google.com/iam/docs/manage-workload-identity-pools-providers#delete-pool[Delete a pool] in the {GCP} documentation.
|