// Module included in the following assemblies:
|
|
//
|
|
// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="hcp-managed-aws-iam_{context}"]
|
|
= Identity and Access Management (IAM) permissions
|
|
|
|
In the context of {hcp}, the consumer is responsible for creating the Amazon Resource Name (ARN) roles. The _consumer_ is an automated process that generates the permissions files. The consumer might be the CLI or {cluster-manager}. {hcp-capital} can enable granularity to honor the principle of least privilege for its components, which means that every component uses its own role to operate on or create {aws-first} objects, and each role is limited to what that component requires for the product to function normally.
|
|
|
|
The hosted cluster receives the ARN roles as input, and the consumer creates an {aws-short} permission configuration for each component. As a result, each component can authenticate through STS and the preconfigured OIDC identity provider (IDP).
|
|
|
|
The following roles are consumed by some of the {hcp} components that run on the control plane and operate on the data plane:
|
|
|
|
* `controlPlaneOperatorARN`
|
|
* `imageRegistryARN`
|
|
* `ingressARN`
|
|
* `kubeCloudControllerARN`
|
|
* `nodePoolManagementARN`
|
|
* `storageARN`
|
|
* `networkARN`
|
|
|
|
The following example shows a reference to the IAM roles from the hosted cluster:
|
|
|
|
[source,yaml]
|
|
----
|
|
...
|
|
endpointAccess: Public
|
|
region: us-east-2
|
|
resourceTags:
|
|
- key: kubernetes.io/cluster/example-cluster-bz4j5
|
|
value: owned
|
|
rolesRef:
|
|
controlPlaneOperatorARN: arn:aws:iam::820196288204:role/example-cluster-bz4j5-control-plane-operator
|
|
imageRegistryARN: arn:aws:iam::820196288204:role/example-cluster-bz4j5-openshift-image-registry
|
|
ingressARN: arn:aws:iam::820196288204:role/example-cluster-bz4j5-openshift-ingress
|
|
kubeCloudControllerARN: arn:aws:iam::820196288204:role/example-cluster-bz4j5-cloud-controller
|
|
networkARN: arn:aws:iam::820196288204:role/example-cluster-bz4j5-cloud-network-config-controller
|
|
nodePoolManagementARN: arn:aws:iam::820196288204:role/example-cluster-bz4j5-node-pool
|
|
storageARN: arn:aws:iam::820196288204:role/example-cluster-bz4j5-aws-ebs-csi-driver-controller
|
|
type: AWS
|
|
...
|
|
----
|
|
|
|
The roles that {hcp} uses are shown in the following examples:
|
|
|
|
* `ingressARN`
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"elasticloadbalancing:DescribeLoadBalancers",
|
|
"tag:GetResources",
|
|
"route53:ListHostedZones"
|
|
],
|
|
"Resource": "\*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"route53:ChangeResourceRecordSets"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:route53:::PUBLIC_ZONE_ID",
|
|
"arn:aws:route53:::PRIVATE_ZONE_ID"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
----
|
|
* `imageRegistryARN`
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:CreateBucket",
|
|
"s3:DeleteBucket",
|
|
"s3:PutBucketTagging",
|
|
"s3:GetBucketTagging",
|
|
"s3:PutBucketPublicAccessBlock",
|
|
"s3:GetBucketPublicAccessBlock",
|
|
"s3:PutEncryptionConfiguration",
|
|
"s3:GetEncryptionConfiguration",
|
|
"s3:PutLifecycleConfiguration",
|
|
"s3:GetLifecycleConfiguration",
|
|
"s3:GetBucketLocation",
|
|
"s3:ListBucket",
|
|
"s3:GetObject",
|
|
"s3:PutObject",
|
|
"s3:DeleteObject",
|
|
"s3:ListBucketMultipartUploads",
|
|
"s3:AbortMultipartUpload",
|
|
"s3:ListMultipartUploadParts"
|
|
],
|
|
"Resource": "\*"
|
|
}
|
|
]
|
|
}
|
|
----
|
|
* `storageARN`
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:AttachVolume",
|
|
"ec2:CreateSnapshot",
|
|
"ec2:CreateTags",
|
|
"ec2:CreateVolume",
|
|
"ec2:DeleteSnapshot",
|
|
"ec2:DeleteTags",
|
|
"ec2:DeleteVolume",
|
|
"ec2:DescribeInstances",
|
|
"ec2:DescribeSnapshots",
|
|
"ec2:DescribeTags",
|
|
"ec2:DescribeVolumes",
|
|
"ec2:DescribeVolumesModifications",
|
|
"ec2:DetachVolume",
|
|
"ec2:ModifyVolume"
|
|
],
|
|
"Resource": "\*"
|
|
}
|
|
]
|
|
}
|
|
----
|
|
* `networkARN`
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:DescribeInstances",
|
|
"ec2:DescribeInstanceStatus",
|
|
"ec2:DescribeInstanceTypes",
|
|
"ec2:UnassignPrivateIpAddresses",
|
|
"ec2:AssignPrivateIpAddresses",
|
|
"ec2:UnassignIpv6Addresses",
|
|
"ec2:AssignIpv6Addresses",
|
|
"ec2:DescribeSubnets",
|
|
"ec2:DescribeNetworkInterfaces"
|
|
],
|
|
"Resource": "\*"
|
|
}
|
|
]
|
|
}
|
|
----
|
|
* `kubeCloudControllerARN`
|
|
+
|
|
[source,json]
----
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": [
|
|
"ec2:DescribeInstances",
|
|
"ec2:DescribeImages",
|
|
"ec2:DescribeRegions",
|
|
"ec2:DescribeRouteTables",
|
|
"ec2:DescribeSecurityGroups",
|
|
"ec2:DescribeSubnets",
|
|
"ec2:DescribeVolumes",
|
|
"ec2:CreateSecurityGroup",
|
|
"ec2:CreateTags",
|
|
"ec2:CreateVolume",
|
|
"ec2:ModifyInstanceAttribute",
|
|
"ec2:ModifyVolume",
|
|
"ec2:AttachVolume",
|
|
"ec2:AuthorizeSecurityGroupIngress",
|
|
"ec2:CreateRoute",
|
|
"ec2:DeleteRoute",
|
|
"ec2:DeleteSecurityGroup",
|
|
"ec2:DeleteVolume",
|
|
"ec2:DetachVolume",
|
|
"ec2:RevokeSecurityGroupIngress",
|
|
"ec2:DescribeVpcs",
|
|
"elasticloadbalancing:AddTags",
|
|
"elasticloadbalancing:AttachLoadBalancerToSubnets",
|
|
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
|
|
"elasticloadbalancing:CreateLoadBalancer",
|
|
"elasticloadbalancing:CreateLoadBalancerPolicy",
|
|
"elasticloadbalancing:CreateLoadBalancerListeners",
|
|
"elasticloadbalancing:ConfigureHealthCheck",
|
|
"elasticloadbalancing:DeleteLoadBalancer",
|
|
"elasticloadbalancing:DeleteLoadBalancerListeners",
|
|
"elasticloadbalancing:DescribeLoadBalancers",
|
|
"elasticloadbalancing:DescribeLoadBalancerAttributes",
|
|
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
|
|
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
|
|
"elasticloadbalancing:ModifyLoadBalancerAttributes",
|
|
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
|
|
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
|
|
"elasticloadbalancing:AddTags",
|
|
"elasticloadbalancing:CreateListener",
|
|
"elasticloadbalancing:CreateTargetGroup",
|
|
"elasticloadbalancing:DeleteListener",
|
|
"elasticloadbalancing:DeleteTargetGroup",
|
|
"elasticloadbalancing:DescribeListeners",
|
|
"elasticloadbalancing:DescribeLoadBalancerPolicies",
|
|
"elasticloadbalancing:DescribeTargetGroups",
|
|
"elasticloadbalancing:DescribeTargetHealth",
|
|
"elasticloadbalancing:ModifyListener",
|
|
"elasticloadbalancing:ModifyTargetGroup",
|
|
"elasticloadbalancing:RegisterTargets",
|
|
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
|
|
"iam:CreateServiceLinkedRole",
|
|
"kms:DescribeKey"
|
|
],
|
|
"Resource": [
|
|
"\*"
|
|
],
|
|
"Effect": "Allow"
|
|
}
|
|
]
|
|
}
|
|
----
|
|
* `nodePoolManagementARN`
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": [
|
|
"ec2:AllocateAddress",
|
|
"ec2:AssociateRouteTable",
|
|
"ec2:AttachInternetGateway",
|
|
"ec2:AuthorizeSecurityGroupIngress",
|
|
"ec2:CreateInternetGateway",
|
|
"ec2:CreateNatGateway",
|
|
"ec2:CreateRoute",
|
|
"ec2:CreateRouteTable",
|
|
"ec2:CreateSecurityGroup",
|
|
"ec2:CreateSubnet",
|
|
"ec2:CreateTags",
|
|
"ec2:DeleteInternetGateway",
|
|
"ec2:DeleteNatGateway",
|
|
"ec2:DeleteRouteTable",
|
|
"ec2:DeleteSecurityGroup",
|
|
"ec2:DeleteSubnet",
|
|
"ec2:DeleteTags",
|
|
"ec2:DescribeAccountAttributes",
|
|
"ec2:DescribeAddresses",
|
|
"ec2:DescribeAvailabilityZones",
|
|
"ec2:DescribeImages",
|
|
"ec2:DescribeInstances",
|
|
"ec2:DescribeInternetGateways",
|
|
"ec2:DescribeNatGateways",
|
|
"ec2:DescribeNetworkInterfaces",
|
|
"ec2:DescribeNetworkInterfaceAttribute",
|
|
"ec2:DescribeRouteTables",
|
|
"ec2:DescribeSecurityGroups",
|
|
"ec2:DescribeSubnets",
|
|
"ec2:DescribeVpcs",
|
|
"ec2:DescribeVpcAttribute",
|
|
"ec2:DescribeVolumes",
|
|
"ec2:DetachInternetGateway",
|
|
"ec2:DisassociateRouteTable",
|
|
"ec2:DisassociateAddress",
|
|
"ec2:ModifyInstanceAttribute",
|
|
"ec2:ModifyNetworkInterfaceAttribute",
|
|
"ec2:ModifySubnetAttribute",
|
|
"ec2:ReleaseAddress",
|
|
"ec2:RevokeSecurityGroupIngress",
|
|
"ec2:RunInstances",
|
|
"ec2:TerminateInstances",
|
|
"tag:GetResources",
|
|
"ec2:CreateLaunchTemplate",
|
|
"ec2:CreateLaunchTemplateVersion",
|
|
"ec2:DescribeLaunchTemplates",
|
|
"ec2:DescribeLaunchTemplateVersions",
|
|
"ec2:DeleteLaunchTemplate",
|
|
"ec2:DeleteLaunchTemplateVersions"
|
|
],
|
|
"Resource": [
|
|
"\*"
|
|
],
|
|
"Effect": "Allow"
|
|
},
|
|
{
|
|
"Condition": {
|
|
"StringLike": {
|
|
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
|
|
}
|
|
},
|
|
"Action": [
|
|
"iam:CreateServiceLinkedRole"
|
|
],
|
|
"Resource": [
|
|
"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
|
|
],
|
|
"Effect": "Allow"
|
|
},
|
|
{
|
|
"Action": [
|
|
"iam:PassRole"
|
|
],
|
|
"Resource": [
|
|
"arn:*:iam::*:role/*-worker-role"
|
|
],
|
|
"Effect": "Allow"
|
|
}
|
|
]
|
|
}
|
|
----
|
|
* `controlPlaneOperatorARN`
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:CreateVpcEndpoint",
|
|
"ec2:DescribeVpcEndpoints",
|
|
"ec2:ModifyVpcEndpoint",
|
|
"ec2:DeleteVpcEndpoints",
|
|
"ec2:CreateTags",
|
|
"route53:ListHostedZones"
|
|
],
|
|
"Resource": "\*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"route53:ChangeResourceRecordSets",
|
|
"route53:ListResourceRecordSets"
|
|
],
|
|
"Resource": "arn:aws:route53:::%s"
|
|
}
|
|
]
|
|
}
|
|
----
|