[enterprise-3.9] Bug#1452816 - fixes - Added required roles and permissions for all cloud providers #7977
Merged
52 changes: 50 additions & 2 deletions install_config/configuring_aws.adoc
Expand Up @@ -18,6 +18,54 @@ volumes as persistent storage] for application data. After AWS is configured
properly, some additional configurations will need to be completed on the
{product-title} hosts.

[[configuring-aws-permissions]]
== Permissions
Configuring AWS for {product-title} requires the following permissions:

.Master Permissions
[cols='1,2']
|===

| Elastic Compute Cloud(EC2)
|`ec2:DescribeVolume`, `ec2:CreateVolume`, `ec2:CreateTags`,
`ec2:DescribeInstance`, `ec2:AttachVolume`, `ec2:DetachVolume`,
`ec2:DeleteVolume`, `ec2:DescribeSubnets`, `ec2:CreateSecurityGroup`,
`ec2:DescribeSecurityGroups`, `ec2:DescribeRouteTables`,
`ec2:AuthorizeSecurityGroupIngress`

| Elastic Load Balancing
| `elasticloadbalancing:DescribeTags`,
`elasticloadbalancing:CreateLoadBalancerListeners`,
`elasticloadbalancing:ConfigureHealthCheck`,
`elasticloadbalancing:DeleteLoadBalancerListeners`,
`elasticloadbalancing:RegisterInstancesWithLoadBalancer`,
`elasticloadbalancing:DescribeLoadBalancers`,
`elasticloadbalancing:CreateLoadBalancer`,
`elasticloadbalancing:DeleteLoadBalancer`,
`elasticloadbalancing:ModifyLoadBalancerAttributes`,
`elasticloadbalancing:DescribeLoadBalancerAttributes`

|===

.Node Permissions
[cols='1,2']
|===

| Elastic Compute Cloud(EC2)
| `ec2:DescribeInstance*`

|===

[IMPORTANT]
====
* Every master, node, and subnet must have the `KubernetesCluster: value` tag.
* One security group, preferably the one linked to the nodes, must have the
`KubernetesCluster: value` tag.
** Do not tag all security groups with the `KubernetesCluster: value` tag or the
Elastic Load Balancing (ELB) will not be able to create a load balancer.

====

[[configuring-aws-variables]]
== Configuring AWS Variables

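Review bot: two of the EC2 actions in the Master Permissions table are not valid IAM action names: `ec2:DescribeVolume` and `ec2:DescribeInstance` should be `ec2:DescribeVolumes` and `ec2:DescribeInstances` (the EC2 API actions are plural), and a policy copied from this table as written grants nothing for those two entries. In the Node Permissions table, say what `ec2:DescribeInstance*` is meant to cover, since the wildcard also matches `ec2:DescribeInstanceAttribute` and `ec2:DescribeInstanceStatus`, or list the specific actions the way the master table does. Minor: `Elastic Compute Cloud(EC2)` needs a space before the parenthesis in both tables, and in the IMPORTANT block "the Elastic Load Balancing (ELB) will not be able to create a load balancer" reads better as "the cloud provider will not be able to create an ELB load balancer".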
Expand Down Expand Up @@ -152,12 +200,12 @@ container. Therefore, *_aws.conf_* should be in *_/etc/origin/_* instead of

Make sure the following environment variables are set in the
ifdef::openshift-enterprise[]
*_/etc/sysconfig/atomic-openshift-master-api_* file and
*_/etc/sysconfig/atomic-openshift-master-api_* file and
*_/etc/sysconfig/atomic-openshift-master-containers_* file on masters and the
*_/etc/sysconfig/atomic-openshift-node_* file on nodes:
endif::[]
ifdef::openshift-origin[]
*_/etc/sysconfig/origin-master-api_* file and
*_/etc/sysconfig/origin-master-api_* file and
*_/etc/sysconfig/origin-master-containers_* file on masters and the
*_/etc/sysconfig/origin-node_* file on nodes:
endif::[]
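Review bot: the two changed lines in this hunk render identically before and after (`*_/etc/sysconfig/atomic-openshift-master-api_* file and` and `*_/etc/sysconfig/origin-master-api_* file and`), so the change is not visible in the rendered diff and looks like a whitespace-only edit; if that is the intent, say so in the commit message or drop it from a PR scoped to roles and permissions, and if something else changed, please state what.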
12 changes: 12 additions & 0 deletions install_config/configuring_azure.adoc
Expand Up @@ -19,6 +19,18 @@ Azure disk as persistent storage] for application data. After Azure is
configured properly, some additional configurations need to be completed on the
{product-title} hosts.

[[configuring-azure-permissions]]
== Permissions
Configuring Azure for {product-title} requires the following role:

[cols='1,3']
|===

| Contributor
| To create and manage all types of Azure resources.

|===

[[azure-configuration-file]]
== The Azure Configuration File

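Review bot: the Azure table names the Contributor role but not the scope at which it is assigned; Contributor at subscription scope allows managing every resource in the subscription, which is far more than {product-title} needs, so state whether it is expected on the cluster's resource group or on the subscription. The description "To create and manage all types of Azure resources." is also broader than what the cloud provider integration does; consider naming what it actually has to create (the context above mentions Azure disks for persistent storage) so readers can scope the role assignment accordingly.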
13 changes: 13 additions & 0 deletions install_config/configuring_gce.adoc
Expand Up @@ -18,6 +18,19 @@ volumes as persistent storage] for application data. After GCE is configured
properly, some additional configurations will need to be completed on the
{product-title} hosts.

[[configuring-gcp-permissions]]
== Permissions
Configuring Google Cloud Platform (GCP) for {product-title} requires the following role:

[cols='1,3']
|===

| roles/owner
| To create service accounts, cloud storage, instances, images, templates, Cloud
DNS entries, and deploy load balancers and health checks. It is helpful to also
have `delete` permissions to be able to redeploy the environment while testing.

|===

[[gce-configuring-masters]]
== Configuring Masters
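Review bot: the anchor `[[configuring-gcp-permissions]]` breaks the naming used in the rest of this file, where the next section is `[[gce-configuring-masters]]` and the file is *configuring_gce.adoc*; use `configuring-gce-permissions` for consistency. In the table text, "It is helpful to also have `delete` permissions" is redundant with `roles/owner`, which already includes delete on everything in the project; either drop that sentence or turn it into advice about a narrower role for non-test deployments, where Owner should not be the recommendation. Also state the scope explicitly, i.e. `roles/owner` on the project.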
13 changes: 13 additions & 0 deletions install_config/configuring_openstack.adoc
Expand Up @@ -15,6 +15,19 @@ When deployed on link:https://www.openstack.org/[OpenStack], {product-title} can
be configured to access OpenStack infrastructure, including
xref:../install_config/persistent_storage/persistent_storage_cinder.adoc#install-config-persistent-storage-persistent-storage-cinder[using OpenStack Cinder volumes as persistent storage] for application data.

[[configuring-openstack-permissions]]
== Permissions
Configuring OpenStack for {product-title} requires the following role:

[cols='1,3']
|===

| member
| For creating assets(instances, networking ports, floating ips, volumes, and so
on.) you need the member role for the tenant.

|===

[[configuring-openstack-variables]]
== Configuring OpenStack Variables
To set the required OpenStack variables, create a *_/etc/cloud.conf_* file with
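Review bot: the OpenStack role description has formatting slips and does not match the register of the other providers' tables: "assets(instances" needs a space before the parenthesis, "and so on.)" should be "and so on)", "floating ips" should be "floating IPs", and "you need the member role for the tenant" should use the third-person style of the other tables, e.g. "To create assets (instances, networking ports, floating IPs, volumes, and so on) in the tenant." Also confirm the role name as spelled: Keystone deployments have shipped the default role as `_member_` as well as `member`, so say which one the installer expects, or note that the name depends on the Keystone configuration.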