This is a clone of https://issues.redhat.com/browse/CORS-1653.

1. Proposed title of this feature request
Permit using existing IAM roles for bootstrap, worker and control plane nodes in the installer. Implementation should support AWS, Azure, and GCP.

2. What is the nature and description of the request?
Enhance the installer to allow the customer to pre-create the IAM roles used by the bootstrap, worker and control plane nodes and supply those roles to the installer in IPI mode.

3. Why does the customer need this? (List the business requirements here)
It is currently impossible to perform an IPI mode installation of OCP in the public cloud with additional restrictions. For instance, some customers require that all roles match a specific naming scheme and/or include a predefined permissions boundary in the role creation process.

4. List any affected packages or components.
Installer
[QA Summary]

[Version]
~~~
$ ./openshift-install version
./openshift-install 4.7.0-0.nightly-2021-05-01-081439
built from commit 3d157f47000c2a9963527ad1dc8c69b77053a4a6
release image registry.ci.openshift.org/ocp/release@sha256:eddc92aceef5e655e74015248e7d5f4b76fafe18bfc61f9e86648a77b1ca922d

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-05-01-081439   True        False         34m     Cluster version is 4.7.0-0.nightly-2021-05-01-081439
~~~

[Parameters]
~~~
apiVersion: v1
baseDomain: qe.devcluster.openshift.com
compute:
- hyperthreading: Enabled
  name: worker
  platform:
    aws:
      type: m5.large
      iamRole: testcluster-982-8z8kf-worker-role
  replicas: 2
controlPlane:
  hyperthreading: Enabled
  name: master
  platform:
    aws:
      type: m5.xlarge
      iamRole: testcluster-982-8z8kf-master-role
  replicas: 3
metadata:
  creationTimestamp: null
  name: pamoedo-bz1945907
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineCIDR: 10.0.0.0/16
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  aws:
    region: eu-west-3
publish: External
~~~

[Results]
To expedite the testing, and avoid issues with the policies, I've taken some pre-existing IAM roles from a previous OCP installation and reused them as the custom "iamRole" selection for the new cluster. The installation was successful, the new instances are associated with the pre-existing roles as expected, and the installer hasn't created new ones:

~~~
$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-master-profile
INSTANCEPROFILE   arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-master-profile   2021-05-04T09:34:15Z   AIPAUMQAHCJOHGXZ2GD3U   pamoedo-bz1945907-5ldhb-master-profile   /
ROLES             arn:aws:iam::301721915996:role/testcluster-982-8z8kf-master-role   2021-05-03T08:41:20Z   /   AROAUMQAHCJOAWK6FRKFX   testcluster-982-8z8kf-master-role
ASSUMEROLEPOLICYDOCUMENT   2012-10-17
STATEMENT   sts:AssumeRole   Allow
PRINCIPAL   ec2.amazonaws.com

$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-worker-profile
INSTANCEPROFILE   arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-worker-profile   2021-05-04T09:34:15Z   AIPAUMQAHCJONYRDZOZQD   pamoedo-bz1945907-5ldhb-worker-profile   /
ROLES             arn:aws:iam::301721915996:role/testcluster-982-8z8kf-worker-role   2021-05-03T08:41:20Z   /   AROAUMQAHCJOGNLD23FTU   testcluster-982-8z8kf-worker-role
ASSUMEROLEPOLICYDOCUMENT   2012-10-17
STATEMENT   sts:AssumeRole   Allow
PRINCIPAL   ec2.amazonaws.com

$ aws iam list-roles | grep pamoedo
(void)
~~~

Best Regards.
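Added example, not part of the bug report, the QA output above, or the installer itself: a pre-flight check for a role that is about to be handed to the installer through platform.aws.iamRole. The feature request states the constraints a restricted account imposes (a naming scheme, a predefined permissions boundary), and the QA output shows the trust policy a node role needs (ec2.amazonaws.com allowed to sts:AssumeRole). The check below operates on the JSON that `aws iam get-role --role-name <name>` returns, so it runs offline against the constructed responses embedded here; the naming regex, the boundary policy ARN and the "my-master-role" counter-example are hypothetical, while the account id and good role name are taken from the QA output.

```python
"""Pre-flight check for IAM roles passed to the OpenShift installer via
platform.aws.iamRole. Added example, not installer code. Input is the "Role"
object returned by `aws iam get-role` (or boto3 iam.get_role()["Role"]).
"""
import json
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical organisation policy, modelled on the names in the QA output.
NAME_SCHEME = r"testcluster-[0-9]+-[a-z0-9]{5}-(master|worker)-role"
BOUNDARY_ARN = "arn:aws:iam::301721915996:policy/OcpNodeBoundary"  # hypothetical


def trust_policy_allows_only_ec2(role: dict) -> bool:
    """True if every Allow statement grants sts:AssumeRole to ec2.amazonaws.com
    and nothing else. Anything broader (wildcard actions, '*' principals, extra
    AWS account principals) lets callers other than the node's instance assume
    the role, so it fails the check."""
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):
        # The raw IAM API URL-encodes the document; the CLI and boto3 decode it,
        # but accept both forms so captured API responses can be checked too.
        doc = json.loads(unquote(doc))
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if not allows:
        return False
    for stmt in allows:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRole"]:
            return False
        principal = stmt.get("Principal")
        # Must be exactly {"Service": ...}; a "*" string or an "AWS" key fails.
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False
        services = principal["Service"]
        if isinstance(services, str):
            services = [services]
        if services != ["ec2.amazonaws.com"]:
            return False
    return True


def check_role(role: dict, name_pattern: str,
               boundary_arn: Optional[str] = None) -> List[str]:
    """Return findings for a pre-created node role; empty list means acceptable."""
    findings = []
    name = role["RoleName"]
    if not re.fullmatch(name_pattern, name):
        findings.append(f"name {name!r} does not match scheme {name_pattern!r}")
    boundary = role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
    if boundary is None:
        findings.append("no permissions boundary attached")
    elif boundary_arn is not None and boundary != boundary_arn:
        findings.append(f"permissions boundary is {boundary}, expected {boundary_arn}")
    if not trust_policy_allows_only_ec2(role):
        findings.append("trust policy must allow only ec2.amazonaws.com to sts:AssumeRole")
    return findings


# Constructed sample responses in the shape of `aws iam get-role` output.
GOOD_ROLE = {
    "RoleName": "testcluster-982-8z8kf-master-role",
    "Arn": "arn:aws:iam::301721915996:role/testcluster-982-8z8kf-master-role",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "ec2.amazonaws.com"}}],
    },
    "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                            "PermissionsBoundaryArn": BOUNDARY_ARN},
}

# Hypothetical bad role: off-scheme name, no boundary, and a trust policy that
# also lets any principal in the account assume the node role.
BAD_ROLE = {
    "RoleName": "my-master-role",
    "Arn": "arn:aws:iam::301721915996:role/my-master-role",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                       "Principal": {"Service": "ec2.amazonaws.com",
                                     "AWS": "arn:aws:iam::301721915996:root"}}],
    },
}

if __name__ == "__main__":
    for role in (GOOD_ROLE, BAD_ROLE):
        findings = check_role(role, NAME_SCHEME, BOUNDARY_ARN)
        print(role["RoleName"], "OK" if not findings else findings)
```

In practice, pipe `aws iam get-role --role-name <iamRole value> --output json` into `check_role` for each role named in install-config.yaml before running `openshift-install create cluster`; the installer attaches whatever role it is given, so this is where the boundary and trust-policy constraints get enforced.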
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1550