This is a clone of https://issues.redhat.com/browse/CORS-1653.
1. Proposed title of this feature request
Permit using existing IAM roles for bootstrap, worker and control plane nodes in installer. Implementation should support AWS, Azure, and GCP.
2. What is the nature and description of the request?
Enhance the installer to allow the customer to pre-create the IAM roles used by the bootstrap, worker and control plane nodes and supply those roles to the installer in IPI mode.
3. Why does the customer need this? (List the business requirements here)
It is currently impossible to perform an IPI mode installation of OCP in the public cloud with additional restrictions. For instance, some customers require that all roles match a specific naming scheme and/or include a predefined permissions boundary in the role creation process.
4. List any affected packages or components.
$ ./openshift-install version
built from commit 3d157f47000c2a9963527ad1dc8c69b77053a4a6
release image registry.ci.openshift.org/ocp/release@sha256:eddc92aceef5e655e74015248e7d5f4b76fafe18bfc61f9e86648a77b1ca922d
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.7.0-0.nightly-2021-05-01-081439 True False 34m Cluster version is 4.7.0-0.nightly-2021-05-01-081439
- hyperthreading: Enabled
- cidr: 10.128.0.0/14
To expedite the testing, and avoid issues with the policies, I've taken some pre-existing iam roles from a previous OCP installation and reuse them for the custom "iamRole" selection for the new cluster, the installation was successful, the new instances are associated with the pre-existing roles as expected and the installer hasn't created new ones:
$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-master-profile
INSTANCEPROFILE arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-master-profile 2021-05-04T09:34:15Z AIPAUMQAHCJOHGXZ2GD3U pamoedo-bz1945907-5ldhb-master-profile/
ROLES arn:aws:iam::301721915996:role/testcluster-982-8z8kf-master-role 2021-05-03T08:41:20Z / AROAUMQAHCJOAWK6FRKFX testcluster-982-8z8kf-master-role
STATEMENT sts:AssumeRole Allow
$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-worker-profile
INSTANCEPROFILE arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-worker-profile 2021-05-04T09:34:15Z AIPAUMQAHCJONYRDZOZQD pamoedo-bz1945907-5ldhb-worker-profile/
ROLES arn:aws:iam::301721915996:role/testcluster-982-8z8kf-worker-role 2021-05-03T08:41:20Z / AROAUMQAHCJOGNLD23FTU testcluster-982-8z8kf-worker-role
STATEMENT sts:AssumeRole Allow
$ aws iam list-roles | grep pamoedo
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.