Bug 1958376 - [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.7
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Target Release: 4.9.0
Assignee: Oleg Bulatov
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Duplicates: 2016615
Depends On: 1943175
Blocks:
 
Reported: 2021-05-07 18:43 UTC by Etienne Simard
Modified: 2022-10-12 03:53 UTC (History)
CC: 6 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:31:03 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-image-registry-operator pull 705 0 None open Bug 1958376: Disallow blob public access for Azure storage account and require TLS1.2+ 2021-08-10 14:28:05 UTC
Red Hat Bugzilla 1943175 1 medium CLOSED unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies (set azure storage account TLS ver... 2021-10-25 13:11:47 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:31:28 UTC

Description Etienne Simard 2021-05-07 18:43:27 UTC
Description of problem:

(copy of https://bugzilla.redhat.com/show_bug.cgi?id=1943175)

Version:
4.7.2, also 4.6.something

Platform:
azure

Please specify:
* IPI

What happened?
Customer reports being unable to install an IPI PRIVATE OpenShift cluster in Azure. This previously worked, but once certain policies were applied to the customer's Azure account, it stopped working.

The installer breaks on:

Error creating Azure Storage Account "clusterpjacy": 
    - {"name":"[Preview]: Storage account public access should be disallowed"
    - "policyDefinition":{"name":"Azure Storage should have the minimal TLS version of 1.2...

What did you expect to happen?
Installer completes successfully.



Actual results:

Security policies prohibit the storage account created by the image registry.


Currently, the image registry creates a Storage Account without setting these newer AccountProperties:

- AllowBlobPublicAccess
- MinimumTLSVersion 


Expected results:

No policy triggered and successful installation and operation of OpenShift when deploying on Azure.


Additional info:

Azure provides new storage account properties that are required to be set in order to pass customers' policies in Azure:

- AllowBlobPublicAccess set to false
- MinimumTLSVersion 'TLS12'

The work has been done for the Installer managed storage account in the linked Bugzilla.
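
A check for the two properties named above, written as an added example for this page (it is not code from cluster-image-registry-operator or the installer): it parses the JSON that `az storage account show` returns for the registry's storage account and reports which of the two organization policies would still reject it. The sample resources embedded in the block are constructed, and the assumption that an absent property fails the policy (rather than passing by default) is stated in the code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// storageAccount models the subset of the ARM resource returned by
// `az storage account show -n <name> -g <rg> -o json` that the two
// policies in this bug evaluate.
type storageAccount struct {
	Name       string `json:"name"`
	Properties struct {
		AllowBlobPublicAccess *bool  `json:"allowBlobPublicAccess"`
		MinimumTLSVersion     string `json:"minimumTlsVersion"`
	} `json:"properties"`
}

// CheckStoragePolicy parses one storage-account resource and returns one
// finding per policy that would reject it. Assumption: both properties
// must be explicitly present with the hardened value; an account created
// without them (the pre-fix operator behaviour) is reported as failing,
// because the policies trigger on the field being unset, not only on it
// holding a permissive value. Adjust if your tenant uses custom definitions.
func CheckStoragePolicy(raw []byte) ([]string, error) {
	var acct storageAccount
	if err := json.Unmarshal(raw, &acct); err != nil {
		return nil, fmt.Errorf("parsing storage account: %w", err)
	}
	var findings []string
	p := acct.Properties

	// Policy "Storage account public access should be disallowed":
	// allowBlobPublicAccess must be explicitly false.
	if p.AllowBlobPublicAccess == nil || *p.AllowBlobPublicAccess {
		findings = append(findings, acct.Name+": allowBlobPublicAccess must be set to false")
	}

	// Policy "Azure Storage should have the minimal TLS version of 1.2":
	// anything other than TLS1_2 (including unset) is reported.
	got := p.MinimumTLSVersion
	if got == "" {
		got = "unset"
	}
	if !strings.EqualFold(p.MinimumTLSVersion, "TLS1_2") {
		findings = append(findings, acct.Name+": minimumTlsVersion must be TLS1_2 (got "+got+")")
	}
	return findings, nil
}

// LegacyAccountJSON is a constructed sample of what the operator created
// before the fix: neither property is present, so both policies fire.
const LegacyAccountJSON = `{
  "name": "imageregistrylegacy",
  "properties": {
    "supportsHttpsTrafficOnly": true
  }
}`

// HardenedAccountJSON is a constructed sample with both properties set
// the way the fix in PR 705 sets them.
const HardenedAccountJSON = `{
  "name": "imageregistryhardened",
  "properties": {
    "supportsHttpsTrafficOnly": true,
    "allowBlobPublicAccess": false,
    "minimumTlsVersion": "TLS1_2"
  }
}`

func main() {
	// With a file argument, audit real `az storage account show` output;
	// otherwise run the two constructed samples.
	inputs := []string{LegacyAccountJSON, HardenedAccountJSON}
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		inputs = []string{string(data)}
	}
	exit := 0
	for _, raw := range inputs {
		findings, err := CheckStoragePolicy([]byte(raw))
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			exit = 2
			continue
		}
		if len(findings) == 0 {
			fmt.Println("compliant")
		}
		for _, f := range findings {
			fmt.Println("VIOLATION:", f)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

To audit an existing registry account, save `az storage account show -n <account> -g <rg> -o json` to a file and pass its path; an account that fails can be brought into line with `az storage account update -n <account> -g <rg> --allow-blob-public-access false --min-tls-version TLS1_2`, which is the same pair of settings the fixed operator applies at creation time.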

Comment 1 pawankum 2021-07-01 08:49:14 UTC
Hello Etienne,

Do we have any further update on this if AllowBlobPublicAccess can be set to false?



Regards
Pawan Kumar

Comment 3 Oleg Bulatov 2021-07-02 16:40:17 UTC
No progress on this BZ this sprint due to higher severity bugs.

Comment 4 Oleg Bulatov 2021-07-24 20:36:43 UTC
PRs are awaiting review.

Comment 5 XiuJuan Wang 2021-07-30 10:23:26 UTC
Launched a cluster from the PR.
After the installation succeeded, checked the storage account created by the image registry in the Azure web console. It has blob public access disabled and MinimumTLSVersion set to 1.2.

imageregistrywxjaz7flkqs
Blob public access. Disabled
Minimum TLS version Version 1.2

Comment 7 XiuJuan Wang 2021-08-04 07:25:28 UTC
In comment #5, I had verified this bug.

Comment 11 errata-xmlrpc 2021-10-18 17:31:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

Comment 12 Oleg Bulatov 2021-10-26 20:46:57 UTC
*** Bug 2016615 has been marked as a duplicate of this bug. ***

Comment 13 pawankum 2022-02-17 14:27:38 UTC
Hello All,

I can see this bug has been closed with errata on the 4.9 version. But I still get the same issue on 4.9. Can you please update?

I attached the new case on this.



Regards,
Pawan Kumar
