Bug 1958376 - [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies
Summary: [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due t...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.7
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.9.0
Assignee: Oleg Bulatov
QA Contact: XiuJuan Wang
URL:
Whiteboard:
: 2016615 (view as bug list)
Depends On: 1943175
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-07 18:43 UTC by Etienne Simard
Modified: 2022-10-12 03:53 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:31:03 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-image-registry-operator pull 705 0 None open Bug 1958376: Disallow blob public access for Azure storage account and require TLS1.2+ 2021-08-10 14:28:05 UTC
Red Hat Bugzilla 1943175 1 medium CLOSED unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies (set azure storage account TLS ver... 2021-10-25 13:11:47 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:31:28 UTC

Description Etienne Simard 2021-05-07 18:43:27 UTC
Description of problem:

(copy of https://bugzilla.redhat.com/show_bug.cgi?id=1943175)

Version:
4.7.2, also 4.6.something

Platform:
azure

Please specify:
* IPI

What happened?
Customer reports unable to install IPI PRIVATE OpenShift cluster in Azure. This previously worked, but when certain policies were applied to the customer's Azure account, it stopped working.

The installer breaks on:

Error creating Azure Storage Account "clusterpjacy": 
    - {"name":"[Preview]: Storage account public access should be disallowed"
    - "policyDefinition":{"name":"Azure Storage should have the minimal TLS version of 1.2...

What did you expect to happen?
Installer completes successfully.



Actual results:

Security policies prohibits the storage account created by the image registry.


Currently, the image registry creates a Storage Account without setting these newer AccountProperties:

- AllowBlobPublicAccess
- MinimumTLSVersion 


Expected results:

No policy triggered and successful installation and operation of OpenShift when deploying on Azure.


Additional info:

Azure provides new storage account properties that are required to be set in order to pass customers policies in Azure:

- AllowBlobPublicAccess set to false
- MinimumTLSVersion 'TLS12'

The work has been done for the Installer managed storage account in the linked Bugzilla.

Comment 1 pawankum 2021-07-01 08:49:14 UTC
Hello Etienne,

Do we have any further update on this if AllowBlobPublicAccess can be set to false?



Regards
Pawan Kumar

Comment 2 pawankum 2021-07-01 09:06:17 UTC
Hello Etienne,

Do we have any further update on this if AllowBlobPublicAccess can be set to false?



Regards
Pawan Kumar

Comment 3 Oleg Bulatov 2021-07-02 16:40:17 UTC
No progress on this BZ this sprint due to higher severity bugs.

Comment 4 Oleg Bulatov 2021-07-24 20:36:43 UTC
PRs are awaiting review.

Comment 5 XiuJuan Wang 2021-07-30 10:23:26 UTC
Launch cluster from pr.
After installation successfully, check the storage account created by image registry in azure webconsole. It has set disallow blob public access and MinimumTLSVersion to 1.2.

imageregistrywxjaz7flkqs
Blob public access. Disabled
Minimum TLS version Version 1.2

Comment 7 XiuJuan Wang 2021-08-04 07:25:28 UTC
In comment #5, I had verified this bug.

Comment 11 errata-xmlrpc 2021-10-18 17:31:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

Comment 12 Oleg Bulatov 2021-10-26 20:46:57 UTC
*** Bug 2016615 has been marked as a duplicate of this bug. ***

Comment 13 pawankum 2022-02-17 14:27:38 UTC
Hello All,

I can see this bug has been closed with errata on 4.9 version. But I still got same issue in 4.9 version. Can you please update?

I attached the new case on this.



Regards,
Pawan Kumar


Note You need to log in before you can comment on or make changes to this bug.