Version: 4.9
Platform: azure
Please specify: * IPI

What happened?
Issue: Customer reports being unable to install an IPI PRIVATE OpenShift cluster in Azure. They have an organization policy which does not allow them to create a storage account with public access. It should be disallowed.

What did you expect to happen?
Installer completes successfully.
Please provide more details about the errors that the customer is seeing.
(In reply to Matthew Staebler from comment #1)
> Please provide more details about the errors that the customer is seeing.

ERROR MESSAGE= Message: Progressing: Unable to apply resources: unable to sync storage configuration: failed to start creating storage account: storage.AccountsClient#Create: Failure sending request: StatusCode=0 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'imageregistryazcnor5mfd5' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Deny blob unsecure transfer\",\"id\":\"/providers/Microsoft.Management/managementGroups/Swedbank/providers/Microsoft.Authorization/policyAssignments/prd-deny-blob-unsec-tran\"},\"policyDefinition\":{\"name\":\"Deny blob unsecure transfer\",\"id\":\"/providers/Microsoft.Management/managementGroups/Swedbank/providers/Microsoft.Authorization/policyDefinitions/az-cfcore-prd-deny-blob-unsecure-transfer\"}}]'." Target="imageregistryazcnor5mfd5" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Storage/storageAccounts","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Storage/storageAccounts"},{"expression":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","expressionKind":"Field","operator":"Exists","path":"properties.supportsHttpsTrafficOnly","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Deny blob unsecure transfer","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/Swedbank/providers/Microsoft.Authorization/policyAssignments/prd-deny-blob-unsec-tran","policyAssignmentName":"prd-deny-blob-unsec-tran","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/Swedbank","policyDefinitionDisplayName":"Deny blob unsecure transfer","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/Swedbank/providers/Microsoft.Authorization/policyDefinitions/az-cfcore-prd-deny-blob-unsecure-transfer","policyDefinitionName":"az-cfcore-prd-deny-blob-unsecure-transfer"},"type":"PolicyViolation"}]
That error is from the image registry. I am re-assigning the BZ there.
The policy forbids `supportsHttpsTrafficOnly` to be false.
Hello, I can see the target release is 4.11. Is there any possibility of a backport to the 4.9 version?
The policy expects supportsHttpsTrafficOnly to be present, but as it is `true` by default, this policy is questionable. The image registry operator doesn't send this property explicitly and relies on the default value. If that's the only policy, it'll allow requests that explicitly set supportsHttpsTrafficOnly to `false`.

Given that setting supportsHttpsTrafficOnly explicitly to `true` won't change behavior, I doubt we need to change anything in OpenShift and would recommend correcting the policy.
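The point made in comment #8 can be checked mechanically. The following is an added example, not part of this bug report or of the image registry operator: a minimal evaluator for the two Azure Policy field operators that appear in the denial above (`exists` and `equals`), run against constructed storage-account request bodies. The first rule is reconstructed from the `evaluatedExpressions` in the error (type equals storageAccounts AND `supportsHttpsTrafficOnly` does not exist in the request). The second rule, keyed on the property's value instead of its presence, is an illustration of what a policy that actually targets insecure transfer would have to test; it is an assumption for this example, not the customer's policy or Azure's built-in one. The request bodies are constructed; only the field alias and path come from the error message.

```python
"""Evaluate Azure-Policy-style conditions against storage account requests.

Added example for this bug thread. Policy rule shapes follow Azure Policy's
JSON condition syntax (allOf/anyOf, field + exists/equals); the request
bodies are constructed for the demonstration.
"""
from typing import Any, Optional

# Field alias used by Azure Policy for the property named in the error.
FIELD = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
# The alias maps onto this path in the ARM request body (from the error).
PATH = ("properties", "supportsHttpsTrafficOnly")


def lookup(body: dict, path: tuple) -> tuple[bool, Any]:
    """Return (exists, value) for a nested path in the request body."""
    cur: Any = body
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
    return True, cur


def condition_matches(cond: dict, body: dict) -> bool:
    """Evaluate one condition: allOf, anyOf, or {field, exists|equals}."""
    if "anyOf" in cond:
        return any(condition_matches(c, body) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(condition_matches(c, body) for c in cond["allOf"])
    if cond["field"] == "type":
        exists, value = True, body.get("type")
    else:
        exists, value = lookup(body, PATH)
    if "exists" in cond:
        # Azure Policy writes the target as the string "true"/"false".
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        # Azure Policy compares as case-insensitive strings.
        return exists and str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def effect(policy_rule: dict, body: dict) -> str:
    """Return the rule's effect when its 'if' block matches, else 'Allow'."""
    if condition_matches(policy_rule["if"], body):
        return policy_rule["then"]["effect"]
    return "Allow"


# Rule reconstructed from the evaluatedExpressions in the error message:
# it fires when the property is absent from the request body.
PRESENCE_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": FIELD, "exists": "false"},
    ]},
    "then": {"effect": "Deny"},
}

# Assumed alternative for comparison: fires only when the request explicitly
# turns secure transfer off.
VALUE_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": FIELD, "equals": "false"},
    ]},
    "then": {"effect": "Deny"},
}


def storage_account_body(https_only: Optional[bool] = None) -> dict:
    """Constructed ARM request body; omit the property to rely on the default."""
    body = {
        "type": "Microsoft.Storage/storageAccounts",
        "location": "westeurope",
        "sku": {"name": "Standard_LRS"},
        "kind": "StorageV2",
        "properties": {},
    }
    if https_only is not None:
        body["properties"]["supportsHttpsTrafficOnly"] = https_only
    return body


def evaluate_all() -> dict:
    """Run both rules over the three request shapes that matter here."""
    cases = {"default": None, "explicit_false": False, "explicit_true": True}
    return {
        name: {
            "presence_rule": effect(PRESENCE_RULE, storage_account_body(v)),
            "value_rule": effect(VALUE_RULE, storage_account_body(v)),
        }
        for name, v in cases.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:15} {result}")
```

Running it shows the presence rule denying the request that omits the property (the operator's request, which relies on the `true` default) while allowing a request that sets it to `false`, whereas the value-keyed rule denies only the explicit `false`.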
(In reply to Oleg Bulatov from comment #8)
> The policy expects supportsHttpsTrafficOnly to be present, but as it is
> `true` by default, this policy is questionable. The image registry operator
> doesn't send this property explicitly and relies on the default value. If
> that's the only policy, it'll allow requests that explicitly set
> supportsHttpsTrafficOnly to `false`.
>
> Given that setting supportsHttpsTrafficOnly explicitly to `true` won't
> change behavior, I doubt we need to change anything in OpenShift and would
> recommend to correct the policy.

Let me check with the customer and will get back to you soon.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069
Hello @obulatov, IHAC facing an issue with cluster installation of OCP 4.8 on Azure using IPI, due to the organization policy "Deny Public Network Access", which prevents storage account creation. I can see the target release is 4.11; is there any possibility of backporting to the 4.8 version?
Santhiya, this BZ is not about Deny Public Network Access, it is about explicitly setting enableHttpsTrafficOnly to true (which is its default value, so the fix doesn't change any storage parameters).
Hello, is there any possibility of a backport to 4.10?

Regards,
Pawan