From 81c785ec3545bc35ce4bea77f72022c1e1615603 Mon Sep 17 00:00:00 2001 From: Tony Schneider Date: Tue, 5 Nov 2024 14:31:43 -0600 Subject: [PATCH] add operator roles for platform workload identity --- .github/workflows/aro-hcp-cd.yml | 3 + dev-infrastructure/Makefile | 23 ++- .../dev-operator-roles.bicepparam | 138 ++++++++++++++++++ .../templates/dev-operator-roles.bicep | 28 ++++ 4 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 dev-infrastructure/configurations/dev-operator-roles.bicepparam create mode 100644 dev-infrastructure/templates/dev-operator-roles.bicep diff --git a/.github/workflows/aro-hcp-cd.yml b/.github/workflows/aro-hcp-cd.yml index 21eaf0a2c..38b20c635 100644 --- a/.github/workflows/aro-hcp-cd.yml +++ b/.github/workflows/aro-hcp-cd.yml @@ -81,6 +81,9 @@ # Manage ACR make acr-svc acr-ocp + # Setup operator roles for platform workload identity + make operator-roles + deploy_image_sync_rg: name: 'Deploy Image Sync' if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile index 29a5adda5..4348e92ce 100644 --- a/dev-infrastructure/Makefile +++ b/dev-infrastructure/Makefile 
@@ -459,11 +459,32 @@ secrets-yes-i-want-to-update-the-shared-secrets: rm secrets.tar.gz .PHONY: secrets-yes-i-want-to-update-the-shared-secrets +# +# Operator roles for platform workload identity +# + +operator-roles: + az deployment sub create \ + --location westus3 \ + --name operator-roles \ + --template-file templates/dev-operator-roles.bicep \ + $(PROMPT_TO_CONFIRM) \ + --parameters configurations/dev-operator-roles.bicepparam +.PHONY: operator-roles + +operator-roles.what-if: + az deployment sub what-if \ + --location westus3 \ + --name operator-roles \ + --template-file templates/dev-operator-roles.bicep \ + --parameters configurations/dev-operator-roles.bicepparam +.PHONY: operator-roles.what-if + # # Common # -what-if: acr-svc.what-if acr-ocp.what-if region.what-if svc.what-if mgmt.what-if metrics-infra.what-if imagesync.what-if +what-if: acr-svc.what-if acr-ocp.what-if region.what-if svc.what-if mgmt.what-if metrics-infra.what-if imagesync.what-if operator-roles.what-if .PHONY: what-if infra: region svc.init mgmt.init diff --git a/dev-infrastructure/configurations/dev-operator-roles.bicepparam b/dev-infrastructure/configurations/dev-operator-roles.bicepparam new file mode 100644 index 000000000..ba7efa2b4 --- /dev/null +++ b/dev-infrastructure/configurations/dev-operator-roles.bicepparam 
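Review bot: The subscription deployment location `westus3` is hard-coded twice in this hunk, in both the `operator-roles` and `operator-roles.what-if` recipes, so the two can drift apart and the dev region cannot be overridden from the command line. Defining it once, e.g. `OPERATOR_ROLES_LOCATION ?= westus3` (constructed name) and passing `--location $(OPERATOR_ROLES_LOCATION)` in both recipes, keeps them in step; if the Makefile already defines a region variable above this hunk, reuse that instead. A one-line comment above the target noting that `--location` on a subscription-scope deployment only selects where the deployment metadata is stored, while the role definitions themselves are not regional, would also prevent a future reader from "fixing" it per region.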
@@ -0,0 +1,138 @@
+using '../templates/dev-operator-roles.bicep'
+
+param roles = [
+ {
+ roleName: 'Azure Red Hat OpenShift Cloud Controller Manager - Dev'
+ roleDescription: 'Enables permissions for the operator to manage and update the cloud controller managers deployed on top of OpenShift.'
+ actions: [
+ 'Microsoft.Compute/virtualMachines/read'
+ 'Microsoft.Network/loadBalancers/read'
+ 'Microsoft.Network/loadBalancers/write'
+ 'Microsoft.Network/networkInterfaces/read'
+ 'Microsoft.Network/networkSecurityGroups/read'
+ 'Microsoft.Network/networkSecurityGroups/write'
+ 'Microsoft.Network/publicIPAddresses/join/action'
+ 'Microsoft.Network/publicIPAddresses/read'
+ 'Microsoft.Network/publicIPAddresses/write'
+ 'Microsoft.Network/virtualNetworks/subnets/join/action'
+ 'Microsoft.Network/virtualNetworks/subnets/read'
+ 'Microsoft.Network/loadBalancers/backendAddressPools/join/action'
+ 'Microsoft.Network/networkInterfaces/write'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ {
+ roleName: 'Azure Red Hat OpenShift Cluster Ingress Operator - Dev'
+ roleDescription: 'Enables permissions for the operator to configure and manage the OpenShift router.'
+ actions: [
+ 'Microsoft.Network/dnsZones/A/delete'
+ 'Microsoft.Network/dnsZones/A/write'
+ 'Microsoft.Network/privateDnsZones/A/delete'
+ 'Microsoft.Network/privateDnsZones/A/write'
+ 'Microsoft.Network/virtualNetworks/subnets/read'
+ 'Microsoft.Network/virtualNetworks/subnets/join/action'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ {
+ roleName: 'Azure Red Hat OpenShift Disk Storage Operator - Dev'
+ roleDescription: 'Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use various storage backends.'
+ actions: [
+ 'Microsoft.Compute/virtualMachines/write'
+ 'Microsoft.Compute/virtualMachines/read'
+ 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write'
+ 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read'
+ 'Microsoft.Compute/virtualMachineScaleSets/read'
+ 'Microsoft.Compute/snapshots/write'
+ 'Microsoft.Compute/snapshots/read'
+ 'Microsoft.Compute/snapshots/delete'
+ 'Microsoft.Compute/locations/operations/read'
+ 'Microsoft.Compute/locations/DiskOperations/read'
+ 'Microsoft.Compute/disks/write'
+ 'Microsoft.Compute/disks/read'
+ 'Microsoft.Compute/disks/delete'
+ 'Microsoft.Resources/subscriptions/resourceGroups/read'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ {
+ roleName: 'Azure Red Hat OpenShift File Storage Operator - Dev'
+ roleDescription: 'Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use Azure Files.'
+ actions: [
+ 'Microsoft.Storage/storageAccounts/delete'
+ 'Microsoft.Storage/storageAccounts/fileServices/read'
+ 'Microsoft.Storage/storageAccounts/fileServices/shares/delete'
+ 'Microsoft.Storage/storageAccounts/fileServices/shares/read'
+ 'Microsoft.Storage/storageAccounts/fileServices/shares/write'
+ 'Microsoft.Storage/storageAccounts/listKeys/action'
+ 'Microsoft.Storage/storageAccounts/read'
+ 'Microsoft.Storage/storageAccounts/write'
+ 'Microsoft.Network/networkSecurityGroups/join/action'
+ 'Microsoft.Network/virtualNetworks/subnets/read'
+ 'Microsoft.Network/virtualNetworks/subnets/write'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ {
+ roleName: 'Azure Red Hat OpenShift Network Operator - Dev'
+ roleDescription: 'Enables permissions to install and upgrade the networking components on an OpenShift cluster.'
+ actions: [
+ 'Microsoft.Network/networkInterfaces/read'
+ 'Microsoft.Network/networkInterfaces/write'
+ 'Microsoft.Network/virtualNetworks/read'
+ 'Microsoft.Network/virtualNetworks/subnets/join/action'
+ 'Microsoft.Network/loadBalancers/backendAddressPools/join/action'
+ 'Microsoft.Compute/virtualMachines/read'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ {
+ roleName: 'Azure Red Hat OpenShift Image Registry Operator - Dev'
+ roleDescription: 'Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry including creating storage.'
+ actions: [
+ 'Microsoft.Storage/storageAccounts/blobServices/read'
+ 'Microsoft.Storage/storageAccounts/blobServices/containers/read'
+ 'Microsoft.Storage/storageAccounts/blobServices/containers/write'
+ 'Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action'
+ 'Microsoft.Storage/storageAccounts/read'
+ 'Microsoft.Storage/storageAccounts/write'
+ 'Microsoft.Storage/storageAccounts/delete'
+ 'Microsoft.Storage/storageAccounts/listKeys/action'
+ 'Microsoft.Resources/tags/write'
+ 'Microsoft.Network/privateEndpoints/write'
+ 'Microsoft.Network/privateEndpoints/read'
+ 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write'
+ 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read'
+ 'Microsoft.Network/privateDnsZones/read'
+ 'Microsoft.Network/privateDnsZones/write'
+ 'Microsoft.Network/privateDnsZones/join/action'
+ 'Microsoft.Network/privateDnsZones/A/write'
+ 'Microsoft.Network/privateDnsZones/virtualNetworkLinks/write'
+ 'Microsoft.Network/privateDnsZones/virtualNetworkLinks/read'
+ 'Microsoft.Network/networkInterfaces/read'
+ 'Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action'
+ 'Microsoft.Network/virtualNetworks/subnets/read'
+ 'Microsoft.Network/virtualNetworks/subnets/join/action'
+ 'Microsoft.Network/virtualNetworks/join/action'
+ ]
+ notActions: []
+ dataActions: [
+ 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'
+ 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'
+ 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
+ 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'
+ 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action'
+ ]
+ notDataActions: []
+ }
+]
diff --git a/dev-infrastructure/templates/dev-operator-roles.bicep b/dev-infrastructure/templates/dev-operator-roles.bicep
new file mode 100644
index 000000000..870006737
--- /dev/null
+++ b/dev-infrastructure/templates/dev-operator-roles.bicep
@@ -0,0 +1,28 @@
+// CustomRoles for Platform Workload Identities for development environment
+
+targetScope = 'subscription'
+
+@description('Array of roles for platform workload identity')
+param roles array = []
+
+resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = [
+ for role in roles: {
+ name: guid(role.roleName)
+ properties: {
+ roleName: role.roleName
+ description: role.roleDescription
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: role.actions
+ notActions: role.notActions
+ dataActions: role.dataActions
+ notDataActions: role.notDataActions
+ }
+ ]
+ assignableScopes: [
+ subscription().id
+ ]
+ }
+ }
+]
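Review bot: `Microsoft.Storage/storageAccounts/listKeys/action` appears in both the File Storage Operator and the Image Registry Operator roles; it returns the account's shared keys, which grant full data-plane access to the whole storage account and are not governed by the RBAC `dataActions` listed alongside it, making it the most sensitive entry in this file. For the registry role the blob `dataActions` plus `generateUserDelegationKey/action` already cover identity-based blob access, so `listKeys/action` may be unnecessary there — confirm against how the operator actually authenticates before keeping it; for the Azure Files role it is plausibly required for share mount credentials. Either way, a short `//` comment next to each `listKeys/action` entry stating why that operator needs a shared key would keep later edits from widening these roles without review. The file has no comments at all; a header line naming the source these action lists were derived from would help whoever has to reconcile them with upstream changes.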
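Review bot: `name: guid(role.roleName)` seeds the role-definition ID with the display name only, so every subscription in the same tenant that this template is deployed into gets the same ID for each role; custom role definitions are tenant-wide objects, so a second deployment would likely update the existing definition (including its `assignableScopes`) instead of creating a per-subscription one. Seeding with the subscription as well, `name: guid(subscription().id, role.roleName)`, gives each subscription its own definition; since this changes the ID of any role already deployed, it should land before anything is assigned to these roles. The `@description` on `roles` would be more useful if it listed the object shape the loop reads (`roleName`, `roleDescription`, `actions`, `notActions`, `dataActions`, `notDataActions`), because a parameter file missing any of them fails only at deployment time.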