
OCI provider - implement Workload Identity auth - cherry pick for release 1.27 #5720


streamnsight
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

Implements Workload Identity auth method for the OCI cloud provider.
Workload Identity offers a more granular way to give permissions to access OCI resources.

Special notes for your reviewer:

The majority of file changes come from the OCI SDK upgrade required for this update; the implementation is otherwise a minor change.

Does this PR introduce a user-facing change?

Added OCI Cloud Provider Workload Identity support
Workload Identity provides a more granular way to secure workloads that require access to OCI resources

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Workload Identity is set by the use of the environment variable `OCI_USE_WORKLOAD_IDENTITY=true`
as well as the `OCI_RESOURCE_PRINCIPAL_VERSION` (1.1 or 2.2) and `OCI_RESOURCE_PRINCIPAL_REGION` since Workload Identity is backed by the Resource Principal auth mechanism.
`OCI_USE_WORKLOAD_IDENTITY=true` takes precedence over `OCI_USE_INSTANCE_PRINCIPAL=true` if set.

Furthermore, a policy needs to be defined to allow the workload to use OCI resources as follows:

Allow any-user to manage cluster-node-pools in compartment <compartment name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'cluster-autoscaler', request.principal.cluster_id = 'ocid1.cluster.oc1....'}
Allow any-user to manage instance-family in compartment <compartment name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'cluster-autoscaler', request.principal.cluster_id = 'ocid1.cluster.oc1....'}
Allow any-user to use subnets in compartment <compartment name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'cluster-autoscaler', request.principal.cluster_id = 'ocid1.cluster.oc1....'}
Allow any-user to read virtual-network-family in compartment <compartment name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'cluster-autoscaler', request.principal.cluster_id = 'ocid1.cluster.oc1....'}
Allow any-user to use vnics in compartment <compartment name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'cluster-autoscaler', request.principal.cluster_id = 'ocid1.cluster.oc1....'}
Allow any-user to inspect compartments in compartment <compartment name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'cluster-autoscaler', request.principal.cluster_id = 'ocid1.cluster.oc1....'}
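The environment-variable precedence described above, written out as an added Go example that is not code from this PR or from the cluster-autoscaler OCI provider. It assumes a hypothetical `ResolveAuthMode` helper that takes the process environment as a map, so it runs offline; the fallback value `AuthDefault` and the sample region are constructed for the example, and the PR does not state what happens when the Workload Identity variables are incomplete, so failing closed here is the example's own choice.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// AuthMode names the credential source the provider ends up using.
type AuthMode string

const (
	AuthWorkloadIdentity  AuthMode = "workload-identity"
	AuthInstancePrincipal AuthMode = "instance-principal"
	AuthDefault           AuthMode = "default" // hypothetical: whatever the provider used before
)

// ResolveAuthMode applies the precedence from the PR description:
// OCI_USE_WORKLOAD_IDENTITY=true wins over OCI_USE_INSTANCE_PRINCIPAL=true.
// Workload Identity is backed by Resource Principal auth, so it also needs
// OCI_RESOURCE_PRINCIPAL_VERSION (1.1 or 2.2) and OCI_RESOURCE_PRINCIPAL_REGION.
// A misconfigured Workload Identity request returns an error instead of
// silently falling back to the broader instance-principal credential.
func ResolveAuthMode(env map[string]string) (AuthMode, error) {
	if isTrue(env["OCI_USE_WORKLOAD_IDENTITY"]) {
		if v := env["OCI_RESOURCE_PRINCIPAL_VERSION"]; v != "1.1" && v != "2.2" {
			return "", fmt.Errorf("OCI_RESOURCE_PRINCIPAL_VERSION must be 1.1 or 2.2, got %q", v)
		}
		if env["OCI_RESOURCE_PRINCIPAL_REGION"] == "" {
			return "", errors.New("OCI_RESOURCE_PRINCIPAL_REGION is required for Workload Identity")
		}
		return AuthWorkloadIdentity, nil
	}
	if isTrue(env["OCI_USE_INSTANCE_PRINCIPAL"]) {
		return AuthInstancePrincipal, nil
	}
	return AuthDefault, nil
}

// isTrue treats only a parseable boolean "true" as set; "", "0" and junk are false.
func isTrue(s string) bool {
	b, err := strconv.ParseBool(s)
	return err == nil && b
}

func main() {
	// Constructed sample environment: both flags set, Workload Identity must win.
	env := map[string]string{
		"OCI_USE_WORKLOAD_IDENTITY": "true", "OCI_USE_INSTANCE_PRINCIPAL": "true",
		"OCI_RESOURCE_PRINCIPAL_VERSION": "2.2", "OCI_RESOURCE_PRINCIPAL_REGION": "us-ashburn-1",
	}
	mode, err := ResolveAuthMode(env)
	fmt.Println(mode, err)
}
```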

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. area/cluster-autoscaler labels May 1, 2023
@streamnsight
Contributor Author

@jlamillan Could you review / approve?

Contributor

@jlamillan jlamillan left a comment


/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 2, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jlamillan, streamnsight

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 2, 2023
@k8s-ci-robot k8s-ci-robot merged commit 62d9c94 into kubernetes:cluster-autoscaler-release-1.27 May 2, 2023