You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc
+23-12Lines changed: 23 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,57 +24,68 @@ By setting different values for the `credentialsMode` parameter in the `install-
24
24
* **xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds[Manual mode with short-term credentials for components]**: For some providers, you can use the CCO utility (`ccoctl`) during installation to implement short-term credentials for individual components. These credentials are created and managed outside the {product-title} cluster.
25
25
26
26
.CCO mode support matrix
27
-
[cols="<.^2,^.^1,^.^1,^.^1"]
27
+
[cols="<.^2,^.^1,^.^1,^.^1,^.^1"]
28
28
|====
29
-
|Cloud provider |Mint |Passthrough |Manual
29
+
|Cloud provider |Mint |Passthrough |Manual with long-term credentials |Manual with short-term credentials
30
30
31
31
|{alibaba}
32
32
|
33
33
|
34
-
|X
34
+
|X ^[1]^
35
+
|
35
36
36
37
|Amazon Web Services (AWS)
37
38
|X
38
39
|X
39
-
|X ^[1]^
40
+
|X
41
+
|X
40
42
43
+
|Global Microsoft Azure
44
+
|
45
+
|X
46
+
|X
47
+
|X
41
48
42
-
|Microsoft Azure
49
+
|Microsoft Azure Stack Hub
50
+
|
43
51
|
44
-
|X ^[2]^
45
52
|X
53
+
|
46
54
47
55
|Google Cloud Platform (GCP)
48
56
|X
49
57
|X
50
-
|X ^[3]^
58
+
|X
59
+
|X
51
60
52
61
|IBM Cloud
53
62
|
54
63
|
55
-
|X
64
+
|X ^[1]^
65
+
|
56
66
57
67
|Nutanix
58
68
|
59
69
|
60
-
|X
70
+
|X ^[1]^
71
+
|
61
72
62
73
|{rh-openstack-first}
63
74
|
64
75
|X
65
76
|
77
+
|
66
78
67
79
|VMware vSphere
68
80
|
69
81
|X
70
82
|
83
+
|
71
84
72
85
|====
73
86
[.small]
74
87
--
75
-
1. Short-term credentials with AWS Security Token Service can be configured during installation.
76
-
2. Manual mode with long-term credentials is the only supported CCO configuration for Microsoft Azure Stack Hub.
77
-
3. Short-term credentials with GCP Workload Identity can be configured during installation.
88
+
1. This platform uses the `ccoctl` utility during installation to configure long-term credentials.
Manual mode is supported for Alibaba Cloud, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), IBM Cloud, and Nutanix.
9
+
Manual mode is supported for Alibaba Cloud, Amazon Web Services (AWS), global Microsoft Azure, Microsoft Azure Stack Hub, Google Cloud Platform (GCP), IBM Cloud, and Nutanix.
10
10
11
11
[id="manual-mode-classic_{context}"]
12
12
== User-managed credentials
13
13
14
-
In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). To use this mode, you must examine the `CredentialsRequest` CRs in the release image for the version of {product-title} that you are running or installing, create corresponding credentials in the underlying cloud provider, and create Kubernetes Secrets in the correct namespaces to satisfy all `CredentialsRequest` CRs for the cluster's cloud provider.
14
+
In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). To use this mode, you must examine the `CredentialsRequest` CRs in the release image for the version of {product-title} that you are running or installing, create corresponding credentials in the underlying cloud provider, and create Kubernetes Secrets in the correct namespaces to satisfy all `CredentialsRequest` CRs for the cluster's cloud provider. Some platforms use the CCO utility (`ccoctl`) to facilitate this process during installation and updates.
15
15
16
-
Using manual mode with long-term credentials allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. This mode also does not require connectivity to the AWS public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade.
16
+
Using manual mode with long-term credentials allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. This mode also does not require connectivity to services such as the AWS public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade.
17
17
18
18
For information about configuring your cloud provider to use manual mode, see the manual credentials management options for your cloud provider.
19
19
20
-
[id="manual-mode-sts_{context}"]
21
-
== Manual mode with cloud credentials created and managed outside of the cluster
22
-
23
-
An AWS or GCP cluster that uses manual mode might be configured to create and manage cloud credentials from outside of the cluster using the AWS Security Token Service (STS) or GCP Workload Identity. With this configuration, the CCO uses short-term credentials for different components.
24
-
25
-
For more information, see xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds[Manual mode with short-term credentials for components].
20
+
[NOTE]
21
+
====
22
+
An AWS, global Azure, or GCP cluster that uses manual mode might be configured to use short-term credentials for different components. For more information, see xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds[Manual mode with short-term credentials for components].
0 commit comments