Skip to content

Commit 77db096

Browse files
shyamradhakrishnanshyamradhakrishnan
authored
Add instructions for Workload identity policies (#358)
* Add instructions for Workload identity policies
1 parent 5432b75 commit 77db096

File tree

1 file changed

+11
-0
lines changed

1 file changed

+11
-0
lines changed

docs/src/gs/multi-tenancy.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,7 @@ spec shown below uses Instance Principals.
7474

7575
```yaml
7676
---
77+
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
7778
kind: OCIClusterIdentity
7879
metadata:
7980
name: cluster-identity
@@ -90,6 +91,7 @@ Cluster Identity supports [Workload][workload] access to OCI resources also know
9091

9192
```yaml
9293
---
94+
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
9395
kind: OCIClusterIdentity
9496
metadata:
9597
name: cluster-identity
@@ -98,6 +100,15 @@ spec:
98100
type: Workload
99101
allowedNamespaces: {}
100102
```
103+
CAPOCI, by default create a Service Account `capoci-controller-manager` in namespace `cluster-api-provider-oci-system`.
104+
Workload identity needs to have policies required to create OKE or Self managed clusters. For example, the following
105+
policies will provide Workload identity with permissions to create OKE cluster.
106+
- `Allow any-user to manage virtual-network-family in compartment <compartment> where all { request.principal.type = 'workload', request.principal.namespace = 'cluster-api-provider-oci-system', request.principal.service_account = 'capoci-controller-manager'}`
107+
- `Allow any-user to manage cluster-family in compartment <compartment> where all { request.principal.type = 'workload', request.principal.namespace = 'cluster-api-provider-oci-system', request.principal.service_account = 'capoci-controller-manager'}`
108+
- `Allow any-user to manage volume-family in compartment <compartment> where all { request.principal.type = 'workload', request.principal.namespace = 'cluster-api-provider-oci-system', request.principal.service_account = 'capoci-controller-manager'}`
109+
- `Allow any-user to manage instance-family in compartment <compartment> where all { request.principal.type = 'workload', request.principal.namespace = 'cluster-api-provider-oci-system', request.principal.service_account = 'capoci-controller-manager'}`
110+
- `Allow any-user to inspect compartments in compartment <compartment> where all { request.principal.type = 'workload', request.principal.namespace = 'cluster-api-provider-oci-system', request.principal.service_account = 'capoci-controller-manager'}`
111+
101112

102113
[iam-user]: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#Required_Keys_and_OCIDs
103114
[instance-principals]: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm

0 commit comments

Comments
 (0)