add operator roles for platform workload identity

Azure · Nov 5, 2024 · 81c785e · 81c785e
1 parent 5300ea9
commit 81c785e
Show file tree

Hide file tree

Showing 4 changed files with 191 additions and 1 deletion.
diff --git a/.github/workflows/aro-hcp-cd.yml b/.github/workflows/aro-hcp-cd.yml
@@ -81,6 +81,9 @@
             # Manage ACR
             make acr-svc acr-ocp
 
+            # Setup operator roles for platform workload identity
+            make operator-roles
+
     deploy_image_sync_rg:
       name: 'Deploy Image Sync'
       if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'

diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
@@ -459,11 +459,32 @@ secrets-yes-i-want-to-update-the-shared-secrets:
 	rm secrets.tar.gz
 .PHONY: secrets-yes-i-want-to-update-the-shared-secrets
 
+#
+# Operator roles for platform workload identity
+#
+
+operator-roles:
+	az deployment sub create \
+	    --location westus3 \
+		--name operator-roles \
+		--template-file templates/dev-operator-roles.bicep \
+		$(PROMPT_TO_CONFIRM) \
+		--parameters configurations/dev-operator-roles.bicepparam
+.PHONY: operator-roles
+
+operator-roles.what-if:
+	az deployment sub what-if \
+	    --location westus3 \
+		--name operator-roles \
+		--template-file templates/dev-operator-roles.bicep \
+		--parameters configurations/dev-operator-roles.bicepparam
+.PHONY: operator-roles.what-if
+
 #
 # Common
 #
 
-what-if: acr-svc.what-if acr-ocp.what-if region.what-if svc.what-if mgmt.what-if metrics-infra.what-if imagesync.what-if
+what-if: acr-svc.what-if acr-ocp.what-if region.what-if svc.what-if mgmt.what-if metrics-infra.what-if imagesync.what-if operator-roles.what-if
 .PHONY: what-if
 
 infra: region svc.init mgmt.init

diff --git a/dev-infrastructure/configurations/dev-operator-roles.bicepparam b/dev-infrastructure/configurations/dev-operator-roles.bicepparam
@@ -0,0 +1,138 @@
+using '../templates/dev-operator-roles.bicep'
+
+param roles = [
+  {
+    roleName: 'Azure Red Hat OpenShift Cloud Controller Manager - Dev'
+    roleDescription: 'Enables permissions for the operator to manage and update the cloud controller managers deployed on top of OpenShift.'
+    actions: [
+      'Microsoft.Compute/virtualMachines/read'
+      'Microsoft.Network/loadBalancers/read'
+      'Microsoft.Network/loadBalancers/write'
+      'Microsoft.Network/networkInterfaces/read'
+      'Microsoft.Network/networkSecurityGroups/read'
+      'Microsoft.Network/networkSecurityGroups/write'
+      'Microsoft.Network/publicIPAddresses/join/action'
+      'Microsoft.Network/publicIPAddresses/read'
+      'Microsoft.Network/publicIPAddresses/write'
+      'Microsoft.Network/virtualNetworks/subnets/join/action'
+      'Microsoft.Network/virtualNetworks/subnets/read'
+      'Microsoft.Network/loadBalancers/backendAddressPools/join/action'
+      'Microsoft.Network/networkInterfaces/write'
+    ]
+    notActions: []
+    dataActions: []
+    notDataActions: []
+  }
+  {
+    roleName: 'Azure Red Hat OpenShift Cluster Ingress Operator - Dev'
+    roleDescription: 'Enables permissions for the operator to configure and manage the OpenShift router.'
+    actions: [
+      'Microsoft.Network/dnsZones/A/delete'
+      'Microsoft.Network/dnsZones/A/write'
+      'Microsoft.Network/privateDnsZones/A/delete'
+      'Microsoft.Network/privateDnsZones/A/write'
+      'Microsoft.Network/virtualNetworks/subnets/read'
+      'Microsoft.Network/virtualNetworks/subnets/join/action'
+    ]
+    notActions: []
+    dataActions: []
+    notDataActions: []
+  }
+  {
+    roleName: 'Azure Red Hat OpenShift Disk Storage Operator - Dev'
+    roleDescription: 'Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use various storage backends.'
+    actions: [
+      'Microsoft.Compute/virtualMachines/write'
+      'Microsoft.Compute/virtualMachines/read'
+      'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write'
+      'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read'
+      'Microsoft.Compute/virtualMachineScaleSets/read'
+      'Microsoft.Compute/snapshots/write'
+      'Microsoft.Compute/snapshots/read'
+      'Microsoft.Compute/snapshots/delete'
+      'Microsoft.Compute/locations/operations/read'
+      'Microsoft.Compute/locations/DiskOperations/read'
+      'Microsoft.Compute/disks/write'
+      'Microsoft.Compute/disks/read'
+      'Microsoft.Compute/disks/delete'
+      'Microsoft.Resources/subscriptions/resourceGroups/read'
+    ]
+    notActions: []
+    dataActions: []
+    notDataActions: []
+  }
+  {
+    roleName: 'Azure Red Hat OpenShift File Storage Operator - Dev'
+    roleDescription: 'Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use Azure Files.'
+    actions: [
+      'Microsoft.Storage/storageAccounts/delete'
+      'Microsoft.Storage/storageAccounts/fileServices/read'
+      'Microsoft.Storage/storageAccounts/fileServices/shares/delete'
+      'Microsoft.Storage/storageAccounts/fileServices/shares/read'
+      'Microsoft.Storage/storageAccounts/fileServices/shares/write'
+      'Microsoft.Storage/storageAccounts/listKeys/action'
+      'Microsoft.Storage/storageAccounts/read'
+      'Microsoft.Storage/storageAccounts/write'
+      'Microsoft.Network/networkSecurityGroups/join/action'
+      'Microsoft.Network/virtualNetworks/subnets/read'
+      'Microsoft.Network/virtualNetworks/subnets/write'
+    ]
+    notActions: []
+    dataActions: []
+    notDataActions: []
+  }
+  {
+    roleName: 'Azure Red Hat OpenShift Network Operator - Dev'
+    roleDescription: 'Enables permissions to install and upgrade the networking components on an OpenShift cluster.'
+    actions: [
+      'Microsoft.Network/networkInterfaces/read'
+      'Microsoft.Network/networkInterfaces/write'
+      'Microsoft.Network/virtualNetworks/read'
+      'Microsoft.Network/virtualNetworks/subnets/join/action'
+      'Microsoft.Network/loadBalancers/backendAddressPools/join/action'
+      'Microsoft.Compute/virtualMachines/read'
+    ]
+    notActions: []
+    dataActions: []
+    notDataActions: []
+  }
+  {
+    roleName: 'Azure Red Hat OpenShift Image Registry Operator - Dev'
+    roleDescription: 'Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry including creating storage.'
+    actions: [
+      'Microsoft.Storage/storageAccounts/blobServices/read'
+      'Microsoft.Storage/storageAccounts/blobServices/containers/read'
+      'Microsoft.Storage/storageAccounts/blobServices/containers/write'
+      'Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action'
+      'Microsoft.Storage/storageAccounts/read'
+      'Microsoft.Storage/storageAccounts/write'
+      'Microsoft.Storage/storageAccounts/delete'
+      'Microsoft.Storage/storageAccounts/listKeys/action'
+      'Microsoft.Resources/tags/write'
+      'Microsoft.Network/privateEndpoints/write'
+      'Microsoft.Network/privateEndpoints/read'
+      'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write'
+      'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read'
+      'Microsoft.Network/privateDnsZones/read'
+      'Microsoft.Network/privateDnsZones/write'
+      'Microsoft.Network/privateDnsZones/join/action'
+      'Microsoft.Network/privateDnsZones/A/write'
+      'Microsoft.Network/privateDnsZones/virtualNetworkLinks/write'
+      'Microsoft.Network/privateDnsZones/virtualNetworkLinks/read'
+      'Microsoft.Network/networkInterfaces/read'
+      'Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action'
+      'Microsoft.Network/virtualNetworks/subnets/read'
+      'Microsoft.Network/virtualNetworks/subnets/join/action'
+      'Microsoft.Network/virtualNetworks/join/action'
+    ]
+    notActions: []
+    dataActions: [
+      'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'
+      'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'
+      'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
+      'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'
+      'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action'
+    ]
+    notDataActions: []
+  }
+]
diff --git a/dev-infrastructure/templates/dev-operator-roles.bicep b/dev-infrastructure/templates/dev-operator-roles.bicep
@@ -0,0 +1,28 @@
+// CustomRoles for Platform Workload Identities for development environment
+
+targetScope = 'subscription'
+
+@description('Array of roles for platform workload identity')
+param roles array = []
+
+resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = [
+  for role in roles: {
+    name: guid(role.roleName)
+    properties: {
+      roleName: role.roleName
+      description: role.roleDescription
+      type: 'CustomRole'
+      permissions: [
+        {
+          actions: role.actions
+          notActions: role.notActions
+          dataActions: role.dataActions
+          notDataActions: role.notDataActions
+        }
+      ]
+      assignableScopes: [
+        subscription().id
+      ]
+    }
+  }
+]