×

Before you install OpenShift Container Platform, you must use the Alibaba Cloud console to create a Resource Access Management (RAM) user that has sufficient permissions to install OpenShift Container Platform into your Alibaba Cloud. This user must also have permissions to create new RAM users. You can also configure and use the ccoctl tool to create new credentials for the OpenShift Container Platform components with the permissions that they require.

Alibaba Cloud on OpenShift Container Platform is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Creating the required RAM user

You must have a Alibaba Cloud Resource Access Management (RAM) user for the installation that has sufficient privileges. You can use the Alibaba Cloud Resource Access Management console to create a new user or modify an existing user. Later, you create credentials in OpenShift Container Platform based on this user’s permissions.

When you configure the RAM user, be sure to consider the following requirements:

  • The user must have an Alibaba Cloud AccessKey ID and AccessKey secret pair.

    • For a new user, you can select Open API Access for the Access Mode when creating the user. This mode generates the required AccessKey pair.

    • For an existing user, you can add an AccessKey pair or you can obtain the AccessKey pair for that user.

      When created, the AccessKey secret is displayed only once. You must immediately save the AccessKey pair because the AccessKey pair is required for API calls.

  • Add the AccessKey ID and secret to the ~/.alibabacloud/credentials file on your local computer. Alibaba Cloud automatically creates this file when you log in to the console. The Cloud Credential Operator (CCO) utility, ccoutil, uses these credentials when processing Credential Request objects.

    For example:

    [default]                          # Default client
    type = access_key                  # Certification type: access_key
    access_key_id = LTAI5t8cefXKmt                # Key (1)
    access_key_secret = wYx56mszAN4Uunfh            # Secret
    1 Add your AccessKeyID and AccessKeySecret here.
  • The RAM user must have the AdministratorAccess policy to ensure that the account has sufficient permission to create the OpenShift Container Platform cluster. This policy grants permissions to manage all Alibaba Cloud resources.

    When you attach the AdministratorAccess policy to a RAM user, you grant that user full access to all Alibaba Cloud services and resources. If you do not want to create a user with full access, create a custom policy with the following actions that you can add to your RAM user for installation. These actions are sufficient to install OpenShift Container Platform.

    You can copy and paste the following JSON code into the Alibaba Cloud console to create a custom poicy. For information on creating custom policies, see Create a custom policy in the Alibaba Cloud documentation.

    Example custom policy JSON file
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "tag:ListTagResources",
            "tag:UntagResources"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DeleteVpc",
            "vpc:DescribeVSwitches",
            "vpc:DeleteVSwitch",
            "vpc:DescribeEipAddresses",
            "vpc:DescribeNatGateways",
            "vpc:ReleaseEipAddress",
            "vpc:DeleteNatGateway",
            "vpc:DescribeSnatTableEntries",
            "vpc:CreateSnatEntry",
            "vpc:AssociateEipAddress",
            "vpc:ListTagResources",
            "vpc:TagResources",
            "vpc:DescribeVSwitchAttributes",
            "vpc:CreateVSwitch",
            "vpc:CreateNatGateway",
            "vpc:DescribeRouteTableList",
            "vpc:CreateVpc",
            "vpc:AllocateEipAddress",
            "vpc:ListEnhanhcedNatGatewayAvailableZones"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:ModifyInstanceAttribute",
            "ecs:DescribeSecurityGroups",
            "ecs:DeleteSecurityGroup",
            "ecs:DescribeSecurityGroupReferences",
            "ecs:DescribeSecurityGroupAttribute",
            "ecs:RevokeSecurityGroup",
            "ecs:DescribeInstances",
            "ecs:DeleteInstances",
            "ecs:DescribeNetworkInterfaces",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeUserData",
            "ecs:DescribeDisks",
            "ecs:ListTagResources",
            "ecs:AuthorizeSecurityGroup",
            "ecs:RunInstances",
            "ecs:TagResources",
            "ecs:ModifySecurityGroupPolicy",
            "ecs:CreateSecurityGroup",
            "ecs:DescribeAvailableResource",
            "ecs:DescribeRegions",
            "ecs:AttachInstanceRamRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "pvtz:DescribeRegions",
            "pvtz:DescribeZones",
            "pvtz:DeleteZone",
            "pvtz:DeleteZoneRecord",
            "pvtz:BindZoneVpc",
            "pvtz:DescribeZoneRecords",
            "pvtz:AddZoneRecord",
            "pvtz:SetZoneRecordStatus",
            "pvtz:DescribeZoneInfo",
            "pvtz:DescribeSyncEcsHostTask",
            "pvtz:AddZone"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "slb:DescribeLoadBalancers",
            "slb:SetLoadBalancerDeleteProtection",
            "slb:DeleteLoadBalancer",
            "slb:SetLoadBalancerModificationProtection",
            "slb:DescribeLoadBalancerAttribute",
            "slb:AddBackendServers",
            "slb:DescribeLoadBalancerTCPListenerAttribute",
            "slb:SetLoadBalancerTCPListenerAttribute",
            "slb:StartLoadBalancerListener",
            "slb:CreateLoadBalancerTCPListener",
            "slb:ListTagResources",
            "slb:TagResources",
            "slb:CreateLoadBalancer"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:ListResourceGroups",
            "ram:DeleteResourceGroup",
            "ram:ListPolicyAttachments",
            "ram:DetachPolicy",
            "ram:GetResourceGroup",
            "ram:CreateResourceGroup",
            "ram:DeleteRole",
            "ram:GetPolicy",
            "ram:DeletePolicy",
            "ram:ListPoliciesForRole",
            "ram:CreateRole",
            "ram:AttachPolicyToRole",
            "ram:GetRole",
            "ram:CreatePolicy",
            "ram:CreateUser",
            "ram:DetachPolicyFromRole",
            "ram:CreatePolicyVersion",
            "ram:DetachPolicyFromUser",
            "ram:ListPoliciesForUser",
            "ram:AttachPolicyToUser",
            "ram:CreateUser",
            "ram:GetUser",
            "ram:DeleteUser",
            "ram:CreateAccessKey",
            "ram:ListAccessKeys",
            "ram:DeleteAccessKey",
            "ram:ListUsers",
            "ram:ListPolicyVersions"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:DeleteBucket",
            "oss:DeleteBucketTagging",
            "oss:GetBucketTagging",
            "oss:GetBucketCors",
            "oss:GetBucketPolicy",
            "oss:GetBucketLifecycle",
            "oss:GetBucketReferer",
            "oss:GetBucketTransferAcceleration",
            "oss:GetBucketLog",
            "oss:GetBucketWebSite",
            "oss:GetBucketInfo",
            "oss:PutBucketTagging",
            "oss:PutBucket",
            "oss:OpenOssService",
            "oss:ListBuckets",
            "oss:GetService",
            "oss:PutBucketACL",
            "oss:GetBucketLogging",
            "oss:ListObjects",
            "oss:GetObject",
            "oss:PutObject",
            "oss:DeleteObject"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "alidns:DescribeDomainRecords",
            "alidns:DeleteDomainRecord",
            "alidns:DescribeDomains",
            "alidns:DescribeDomainRecordInfo",
            "alidns:AddDomainRecord",
            "alidns:SetDomainRecordStatus"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "bssapi:CreateInstance",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": "ecs.aliyuncs.com"
            }
          }
        }
      ]
    }

For more information about creating a RAM user and granting permissions, see Create a RAM user and Grant permissions to a RAM user in the Alibaba Cloud documentation.

Configuring the Cloud Credential Operator utility

To assign RAM users and policies that provide long-term RAM AccessKeys (AKs) for each in-cluster component, extract and prepare the Cloud Credential Operator (CCO) utility (ccoctl) binary.

The ccoctl utility is a Linux binary that must run in a Linux environment.

Prerequisites
  • You have access to an OpenShift Container Platform account with cluster administrator access.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Set a variable for the OpenShift Container Platform release image by running the following command:

    $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
  2. Obtain the CCO container image from the OpenShift Container Platform release image by running the following command:

    $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)

    Ensure that the architecture of the $RELEASE_IMAGE matches the architecture of the environment in which you will use the ccoctl tool.

  3. Extract the ccoctl binary from the CCO container image within the OpenShift Container Platform release image by running the following command:

    $ oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
  4. Change the permissions to make ccoctl executable by running the following command:

    $ chmod 775 ccoctl
Verification
  • To verify that ccoctl is ready to use, display the help file. Use a relative file name when you run the command, for example:

    $ ./ccoctl.rhel9
    Example output
    OpenShift credentials provisioning tool
    
    Usage:
      ccoctl [command]
    
    Available Commands:
      alibabacloud Manage credentials objects for alibaba cloud
      aws          Manage credentials objects for AWS cloud
      azure        Manage credentials objects for Azure
      gcp          Manage credentials objects for Google cloud
      help         Help about any command
      ibmcloud     Manage credentials objects for IBM Cloud
      nutanix      Manage credentials objects for Nutanix
    
    Flags:
      -h, --help   help for ccoctl
    
    Use "ccoctl [command] --help" for more information about a command.

Next steps