Configuring IAM for IBM Cloud VPC

    The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the credentialsMode parameter in the install-config.yaml file.

    Storing an administrator-level credential secret in the cluster kube-system project is not supported for IBM Cloud; therefore, you must set the credentialsMode parameter for the CCO to Manual when installing OKD and manage your cloud credentials manually.

    Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
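    The following POSIX shell script is an added example, not part of the OKD documentation or the ccoctl project: a preflight check that an install-config.yaml targeting IBM Cloud VPC actually sets credentialsMode: Manual before the installer runs. The two embedded install-config fragments are constructed samples with placeholder values; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not OKD project code): verify that an IBM Cloud VPC
# install-config.yaml sets credentialsMode: Manual, the only CCO mode
# the platform supports.

# Constructed sample: compliant IBM Cloud install-config (abridged).
SAMPLE_OK='apiVersion: v1
baseDomain: example.com
credentialsMode: Manual
metadata:
  name: my-cluster
platform:
  ibmcloud:
    region: us-south
'

# Constructed sample: same platform, but with an unsupported mode.
SAMPLE_BAD='apiVersion: v1
baseDomain: example.com
credentialsMode: Mint
metadata:
  name: my-cluster
platform:
  ibmcloud:
    region: us-south
'

# top_level_value KEY: print the value of an unindented "KEY: value" line
# read from stdin (first match only).
top_level_value() {
  key="$1"
  sed -n "s/^${key}:[[:space:]]*//p" | head -n 1
}

# check_credentials_mode FILE
#   returns 0  -> IBM Cloud platform and credentialsMode is Manual
#   returns 1  -> IBM Cloud platform with a missing or non-Manual mode
#   returns 2  -> not an IBM Cloud install-config (check not applicable)
check_credentials_mode() {
  file="$1"
  if ! grep -q '^  ibmcloud:' "$file"; then
    echo "$file: not an IBM Cloud install-config; skipping" >&2
    return 2
  fi
  mode=$(top_level_value credentialsMode < "$file")
  case "$mode" in
    Manual) echo "$file: credentialsMode is Manual: OK" >&2; return 0 ;;
    "")     echo "$file: credentialsMode is unset; IBM Cloud requires Manual" >&2; return 1 ;;
    *)      echo "$file: credentialsMode is '$mode'; IBM Cloud requires Manual" >&2; return 1 ;;
  esac
}

# Usage: write the samples out and run the check against each.
workdir=$(mktemp -d)
printf '%s' "$SAMPLE_OK" > "$workdir/install-config-ok.yaml"
printf '%s' "$SAMPLE_BAD" > "$workdir/install-config-bad.yaml"
check_credentials_mode "$workdir/install-config-ok.yaml"
check_credentials_mode "$workdir/install-config-bad.yaml" || true
```

Run the check against the real install-config.yaml in your installation directory before invoking the installer; a non-zero exit on an IBM Cloud config means the installer would be asked to store credentials in a mode the platform does not support.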


    To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.

    Prerequisites

    • You have access to an OKD account with cluster administrator access.

    • You have installed the OpenShift CLI (oc).

    Procedure

    1. Obtain the CCO container image from the OKD release image by running the following command, where $RELEASE_IMAGE holds the pull spec of the OKD release image:

      $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)

      Ensure that the architecture of the $RELEASE_IMAGE matches the architecture of the environment in which you will use the ccoctl tool.

    2. Change the permissions to make ccoctl executable by running the following command:

      $ chmod 775 ccoctl

    Verification

    • To verify that ccoctl is ready to use, display the help file by running the following command:

      $ ccoctl --help

      Example output

      OpenShift credentials provisioning tool

      Usage:
        ccoctl [command]

      Available Commands:
        gcp          Manage credentials objects for Google cloud
        help         Help about any command
        ibmcloud     Manage credentials objects for IBM Cloud
        nutanix      Manage credentials objects for Nutanix

      Flags:
        -h, --help   help for ccoctl

      Use "ccoctl [command] --help" for more information about a command.
