Osa cluster admin #9058
* adding cluster admin option to osa create
* adding directory read permissions to the aad app
* making active directory app always require directory permissions
* infra node to 3

* adding cluster admin option to osa create
* adding directory read permissions to the aad app
* making app always require directory permissions
* clean + infra node to 3
* fixing typo
* using new version of acs python sdk
mboersma left a comment
Looks good, Jack; I had a couple of minor comments.
| short-summary: The CIDR used on the Subnet into which to deploy the cluster. | ||
| - name: --customer-admin-group-id | ||
| type: string | ||
| short-summary: The ID of an Azure Active Directory Group that memberships will get synced into the OpenShift group "osa-customer-admins". If not specified no cluster admin access will be granted |
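Review bot: the help text for --customer-admin-group-id should state the security effect of the value, not only the mechanism: members of the given group are synced into the OpenShift group "osa-customer-admins" and so receive cluster admin access, which means the operator must check that group's membership before passing it. The second sentence also needs a comma after "specified" and a terminating period.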
Could you change the second sentence here to have a comma and end with a period?
If not specified, no cluster admin access will be granted.
Looks like this was already updated.
| agent_infra_pool_profile = OpenShiftManagedClusterAgentPoolProfile( | ||
| name='infra', # Must be 12 chars or less before ACS RP adds to it | ||
| count=int(2), | ||
| count=int(3), |
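Review bot: `count=int(3)` wraps an integer literal in `int()`, which does nothing; write `count=3`. The line also raises the default infra pool from 2 to 3 nodes, a change unrelated to the cluster-admin flag that should be recorded in HISTORY.rst so users know the default deployment grew.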
Does this change the default node pool count from 2 to 3? That seems like a significant change (not related to this PR). Maybe it should be mentioned separately in the release notes.
Yes, we agreed on this to switch from 2 to 3.
yugangw-msft left a comment
A few minor comments. Please address and I will merge.
| 2.3.20 | ||
| ++++++ | ||
| * adding customer-admin-group-id flag to az osa create |
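Review bot: the new changelog line sits under the existing 2.3.20 heading instead of under a new version heading at the top of HISTORY.rst (with a matching version bump in setup.py). The entry also names `az osa create`, while the help examples in this PR use `az openshift create`; use the command name users actually type and describe the customer-facing effect, e.g. that members of the given AAD group are granted cluster admin access.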
Please move to the top.
Thanks, moved to top as 2.3.22 and bumped version.
| short-summary: The CIDR used on the Subnet into which to deploy the cluster. | ||
| - name: --customer-admin-group-id | ||
| type: string | ||
| short-summary: The ID of an Azure Active Directory Group that memberships will get synced into the OpenShift group "osa-customer-admins". If not specified, no cluster admin access will be granted. |
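Review bot: "The ID of an Azure Active Directory Group" is ambiguous. If, as the discussion suggests, the group's object ID is meant, say "object ID" and note that it is a GUID, so that operators do not pass a display name or a different identifier and end up granting admin access to no group or the wrong one.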
I believe it should be the object ID of the AAD group? If yes, please make it clear.
Updated description.
| - name: Create an OpenShift cluster and auto create an AAD Client | ||
| text: az openshift create -g MyResourceGroup -n MyManagedCluster --fqdn {FQDN} | ||
| - name: Create an OpenShift cluster and auto create an AAD Client and setup cluster admin group | ||
| text: az openshift create -g MyResourceGroup -n MyManagedCluster --fqdn {FQDN} --customer-admin-group-id {GROUP_ID} |
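Review bot: in the second example's name, "setup" should be "set up" (it is a verb here). Both examples also hard-wire --fqdn, which PR #9083 is making optional; once that lands, the minimal invocation for granting the admin group should be shown without it so the documented example stays valid.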
This is going to be incompatible with PR #9083 which removes FQDN.
@tjprescott FQDN is not being removed. It's being made optional. PR #9083 will be done on top of this PR.
| additional_properties=None, type="Scope") | ||
| required_osa_aad_access = RequiredResourceAccess(resource_access=[resource_access], | ||
| # Read directory permissions on Windows Azure Active Directory API | ||
| directory_access = ResourceAccess(id="5778995a-e1bf-45b8-affa-663a9f3f4d04", |
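Review bot: the bare GUID "5778995a-e1bf-45b8-affa-663a9f3f4d04" should be a named module-level constant whose comment records which permission it is (the inline comment says the directory read permission on the Azure Active Directory API) and where the value was taken from, so a reader can verify it without inspecting configured apps as the discussion describes. Separately, the commit message says the AAD app now always requires directory permissions, even when --customer-admin-group-id is not given; a directory read scope that is only needed for group sync is more privilege than the default cluster needs, so consider requesting it only when the flag is set.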
What is this hard-coded ID?
@tjprescott, these are scope GUIDs for programmatic use and represent various permissions: https://docs.microsoft.com/en-us/graph/permissions-reference. Currently there isn't straightforward documentation from AAD for this, and this is obtained by looking at currently configured apps in AAD.
# Conflicts:
#	src/command_modules/azure-cli-acs/HISTORY.rst
#	src/command_modules/azure-cli-acs/setup.py

@yugangw-msft @mboersma comments addressed by @sozercan. PTAL

From the CI failures, maybe we just need to re-record the Edit: or all of them.
This reverts commit 8643736.
# Conflicts:
#	src/command_modules/azure-cli-acs/setup.py

@tjprescott any ideas why

@tjprescott @yugangw-msft tests are green now
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR has modified HISTORY.rst describing any customer-facing, functional changes. Note that this does not include changes only to help content. (see Modifying change log).
I adhere to the Command Guidelines.