Über Open CoDE Software Wiki Diskussionen GitLab

Skip to content

Use unrestricted app cred for capi mgmt node and 2ndary restricted app creds for capo and for CSI and OCCM

Created by: garloff

We should have capability to create further app creds for clusters on the capi mgmt node. This is a first step into managing clusters across clouds from the same mgmt node.

We should then create two (!) restricted app creds per cluster:

  • One is for capo: This one can not be accessed / abused from within the workload cluster.
  • One if for CSI and OCCM, allowing create OpenStack resources (loadbalancers, volumes, ...) from within the workload cluster

The latter is subject to abuse if hostile users within the cluster want to do evil things. So be prepared to independently revoke these app creds.