Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Critical
Fix Version/s: openshift-4.16
Affects Version/s: None
Component/s: None
Labels:
None

Story Points:
1
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
GCP role granularity
Feature Link:
OCPSTRAT-243 - Custom roles for GCP Workload Identity

Sprint:
Sprint 244, Sprint 245, Sprint 246

Target Version:

openshift-4.15

SFDC Cases Links:
SFDC Cases Counter:

Evaluate if any of the GCP predefined roles in the credentials request manifest of Cluster Image Registry Operator give elevated permissions. Remove any such predefined role from spec.predefinedRoles field and replace it with required permissions in the new spec.permissions field.

The new GCP provider spec for credentials request CR is as follows:

type GCPProviderSpec struct {
   metav1.TypeMeta `json:",inline"`
   // PredefinedRoles is the list of GCP pre-defined roles
   // that the CredentialsRequest requires.
   PredefinedRoles []string `json:"predefinedRoles"`
   // Permissions is the list of GCP permissions required to
   // create a more fine-grained custom role to satisfy the
   // CredentialsRequest.
   // When both Permissions and PredefinedRoles are specified
   // service account will have union of permissions from
   // both the fields
   Permissions []string `json:"permissions"`
   // SkipServiceCheck can be set to true to skip the check whether the requested roles or permissions
   // have the necessary services enabled
   // +optional
   SkipServiceCheck bool `json:"skipServiceCheck,omitempty"`
}

we can use the following command to check permissions associated with a GCP predefined role

gcloud iam roles describe <role_name>

The sample output for role roleViewer is as follows. The permission are listed in "includedPermissions" field.

[akhilrane@localhost cloud-credential-operator]$ gcloud iam roles describe roles/iam.roleViewer
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA

is blocked by

OCPBUGS-28850 Implement per-project custom role creation in ccoctl

Closed

is incorporated by

CCO-285 GCP openshift role granularity enhancement - phase 2

Closed

is related to

OCPBUGS-24684 CIRO should use granular roles on GCP

Closed

OCPBUGS-25038 CIRO should use granular roles on GCP

Closed

links to

https://github.com/openshift/cluster-image-registry-operator/pull/965

openshift/cluster-image-registry-operator#935: IR-408: request individual permissions for gcs

openshift/cluster-image-registry-operator#967: CCO-248: Revert "Merge pull request #965 from jstuever/TRT-1368"

openshift/cluster-image-registry-operator#972: [release-4.15] OCPBUGS-24684: Revert "Merge pull request #965 from jstuever/TRT-1368"

(3 links to)

Assignee:: Flavian Missi

Reporter:: Akhil Rane (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2022/08/15 6:42 PM

Updated:: 2023/12/15 1:57 PM

Resolved:: 2023/12/15 1:57 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates