-
Epic
-
Resolution: Done
-
Major
-
None
-
GCP role enhancement - ph 2
-
False
-
None
-
False
-
Not Selected
-
To Do
-
OCPSTRAT-243 - Custom roles for GCP Workload Identity
-
-
100
-
100%
-
Approved
These are phase 2 items from CCO-188
Moving items from other teams that need to be committed to for 4.13 this work to complete
Epic Goal
- Request to build list of specific permissions to run openshift on GCP - Components grant roles, but we need more granularity - Custom roles now allow ability to do this compared to when permissions capabilities were originally written for GCP
Why is this important?
- Some of the service accounts that CCO creates, e.g. service account with role roles/iam.serviceAccountUser provides elevated permissions that are not required/used by the requesting OpenShift components. This is because we use predefined roles for GCP that come with bunch of additional permissions. The goal is to create custom roles with only the required permissions.Â
- blocks
-
OCPSTRAT-922 CloudCredentialOperator-based flow for OLM-managed operators and GCP WIF
-
- New
-
- incorporates
-
-
- Closed
-
-
-
- Closed
-
-
IR-408 Update GCP Credentials Request manifest of the Cluster Image Registry Operator to use new API field for requesting permissions
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
-
-
- Closed
-
- is related to
-
-
- Release Pending
-
-
OCPBUGS-24684 CIRO should use granular roles on GCP
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Verified
-
-
-
- Closed
-
-
-
- Closed
-
