Epic
Resolution: Done
Major
GCP role enhancement - ph 2
OCPSTRAT-243 - Custom roles for GCP Workload Identity
0% To Do, 0% In Progress, 100% Done
Approved
These are phase 2 items from CCO-188
Moving in items from other teams that need to be committed to for 4.13 for this work to complete.
Epic Goal
- Request to build a list of the specific permissions needed to run OpenShift on GCP
- Components grant roles, but we need more granularity
- Custom roles now make this possible, which was not the case when the permissions capabilities were originally written for GCP
Why is this important?
- Some of the service accounts that CCO creates, e.g. the service account with the role roles/iam.serviceAccountUser, carry elevated permissions that are not required or used by the requesting OpenShift components. This is because we use predefined GCP roles, which come with a bunch of additional permissions. The goal is to create custom roles with only the required permissions.
- blocks
  - OCPSTRAT-922 CloudCredentialOperator-based flow for OLM-managed operators and GCP WIF (Closed)
- incorporates
  - OCPCLOUD-1718 Update GCP Credentials Request manifests of the OpenShift components to use new API field for requesting permissions (Closed)
  - SDN-4158 Update GCP Credentials Request manifest of the Cluster Network Operator to use new API field for requesting permissions (Closed)
  - IR-408 Update GCP Credentials Request manifest of the Cluster Image Registry Operator to use new API field for requesting permissions (Closed)
  - OCPCLOUD-1725 Update GCP Credentials Request manifest of the Machine API Operator to use new API field for requesting permissions (Closed)
  - OCPCLOUD-1724 Update GCP Credentials Request manifest of the Cloud Controller Manager Operator to use new API field for requesting permissions (Closed)
  - OCPCLOUD-1726 Update GCP Credentials Request manifest of the Cluster CAPI Operator to use new API field for requesting permissions (Closed)
  - SDN-4227 Update GCP Credentials Request manifest for CNCC (Closed)
- is blocked by
  - CCO-188 GCP openshift role granularity enhancement - phase 1 (Closed)
  - OCPCLOUD-1718 Update GCP Credentials Request manifests of the OpenShift components to use new API field for requesting permissions (Closed)
- is related to
  - CORS-1871 Determine and Document the explicit list of required credential permissions for GCP (Release Pending)
  - OCPBUGS-24684 CIRO should use granular roles on GCP (Closed)
- relates to
  - OCPCLOUD-1718 Update GCP Credentials Request manifests of the OpenShift components to use new API field for requesting permissions (Closed)
  - SDN-4158 Update GCP Credentials Request manifest of the Cluster Network Operator to use new API field for requesting permissions (Closed)
  - OCPBUGS-23178 cloud-credential-operator cannot add new grants to deleted gcp role (Closed)
  - OCPBUGS-24613 GCP error syncing creds in mint-mode, can't create a role_id which has been marked for deletion (Closed)
  - OCPBUGS-25655 [gcp] perms errors (Closed)
- links to