Details
- Bug
- Resolution: Done
- Critical
- 4.15
- Low
- No
- False
- Bug Fix
- Done
Description
Rather than creating custom roles per cluster, as ccoctl currently does for GCP, it should create custom roles per project, because of GCP's custom role deletion policy: a deleted custom role continues to exist and count toward the project's custom role quota for 7 days, and is not permanently deleted for up to 14 days (ref: https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role). Creating and deleting a set of roles for every cluster therefore keeps consuming quota long after the clusters themselves are gone.
By default, ccoctl delete should leave these per-project custom roles in place and only remove them when an optional flag is passed.
Because the roles are shared per project, changes to their permissions must be additive. A permission cannot be removed when a newer release stops requesting it, since clusters on previous releases in the same project may still rely on it.
Log a warning/info message describing the permission delta so that users know the role carries permissions beyond what the current release requests, and can clean them up themselves once they are sure nothing still uses them.
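The per-project, additive reconciliation described above, as an added Go example that is not ccoctl's own code. It models a project's custom roles with an in-memory map (a hypothetical `customRole` type, not the GCP IAM API type), uses a hypothetical role ID and a constructed pair of permission sets, and treats a role still inside its deletion window as restorable rather than recreatable. Permissions are merged and never removed, the delete path is a no-op unless the flag is set, and soft-deleted roles keep counting toward quota, which is the reason the ticket gives for skipping them by default.

```go
package main

import (
	"fmt"
	"sort"
)

// customRole is a hypothetical in-memory stand-in for a GCP custom role; it is
// not the IAM API type. Roles are keyed by role ID within a single project.
type customRole struct {
	ID          string
	Permissions map[string]bool
	// Deleted models GCP's soft-delete window: a deleted role stays visible
	// and keeps counting against the project's custom-role quota.
	Deleted bool
}

// projectRoles stands in for the custom roles of one GCP project.
type projectRoles map[string]*customRole

// reconcileResult reports what ensureRole changed.
type reconcileResult struct {
	Created bool
	Added   []string // permissions newly granted by this run
	Extra   []string // permissions the role carries that this run did not request
}

// ensureRole creates the per-project role if it is missing, otherwise merges
// the requested permissions into it. Nothing is ever removed: a cluster on an
// older release in the same project may still depend on a permission that a
// newer release no longer requests, so such permissions are only reported.
func ensureRole(roles projectRoles, roleID string, requested []string) reconcileResult {
	var res reconcileResult
	role, ok := roles[roleID]
	if !ok {
		role = &customRole{ID: roleID, Permissions: map[string]bool{}}
		roles[roleID] = role
		res.Created = true
	}
	// Assumption for this model: a role still inside its deletion window is
	// restored rather than recreated under the same ID.
	role.Deleted = false

	want := make(map[string]bool, len(requested))
	for _, p := range requested {
		want[p] = true
		if !role.Permissions[p] {
			role.Permissions[p] = true
			res.Added = append(res.Added, p)
		}
	}
	for p := range role.Permissions {
		if !want[p] {
			res.Extra = append(res.Extra, p)
		}
	}
	sort.Strings(res.Added)
	sort.Strings(res.Extra)
	return res
}

// deleteRoles is the delete path. With deleteCustomRoles false (the default)
// the shared per-project roles are left untouched and nil is returned; with
// it set, the roles are soft-deleted, which still leaves them on the quota.
func deleteRoles(roles projectRoles, ids []string, deleteCustomRoles bool) []string {
	if !deleteCustomRoles {
		return nil
	}
	var deleted []string
	for _, id := range ids {
		if r, ok := roles[id]; ok && !r.Deleted {
			r.Deleted = true
			deleted = append(deleted, id)
		}
	}
	return deleted
}

// quotaUsage counts active and soft-deleted roles alike, because GCP keeps a
// deleted custom role on the quota until it is permanently purged.
func quotaUsage(roles projectRoles) int { return len(roles) }

func main() {
	proj := projectRoles{}
	const roleID = "openshift_machine_api" // hypothetical per-project role ID
	// Constructed sample: an older cluster in the project requested
	// compute.disks.create; a newer one drops it and adds compute.zones.get.
	first := ensureRole(proj, roleID, []string{"compute.instances.create", "compute.instances.list", "compute.disks.create"})
	second := ensureRole(proj, roleID, []string{"compute.instances.create", "compute.instances.list", "compute.zones.get"})
	fmt.Printf("first run: created=%v added=%v\n", first.Created, first.Added)
	fmt.Printf("second run: created=%v added=%v\n", second.Created, second.Added)
	if len(second.Extra) > 0 {
		fmt.Printf("WARNING: role %s carries permissions this run did not request: %v; "+
			"remove them manually only if no other cluster in the project uses them\n", roleID, second.Extra)
	}
	fmt.Println("deleted without flag:", deleteRoles(proj, []string{roleID}, false))
	fmt.Println("deleted with flag:   ", deleteRoles(proj, []string{roleID}, true))
	fmt.Println("roles still on quota:", quotaUsage(proj))
}
```

The `Extra` list is what the warning should be built from: it is exactly the set of permissions that an additive policy leaves behind, and the only place a user can learn that the role is now broader than any single release needs.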
Issue Links
- blocks
  - OCPCLOUD-1718 Update GCP Credentials Request manifests of the OpenShift components to use new API field for requesting permissions (Closed)
  - SDN-4158 Update GCP Credentials Request manifest of the Cluster Network Operator to use new API field for requesting permissions (Closed)
  - IR-408 Update GCP Credentials Request manifest of the Cluster Image Registry Operator to use new API field for requesting permissions (Closed)
  - OCPCLOUD-1725 Update GCP Credentials Request manifest of the Machine API Operator to use new API field for requesting permissions (Closed)
  - OCPCLOUD-1724 Update GCP Credentials Request manifest of the Cloud Controller Manager Operator to use new API field for requesting permissions (Closed)
  - OCPCLOUD-1726 Update GCP Credentials Request manifest of the Cluster CAPI Operator to use new API field for requesting permissions (Closed)
  - CCO-244 Update GCP Credentials Request manifest of the Cloud Credentials Operator to use new API field for requesting permissions (Closed)
  - CCO-246 Update GCP Credentials Request manifest of the Cloud Controller Manager Operator to use new API field for requesting permissions (Closed)
  - CCO-247 Update GCP Credentials Request manifest of the Machine API Operator to use new API field for requesting permissions (Closed)
  - CCO-249 Update GCP Credentials Request manifest of the Cluster Ingress Operator to use new API field for requesting permissions (Closed)
  - CCO-251 Update GCP Credentials Request manifest of the Cluster Storage Operator to use new API field for requesting permissions (Closed)
  - CCO-252 Update GCP Credentials Request manifest of the Cluster CAPI Operator to use new API field for requesting permissions (Closed)
- links to