Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-28850

Implement per-project custom role creation in ccoctl

    XMLWordPrintable

Details

    • Low
    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the Cloud Credential Operator utility (`ccoctl`) created custom GCP roles at the cluster level, so each cluster contributed to the quota limit on the number of allowed custom roles. Because of GCP deletion policies, deleted custom roles continue to contribute to the quota limit for many days after they are deleted. With this release, custom roles are added at the project level instead of the cluster level to reduce the total number of custom roles created. Additionally, an option to clean up custom roles is now available when deleting the GCP resources that the `ccoctl` utility creates during installation. These changes can help avoid reaching the quota limit on the number of allowed custom roles. (link:https://issues.redhat.com/browse/OCPBUGS-28850[*OCPBUGS-28850*])
      Show
      * Previously, the Cloud Credential Operator utility (`ccoctl`) created custom GCP roles at the cluster level, so each cluster contributed to the quota limit on the number of allowed custom roles. Because of GCP deletion policies, deleted custom roles continue to contribute to the quota limit for many days after they are deleted. With this release, custom roles are added at the project level instead of the cluster level to reduce the total number of custom roles created. Additionally, an option to clean up custom roles is now available when deleting the GCP resources that the `ccoctl` utility creates during installation. These changes can help avoid reaching the quota limit on the number of allowed custom roles. (link: https://issues.redhat.com/browse/OCPBUGS-28850 [* OCPBUGS-28850 *])
    • Bug Fix
    • Done

    Description

      Rather than create custom roles per-cluster, as is currently implemented for GCP, ccoctl should create custom roles per-project due to custom role deletion policies. When a custom role is deleted in GCP it continues to exist and contributes to quota for 7 days. Custom roles are not permanently deleted for up to 14 days after deletion ref: https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role.

      Deletion should ignore these per-project custom roles by default and provide an optional flag to delete them.

      Since the custom roles must be created per-project, deltas in permissions must be additive. We can't remove permissions with these restrictions since previous versions may rely on those custom role permissions.

      Post a warning/info message regarding the permission delta so that users are aware that there are extra permissions and they can clean them up possibly if they're sure they aren't being utilized.

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. OCPCLOUD-1718 Update GCP Credentials Request manifests of the OpenShift components to use new API field for requesting permissions

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. SDN-4158 Update GCP Credentials Request manifest of the Cluster Network Operator to use new API field for requesting permissions

          • Undefined - Priority not specified.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. IR-408 Update GCP Credentials Request manifest of the Cluster Image Registry Operator to use new API field for requesting permissions

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OCPCLOUD-1725 Update GCP Credentials Request manifest of the Machine API Operator to use new API field for requesting permissions

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OCPCLOUD-1724 Update GCP Credentials Request manifest of the Cloud Controller Manager Operator to use new API field for requesting permissions

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OCPCLOUD-1726 Update GCP Credentials Request manifest of the Cluster CAPI Operator to use new API field for requesting permissions

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-244 Update GCP Credentials Request manifest of the Cloud Credentials Operator to use new API field for requesting permissions

          • Undefined - Priority not specified.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-246 Update GCP Credentials Request manifest of the Cloud Controller Manager Operator to use new API field for requesting permissions

          • Undefined - Priority not specified.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-247 Update GCP Credentials Request manifest of the Machine API Operator to use new API field for requesting permissions

          • Undefined - Priority not specified.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-249 Update GCP Credentials Request manifest of the Cluster Ingress Operator to use new API field for requesting permissions

          • Undefined - Priority not specified.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-251 Update GCP Credentials Request manifest of the Cluster Storage Operator to use new API field for requesting permissions

          • Undefined - Priority not specified.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-252 Update GCP Credentials Request manifest of the Cluster CAPI Operator to use new API field for requesting permissions

          • Undefined - Priority not specified.
          • Closed
          links to

          GitHub openshift/cloud-credential-operator#611: CCO-430: Use per-project custom roles instead of per-cluster custom roles

          GitHub openshift/cloud-credential-operator#631: [release-4.14] CCO-430: Use per-project custom roles instead of per-cluster custom roles

          GitHub openshift/cluster-network-operator#2069: Use specific permissions for CNCC in GCP

          Activity

            People

              rh-ee-mold Mark Old
              abutcher@redhat.com Andrew Butcher
              Mingxia Huang Mingxia Huang
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: