Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-28850

Implement per-project custom role creation in ccoctl

XMLWordPrintable

    • Low
    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the Cloud Credential Operator utility (`ccoctl`) created custom GCP roles at the cluster level, so each cluster contributed to the quota limit on the number of allowed custom roles. Because of GCP deletion policies, deleted custom roles continue to contribute to the quota limit for many days after they are deleted. With this release, custom roles are added at the project level instead of the cluster level to reduce the total number of custom roles created. Additionally, an option to clean up custom roles is now available when deleting the GCP resources that the `ccoctl` utility creates during installation. These changes can help avoid reaching the quota limit on the number of allowed custom roles. (link:https://issues.redhat.com/browse/OCPBUGS-28850[*OCPBUGS-28850*])
      Show
      * Previously, the Cloud Credential Operator utility (`ccoctl`) created custom GCP roles at the cluster level, so each cluster contributed to the quota limit on the number of allowed custom roles. Because of GCP deletion policies, deleted custom roles continue to contribute to the quota limit for many days after they are deleted. With this release, custom roles are added at the project level instead of the cluster level to reduce the total number of custom roles created. Additionally, an option to clean up custom roles is now available when deleting the GCP resources that the `ccoctl` utility creates during installation. These changes can help avoid reaching the quota limit on the number of allowed custom roles. (link: https://issues.redhat.com/browse/OCPBUGS-28850 [* OCPBUGS-28850 *])
    • Bug Fix
    • Done

      Rather than create custom roles per-cluster, as is currently implemented for GCP, ccoctl should create custom roles per-project due to custom role deletion policies. When a custom role is deleted in GCP it continues to exist and contributes to quota for 7 days. Custom roles are not permanently deleted for up to 14 days after deletion ref: https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role.

      Deletion should ignore these per-project custom roles by default and provide an optional flag to delete them.

      Since the custom roles must be created per-project, deltas in permissions must be additive. We can't remove permissions with these restrictions since previous versions may rely on those custom role permissions.

      Post a warning/info message regarding the permission delta so that users are aware that there are extra permissions and they can clean them up possibly if they're sure they aren't being utilized.

              rh-ee-mold Mark Old
              abutcher@redhat.com Andrew Butcher
              Mingxia Huang Mingxia Huang
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: