Goal:

As an administrator, I would like to know the minimum list of required permissions for my credential on GCP and what they're needed for. This will allow me to create a custom role with only minimal permissions needed for installation (Day 1) and also for the operation (Day 2) of OpenShift.

Problem:

Today, credential permissions are broadly scoped to seven roles with only one of them being optional:

• Compute Admin
• Security Admin
• Service Account Admin
• Service Account User
• Storage Admin
• DNS Administrator
• Service Account Key Admin (optional)

In some organizations, a number of these permissions are tightly controlled by their security teams making it difficult for some users to get the necessary credentials created with the proper set of permissions. Customers need a way to minimally scope the mandatory set of permissions for installing OpenShift (Day 1) and only what is needed for the operation of the cluster (Day 2).

Why is this important:

• Many of our customers have security policies in their organizations that restrict credentials to only minimal permissions that conflict with the documented list of permissions needed for OpenShift. Customers need to know the explicit list of permissions minimally needed for deploying and running OpenShift and what they're used for so they can request the right permissions. Without this information, it's blocking the adoption of OpenShift 4 in many cases.

Lifecycle Information:

• Core

Previous Work:

• OpenShift Product Documentation: https://docs.openshift.com/container-platform/4.5/installing/installing_gcp/installing-gcp-account.html
• (WIP) Component credential request manifests: https://docs.google.com/document/d/16HM0hdywnn2mGBxSFZLwgtOiwtg_zp9MsDs9fspXOCM/edit

Dependencies:

• Installer [both UPI & IPI Workflows]
• Control Plane
  • Kube Controller Manager
• Compute [Managed Identity]
• Cloud API enabled components
  • Cloud Credential Operator
  • Machine API
  • Internal Registry
  • Ingress
• ?

Prioritized epics + deliverables (in scope / not in scope):

• Document explicit list of required credential permissions for installing (Day 1) OpenShift on GCP using the IPI and UPI deployment workflows and what each of the permissions are used for
• Document explicit list of required credential permissions for the operation (Day 2) of an OpenShift cluster on GCP and what each of the permissions are used for
• Verify minimum list of permissions for:
  • Installing on GCP with UPI workflow
  • Installing on GCO with IPI workflow
  • (Day 2) operation of OpenShift cluster on GCP

Related:

Estimate (XS, S, M, L, XL, XXL):

Customers: All customers deploying OpenShift 4 to GCP

Open Questions: