Uploaded image for project: 'OpenShift Installer'
  1. OpenShift Installer
  2. CORS-1871

Determine and Document the explicit list of required credential permissions for GCP

    • Document the explicit list of required credential permissions for GCP
    • BU Product Work
    • Done
    • OCPSTRAT-250 - Document Cloud Provider Permissions
    • OCPSTRAT-250Document Cloud Provider Permissions
    • 0% To Do, 0% In Progress, 100% Done


      As an administrator, I would like to know the minimum list of required permissions for my credential on GCP and what they're needed for. This will allow me to create a custom role with only minimal permissions needed for installation (Day 1) and also for the operation (Day 2) of OpenShift.


      Today, credential permissions are broadly scoped to seven roles with only one of them being optional:

      • Compute Admin
      • Security Admin
      • Service Account Admin
      • Service Account User
      • Storage Admin
      • DNS Administrator
      • Service Account Key Admin (optional)

      In some organizations, a number of these permissions are tightly controlled by their security teams making it difficult for some users to get the necessary credentials created with the proper set of permissions. Customers need a way to minimally scope the mandatory set of permissions for installing OpenShift (Day 1) and only what is needed for the operation of the cluster (Day 2).

      Why is this important:

      • Many of our customers have security policies in their organizations that restrict credentials to only minimal permissions that conflict with the documented list of permissions needed for OpenShift. Customers need to know the explicit list of permissions minimally needed for deploying and running OpenShift and what they're used for so they can request the right permissions. Without this information, it's blocking the adoption of OpenShift 4 in many cases.

      Lifecycle Information:

      • Core

      Previous Work:


      • Installer [both UPI & IPI Workflows]
      • Control Plane
        • Kube Controller Manager
      • Compute [Managed Identity]
      • Cloud API enabled components
        • Cloud Credential Operator
        • Machine API
        • Internal Registry
        • Ingress
      • ?

      Prioritized epics + deliverables (in scope / not in scope):

      • Document explicit list of required credential permissions for installing (Day 1) OpenShift on GCP using the IPI and UPI deployment workflows and what each of the permissions are used for
      • Document explicit list of required credential permissions for the operation (Day 2) of an OpenShift cluster on GCP and what each of the permissions are used for
      • Verify minimum list of permissions for:
        • Installing on GCP with UPI workflow
        • Installing on GCO with IPI workflow
        • (Day 2) operation of OpenShift cluster on GCP


      Estimate (XS, S, M, L, XL, XXL):

      Customers: All customers deploying OpenShift 4 to GCP

      Open Questions:

              rh-ee-arsen Arkadeep Sen
              kdube@redhat.com Katherine Dubé
              Jianli Wei Jianli Wei
              4 Vote for this issue
              20 Start watching this issue
