Uploaded image for project: 'OpenShift Installer'
  1. OpenShift Installer
  2. CORS-3445

Support for pre-creation of Service Accounts used in GCP deployments

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Major Major
    • None
    • None
    • None
    • Support for pre-creation of Service Accounts used in GCP deployments
    • BU Product Work
    • False
    • None
    • False
    • Hide
      By pre-creating the service accounts that the cluster will use, the installer can deploy OCP clusters versions 4.14 and later on the GCP platform with an installation service account that does not have the "Service Account Admin" role and "Service Account Key Admin" role.
      Show
      By pre-creating the service accounts that the cluster will use, the installer can deploy OCP clusters versions 4.14 and later on the GCP platform with an installation service account that does not have the "Service Account Admin" role and "Service Account Key Admin" role.
    • Not Selected
    • Done
    • OCPSTRAT-1294 - Pre-creation Service Accounts used in GCP deployments
    • OCPSTRAT-1294Pre-creation Service Accounts used in GCP deployments
    • 0% To Do, 0% In Progress, 100% Done

      As an Openshift cluster deployer, I would like to pre-create the service accounts used by the installer in order to minimize the permissions of the service account that the installer will use.

       

      The creation of an Openshift Dedicated cluster on GCP today results in what Google's Security Health Analytics service considers to be "common security vulnerabilities". Successful cluster provisioning requires an IAM service account with a broad set of administrative permissions. Included in this set of permissions are the roles "Service Account Admin" and "Service Account User", setting off the security health detectors SERVICE_ACCOUNT_ROLE_SEPARATION and OVER_PRIVILEGED_SERVICE_ACCOUNT_USER.

      Based on the findings of the spikes completed by the CORS and OCM teams, enhancing the installer to support the pre-creation of service accounts used by the installation will remove the need for the installation service account from having the "Service Account Admin" and "Service Account Key Admin" roles. 

       

       

              Unassigned Unassigned
              rcampos2020 Renan Campos
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: