-
Epic
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
-
Support for pre-creation of Service Accounts used in GCP deployments
-
False
-
None
-
False
-
-
Not Selected
-
To Do
-
OCPSTRAT-1294 - Pre-creation Service Accounts used in GCP deployments
-
-
100% To Do, 0% In Progress, 0% Done
As an Openshift cluster deployer, I would like to pre-create the service accounts used by the installer in order to minimize the permissions of the service account that the installer will use.
The creation of an Openshift Dedicated cluster on GCP today results in what Google's Security Health Analytics service considers to be "common security vulnerabilities". Successful cluster provisioning requires an IAM service account with a broad set of administrative permissions. Included in this set of permissions are the roles "Service Account Admin" and "Service Account User", setting off the security health detectors SERVICE_ACCOUNT_ROLE_SEPARATION and OVER_PRIVILEGED_SERVICE_ACCOUNT_USER.
Based on the findings of the spikes completed by the CORS and OCM teams, enhancing the installer to support the pre-creation of service accounts used by the installation will remove the need for the installation service account from having the "Service Account Admin" and "Service Account Key Admin" roles.
- incorporates
-
CORS-3267 Spike on removing or limiting the iam.serviceAccounts.actAs requirement on GCP
-
- Closed
-
- is cloned by
-
OCPSTRAT-1294 Pre-creation Service Accounts used in GCP deployments
-
- Refinement
-