- Epic
- Resolution: Done
- Major
- Remove "iam.serviceAccounts.actAs" permission as a requirement for GCP deployments
- BU Product Work
- Done
- OCPSTRAT-1294 - Pre-creation Service Accounts used in GCP deployments
- 0% To Do, 0% In Progress, 100% Done
As part of CORS-3267, the installer team confirmed that the "iam.serviceAccounts.actAs" permission (i.e. the Service Account User role) is a requirement that the OpenShift Installer CANNOT remove from the service account passed to the Installer. The Installer needs to attach service accounts to the OCP nodes it creates at install time, and this permission is required for that purpose.
However, the OSD team would like to request limiting the use of the "iam.serviceAccounts.actAs" permission, as it gets flagged by the Google Cloud Security Command Center security scan against the OSD-GCP deployment under these vulnerabilities. For more detail on these vulnerabilities and their remediation, please refer to the respective links.
The CCO-285 support for creating a custom role is only a workaround that removes the GCP security scan alert; the "iam.serviceAccounts.actAs" and other permissions are still granted via the custom role.
Hence, a better solution is needed for limiting the use of the "iam.serviceAccounts.actAs" permission, i.e. the Service Account User role.
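To make the point about the custom-role workaround concrete, here is an added audit script (not part of this ticket or the installer/CCO code) that reports every member of a project IAM policy who ends up with iam.serviceAccounts.actAs, whether through the predefined Service Account User role or through a custom role that simply bundles the same permission. The policy and custom-role documents are constructed sample data assumed to follow the JSON shape of `gcloud projects get-iam-policy` and `gcloud iam roles describe`; the project and account names are placeholders.

```python
import json

ACTAS = "iam.serviceAccounts.actAs"
# Predefined role this ticket discusses; other predefined roles may also bundle
# actAs and would need their permission lists fetched to be checked the same way.
PREDEFINED_WITH_ACTAS = {"roles/iam.serviceAccountUser"}

# Constructed sample project policy (assumed gcloud get-iam-policy JSON shape).
POLICY_JSON = """
{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:installer@example-proj.iam.gserviceaccount.com"]},
  {"role": "projects/example-proj/roles/ocpInstaller",
   "members": ["serviceAccount:osd-installer@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["user:auditor@example.com"]}
]}
"""

# Constructed sample custom role, keyed by full role name (assumed
# `gcloud iam roles describe` shape): the CCO-285 style workaround role
# no longer carries the Service Account User name but still includes actAs.
CUSTOM_ROLES_JSON = """
{"projects/example-proj/roles/ocpInstaller":
  {"includedPermissions": ["compute.instances.create", "iam.serviceAccounts.actAs"]}}
"""


def grants_actas(role, custom_roles):
    """True if a role grants actAs directly or via its custom permission list."""
    if role in PREDEFINED_WITH_ACTAS:
        return True
    return ACTAS in custom_roles.get(role, {}).get("includedPermissions", [])


def actas_grants(policy, custom_roles):
    """Map each member to the list of roles through which it holds actAs."""
    found = {}
    for binding in policy.get("bindings", []):
        if grants_actas(binding["role"], custom_roles):
            for member in binding.get("members", []):
                found.setdefault(member, []).append(binding["role"])
    return found


def audit(policy_json=POLICY_JSON, custom_roles_json=CUSTOM_ROLES_JSON):
    return actas_grants(json.loads(policy_json), json.loads(custom_roles_json))


if __name__ == "__main__":
    for member, roles in audit().items():
        print(f"{member} holds {ACTAS} via {roles}")
```

Service-account-level IAM policies (bindings set on an individual service account rather than the project) can grant the same permission and should be fed through the same check.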
- relates to: OCPSTRAT-1294 Pre-creation Service Accounts used in GCP deployments (Closed)