
Limit use of "iam.serviceAccounts.actAs" permission (Service Account User role) required by Installer


    • Remove "iam.serviceAccounts.actAs" permission as a requirement for GCP deployments
    • OCPSTRAT-1294 - Pre-creation Service Accounts used in GCP deployments
    • 0% To Do, 0% In Progress, 100% Done

      As part of CORS-3267, the installer team confirmed that the "iam.serviceAccounts.actAs" permission (i.e. the Service Account User role) is a requirement that the OpenShift Installer CANNOT remove from the service account passed to the Installer. This is because the Installer needs to attach service accounts to the OCP nodes created at install time, and that permission is required for this purpose.

      However, the OSD team would like to request limiting the use of this "iam.serviceAccounts.actAs" permission, as it gets flagged by the Google Cloud Security Command Center security scan against the OSD-GCP deployment under these vulnerabilities. For more detail on these vulnerabilities and their remediation, please refer to the respective links.

      CCO-285 support for creating a custom role is just a workaround to get rid of the GCP security scan alert; the "iam.serviceAccounts.actAs" and other permissions are still there via a custom role.

      Hence, there needs to be a better solution for limiting the use of the "iam.serviceAccounts.actAs" permission, i.e. the "Service Account User" role.
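      As an added illustration (not code from this ticket or the installer project), the following Python audit lists every principal in a project IAM policy that effectively holds iam.serviceAccounts.actAs, resolving custom roles so that a custom-role workaround of the kind CCO-285 describes is still surfaced rather than hidden. The policy, custom-role definitions, project and principal names are constructed samples, and the set of predefined roles is an assumed partial list.

```python
ACTAS = "iam.serviceAccounts.actAs"

# Predefined GCP roles known to carry iam.serviceAccounts.actAs
# (deliberately a partial list of the roles this check is sure about).
PREDEFINED_ROLES_WITH_ACTAS = {"roles/iam.serviceAccountUser", "roles/owner", "roles/editor"}

# Constructed sample project IAM policy, shaped like the JSON output of
# `gcloud projects get-iam-policy`; project and principal names are made up.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"]},
        {"role": "projects/example-project/roles/ocp_installer_custom",
         "members": ["serviceAccount:installer-custom@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]
}

# Constructed sample custom role definitions keyed by role name, shaped like
# the JSON output of `gcloud iam roles describe`.
SAMPLE_CUSTOM_ROLES = {
    "projects/example-project/roles/ocp_installer_custom": {
        "includedPermissions": ["compute.instances.create", ACTAS],
    },
}


def role_grants_actas(role, custom_roles):
    """True if `role` is a predefined role known to carry actAs, or a custom
    role whose definition lists the permission explicitly."""
    if role in PREDEFINED_ROLES_WITH_ACTAS:
        return True
    definition = custom_roles.get(role, {})
    return ACTAS in definition.get("includedPermissions", [])


def find_actas_holders(policy, custom_roles):
    """Map each principal that effectively holds actAs to the roles granting it.
    Custom roles are resolved so that moving the permission into a custom role
    (the CCO-285 style workaround) does not hide the grant from the audit."""
    holders = {}
    for binding in policy.get("bindings", []):
        if role_grants_actas(binding["role"], custom_roles):
            for member in binding.get("members", []):
                holders.setdefault(member, []).append(binding["role"])
    return holders
```

      Feeding the real `gcloud projects get-iam-policy --format=json` output and the `gcloud iam roles describe --format=json` output of each custom role into these two functions gives the list of principals a reviewer would expect the Security Command Center finding to refer to.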


              Patrick Dillon (padillon)
              Shreyans Mulkutkar (rh-ee-smulkutk)
              Marcos Entenza Garcia
