OpenShift Installer / CORS-4231

Relax the firewall create/delete permissions for non-XPN OpenShift on Google Cloud

    • Type: Epic
    • Resolution: Unresolved
    • Status: In Progress
    • Product / Portfolio Work
    • Progress: 0% To Do, 50% In Progress, 50% Done
    • Color: Yellow

      10/22/2025 -  Yellow/Green

      The PR for the upstream changes to the cloud-provider-gcp has been opened and is waiting for reviews. After this work is merged into the provider, OpenShift will need to pull it into its fork. Then the installer can pass along the new variables via the cloud provider manifest.

      The installer work is all on schedule now and some has already merged. 


      10/17/2025 - Yellow/Green

      The initial PRs are open for the installer side. CAPG work was completed to remove the permission requirement for the firewall rule creation by allowing the user to specify (in the spec) that they do not wish to create firewall rules. There is upstream work required, and that is the next step.


      Feature Overview (aka. Goal Summary)  

      OSD team is tracking a customer RFE where several "overly permissive" permissions granted to out-of-the-box OpenShift components are being reduced. The overall effort is tracked as part of the OSD feature: https://issues.redhat.com/browse/XCMSTRAT-1323

      One of the requirements is to remove the 'compute.firewalls.create' and 'compute.firewalls.delete' permissions currently required by the GCP Cloud Controller Manager (CCM). Requiring them conflicts with enterprise security policies that enforce least privilege and centralize network security management. Therefore, Red Hat must relax these firewall permissions and instead provide a workflow for users to pre-create the firewall rules and bring them into the OpenShift provisioning flow.

      Bringing pre-created firewall rules into the provisioning flow is already supported for XPN (Shared VPC) deployments on GCP, but not for non-XPN deployments.

      Goals (aka. expected user outcomes)

      • Customers can deploy and manage OpenShift on Google Cloud without granting overly permissive firewall permissions, thereby gaining direct control over firewall rules to meet their least-privilege security policies.

      Requirements (aka. Acceptance Criteria):

      • OpenShift must be updated to remove the 'compute.firewalls.create' and 'compute.firewalls.delete' permissions from the GCP Cloud Controller Manager roles
      • Provide a documented and supported workflow for customers to pre-create the necessary firewall rules required for an OpenShift cluster to function correctly (day-1 install as well as day-2 scenarios)
      • The cluster provisioning flow must be able to use these pre-created firewall rules during cluster installation in both XPN (Shared VPC) and non-XPN deployments.
        • This is supported in XPN, but if certain changes are added as part of this feature, the functionality and UX should be consistent in both XPN and non-XPN deployments.
      • When rolled out, the above requirements should work for new cluster installs as well as on existing clusters. In other words, customers should be able to remove the firewall permissions from existing clusters without any issues.
      • All of the above requirements should work for self-managed and managed flavors of OpenShift on Google Cloud, and on all supported versions of OpenShift.


      Deployment considerations                                                          | List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both                                                     | both
      Classic (standalone cluster)                                                       | Classic
      Hosted control planes                                                              | N/A
      Multi node, Compact (three node), or Single node (SNO), or all                     | all
      Connected / Restricted Network                                                     |
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) |
      Operator compatibility                                                             |
      Backport needed (list applicable versions)                                         | all supported versions of OpenShift
      UI need (e.g. OpenShift Console, dynamic plugin, OCM)                              |
      Other (please specify)                                                             |

      Use Cases (Optional):

      <your text here>

      Questions to Answer (Optional):

      <your text here>

      Out of Scope

      <your text here>

      Background


      The following permissions are currently required by the Installer and the CCM (the elided lines are other permissions in the same roles). Ref: OSD WIF config

      ...
          roles:
            - id: osd_deployer_v4.19
              kind: Role
      ...
                - compute.firewalls.create
                - compute.firewalls.delete
                - compute.firewalls.get
                - compute.firewalls.list
      ...
          roles:
            - id: gcp_cloud_controller_manager_v4.19
              kind: Role
              permissions:
      ...
                - compute.firewalls.create
                - compute.firewalls.delete
                - compute.firewalls.get
                - compute.firewalls.update
      ...
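      The following is an added example, not code from the installer, the OSD WIF config, or Red Hat. It shows how a platform team could audit role definitions written in the roles/id/kind/permissions YAML shape shown above, report which roles still grant the two firewall mutation permissions, and emit a relaxed copy that keeps the read and update permissions the CCM still uses. The parser handles only that YAML subset (it is not a general YAML parser), and the sample role text is constructed from the permissions visible on this page, not a complete role.

```python
"""Audit WIF-style role definitions for compute.firewalls.create/delete.

Added example, not the installer's or the OSD WIF config's own code. It
assumes roles are written in the roles -> id/kind/permissions YAML subset
shown on the page; the sample below is constructed from that snippet.
"""

# The two permissions this feature removes from the installer and CCM roles.
FIREWALL_MUTATION = {"compute.firewalls.create", "compute.firewalls.delete"}

# Constructed sample modelled on the page's snippet. Only the firewall
# permissions visible on the page are listed, so these are not full roles.
SAMPLE_WIF_CONFIG = """\
roles:
  - id: osd_deployer_v4.19
    kind: Role
    permissions:
      - compute.firewalls.create
      - compute.firewalls.delete
      - compute.firewalls.get
      - compute.firewalls.list
  - id: gcp_cloud_controller_manager_v4.19
    kind: Role
    permissions:
      - compute.firewalls.create
      - compute.firewalls.delete
      - compute.firewalls.get
      - compute.firewalls.update
"""


def parse_roles(text):
    """Line-oriented parser for the roles/id/kind/permissions subset.

    A '- id:' line starts a new role, 'permissions:' switches to collecting
    '- <permission>' lines, 'kind:' is recorded, and anything else (including
    the top-level 'roles:' key and comments) is ignored. Indentation is not
    validated, which is enough for this subset but not for arbitrary YAML.
    """
    roles = []
    current = None
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- id:"):
            current = {"id": line.split(":", 1)[1].strip(), "kind": "", "permissions": []}
            roles.append(current)
            collecting = False
        elif current is None:
            continue
        elif line.startswith("kind:"):
            current["kind"] = line.split(":", 1)[1].strip()
        elif line == "permissions:":
            collecting = True
        elif collecting and line.startswith("- "):
            current["permissions"].append(line[2:].strip())
    return roles


def audit_roles(roles):
    """Map role id -> sorted firewall mutation permissions it still grants."""
    findings = {}
    for role in roles:
        offending = sorted(FIREWALL_MUTATION.intersection(role["permissions"]))
        if offending:
            findings[role["id"]] = offending
    return findings


def relax_roles(roles):
    """Return copies of the roles with create/delete removed.

    Read (get/list) and update permissions are kept untouched, since the
    feature only targets the two mutation permissions.
    """
    return [
        {**role, "permissions": [p for p in role["permissions"] if p not in FIREWALL_MUTATION]}
        for role in roles
    ]


def render_roles(roles):
    """Serialise back to the same YAML subset so the result can be diffed."""
    lines = ["roles:"]
    for role in roles:
        lines.append(f"  - id: {role['id']}")
        lines.append(f"    kind: {role['kind']}")
        lines.append("    permissions:")
        lines.extend(f"      - {p}" for p in role["permissions"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_WIF_CONFIG)
    for role_id, perms in audit_roles(parsed).items():
        print(f"{role_id}: still grants {', '.join(perms)}")
    print(render_roles(relax_roles(parsed)))
```

      Running the script against a role file before and after the change gives a quick regression check: an empty audit result on the relaxed output is the condition a pre-create-firewall-rules workflow relies on, while the round trip through render_roles makes the relaxed roles easy to diff against the originals.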


      Customer Considerations


      Customers should be able to consume the improved security posture delivered by this feature for existing as well as new clusters. 

      People: Brent Barbachem (rh-ee-bbarbach), Linh Nguyen (linnguye.openshift), Jianli Wei