Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-408

Update GCP Credentials Request manifest of the Cluster Image Registry Operator to use new API field for requesting permissions

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Critical
    • openshift-4.16
    • None
    • None
    • None
    • Sprint 244, Sprint 245, Sprint 246

    Description

      Evaluate if any of the GCP predefined roles in the credentials request manifest of Cluster Image Registry Operator give elevated permissions. Remove any such predefined role from spec.predefinedRoles field and replace it with required permissions in the new spec.permissions field.

      The new GCP provider spec for credentials request CR is as follows:

      type GCPProviderSpec struct {
   metav1.TypeMeta `json:",inline"`
   // PredefinedRoles is the list of GCP pre-defined roles
   // that the CredentialsRequest requires.
   PredefinedRoles []string `json:"predefinedRoles"`
   // Permissions is the list of GCP permissions required to
   // create a more fine-grained custom role to satisfy the
   // CredentialsRequest.
   // When both Permissions and PredefinedRoles are specified
   // service account will have union of permissions from
   // both the fields
   Permissions []string `json:"permissions"`
   // SkipServiceCheck can be set to true to skip the check whether the requested roles or permissions
   // have the necessary services enabled
   // +optional
   SkipServiceCheck bool `json:"skipServiceCheck,omitempty"`
}

      we can use the following command to check permissions associated with a GCP predefined role

      gcloud iam roles describe <role_name>

       

      The sample output for role roleViewer is as follows. The  permission are listed in "includedPermissions" field.

      [akhilrane@localhost cloud-credential-operator]$ gcloud iam roles describe roles/iam.roleViewer
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA

      Attachments

        Issue Links

          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-28850 Implement per-project custom role creation in ccoctl

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is incorporated by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-285 GCP openshift role granularity enhancement - phase 2

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-24684 CIRO should use granular roles on GCP

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-25038 CIRO should use granular roles on GCP

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          Web Link https://github.com/openshift/cluster-image-registry-operator/pull/965

          GitHub openshift/cluster-image-registry-operator#935: IR-408: request individual permissions for gcs

          GitHub openshift/cluster-image-registry-operator#967: CCO-248: Revert "Merge pull request #965 from jstuever/TRT-1368"

          GitHub openshift/cluster-image-registry-operator#972: [release-4.15] OCPBUGS-24684: Revert "Merge pull request #965 from jstuever/TRT-1368"

          Activity

            People

              fmissi Flavian Missi
              akhilrane Akhil Rane (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: