Description of problem:
The following document lists the minimum permissions for GCP IPI.
https://docs.openshift.com/container-platform/4.13/installing/installing_gcp/installing-gcp-account.html#minimum-required-permissions-ipi-gcp_installing-gcp-account

The following is additional for cco mode passthrough.

Required roles for using passthrough credentials mode
- Compute Load Balancer Admin
- IAM Role Viewer

The GCP cluster installation used cco mode passthrough and the service account with all of the above roles/permissions, but the GCP cluster install failed.
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-09-09-164123
How reproducible:
always
Steps to Reproduce:
1. Create the service account with the required roles/permissions
2. Configure “credentials_mode: Passthrough” in install-config
3. Create the cluster
Actual results:
The cluster install failed with the following error:

    jianpingshu@jshu-mac hive % oc get co cloud-credential -o yaml
    apiVersion: config.openshift.io/v1
    kind: ClusterOperator
    ......
    status:
      conditions:
      - lastTransitionTime: "2023-09-11T03:27:00Z"
        message: All is well
        reason: AsExpected
        status: "True"
        type: Available
      - lastTransitionTime: "2023-09-11T03:28:04Z"
        message: 7 of 7 credentials requests are failing to sync.
        reason: CredentialsFailing
        status: "True"
        type: Degraded
      - lastTransitionTime: "2023-09-11T03:35:19Z"
        message: 0 of 7 credentials requests provisioned, 7 reporting errors.
        reason: Reconciling
        status: "True"
        type: Progressing
      - lastTransitionTime: "2023-09-11T03:27:00Z"
        message: All is well
        reason: AsExpected
        status: "True"
        type: Upgradeable

Obviously CCO does not have enough permissions to reconcile the CredentialsRequests.
Expected results:
1. Cluster install should be successful
2. The customer document shall be updated with one new section like "Required permissions for using passthrough credentials mode"; the permissions shall be identified first.
Additional info:
- blocks OCPBUGS-17814 Revise Permissions for GCP Shared VPC Installs (Closed)