OCPBUGS-18770

GCP cluster failed to install with cco mode Passthrough and minimum required GCP permissions


    • No
    • 2
    • OSDOCS Sprint 251
    • 1
    • Rejected
    • False
    • Release Note Not Required
    • In Progress

      Description of problem:

      The following document lists the minimum permissions for GCP IPI.
      https://docs.openshift.com/container-platform/4.13/installing/installing_gcp/installing-gcp-account.html#minimum-required-permissions-ipi-gcp_installing-gcp-account
      
      The following is additional for cco mode passthrough.
      Required roles for using passthrough credentials mode
      - Compute Load Balancer Admin
      - IAM Role Viewer
      
      GCP cluster installation was attempted with cco mode passthrough and the service account with all of the above roles/permissions, but the GCP cluster install failed.

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-09-09-164123

      How reproducible:

      always

      Steps to Reproduce:

      1. Create the service account with the required roles/permissions
      2. Configure “credentials_mode: Passthrough” in install-config
      3. Create the cluster

      Actual results:

      cluster install failed with the following error
      jianpingshu@jshu-mac hive % oc get co cloud-credential -o yaml
      apiVersion: config.openshift.io/v1
      kind: ClusterOperator
      ......
      status:
        conditions:
        - lastTransitionTime: "2023-09-11T03:27:00Z"
          message: All is well
          reason: AsExpected
          status: "True"
          type: Available
        - lastTransitionTime: "2023-09-11T03:28:04Z"
          message: 7 of 7 credentials requests are failing to sync.
          reason: CredentialsFailing
          status: "True"
          type: Degraded
        - lastTransitionTime: "2023-09-11T03:35:19Z"
          message: 0 of 7 credentials requests provisioned, 7 reporting errors.
          reason: Reconciling
          status: "True"
          type: Progressing
        - lastTransitionTime: "2023-09-11T03:27:00Z"
          message: All is well
          reason: AsExpected
          status: "True"
          type: Upgradeable
      
      Obviously CCO does not have enough permissions to reconcile the CredentialsRequests.

      Expected results:

      1. Cluster install should be successful
      2. The customer document shall be updated with a new section such as "Required permissions for using passthrough credentials mode"; the permissions shall be identified first.

      Additional info:

       

            jrouth@redhat.com Jeana Routh
            jshu@redhat.com Jianping Shu
            Jianping Shu Jianping Shu
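One way to identify which permissions are missing, as an added example that is not part of the original report or of the CCO code: it compares the permissions listed in CredentialsRequest manifests with the permissions granted to the install service account. The manifests, request names and granted set are constructed, and the `spec.providerSpec` field layout (`permissions`, `predefinedRoles`) is an assumption.

```python
import json

# Constructed sample input (not from the ticket): trimmed CredentialsRequest
# manifests. The names are hypothetical; the spec.providerSpec layout
# (permissions / predefinedRoles) is an assumption about the GCP provider spec.
SAMPLE_REQUESTS = json.loads("""
[
  {"kind": "CredentialsRequest",
   "metadata": {"name": "example-machine-api-gcp"},
   "spec": {"providerSpec": {"kind": "GCPProviderSpec",
     "permissions": ["compute.instances.create", "compute.instances.list",
                     "iam.serviceAccounts.actAs"]}}},
  {"kind": "CredentialsRequest",
   "metadata": {"name": "example-image-registry-gcs"},
   "spec": {"providerSpec": {"kind": "GCPProviderSpec",
     "permissions": ["storage.buckets.create", "storage.buckets.get"]}}},
  {"kind": "CredentialsRequest",
   "metadata": {"name": "example-roles-only"},
   "spec": {"providerSpec": {"kind": "GCPProviderSpec",
     "predefinedRoles": ["roles/dns.admin"]}}}
]
""")

# Constructed sample: permissions the installer service account holds.
GRANTED = {"compute.instances.create", "compute.instances.list",
           "storage.buckets.get"}


def permission_gaps(requests, granted):
    """Return (gaps, roles_only): per-request missing permissions, and the
    requests that name only predefined roles and so cannot be diffed here."""
    gaps, roles_only = {}, {}
    for cr in requests:
        spec = cr.get("spec", {}).get("providerSpec", {})
        if cr.get("kind") != "CredentialsRequest" or spec.get("kind") != "GCPProviderSpec":
            continue  # ignore other manifests and other clouds
        name = cr["metadata"]["name"]
        wanted = set(spec.get("permissions") or [])
        if not wanted and spec.get("predefinedRoles"):
            roles_only[name] = sorted(spec["predefinedRoles"])
        elif wanted - granted:
            gaps[name] = sorted(wanted - granted)
    return gaps, roles_only


if __name__ == "__main__":
    gaps, roles_only = permission_gaps(SAMPLE_REQUESTS, GRANTED)
    for name, missing in gaps.items():
        print(f"{name}: missing {', '.join(missing)}")
    for name, roles in roles_only.items():
        print(f"{name}: expand roles before comparing: {', '.join(roles)}")
```

The union of the reported gaps is the candidate list for a "required permissions for passthrough mode" section; requests that name only predefined roles have to be expanded to permissions before they can be compared.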