Bug
Resolution: Done-Errata
Major
4.15, 4.16
Description of problem
The Ingress Operator should use granular roles in its CredentialsRequest per CCO-249. A change to use granular roles merged after the release-4.15 branch cut. This change needs to be backported for 4.15.0.
Version-Release number of selected component (if applicable)
4.15.0
How reproducible
Easily.
Steps to Reproduce
1. Launch an OCP 4.15 cluster on GCP.
2. Check the ingress operator's CredentialsRequest:
   oc get -n openshift-cloud-credential-operator credentialsrequests/openshift-ingress-gcp -o yaml
Actual results
The CredentialsRequest uses a predefined role:
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/dns.admin
Expected results
The CredentialsRequest should specify the individual permissions that the operator requires:
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    permissions:
    - dns.changes.create
    - dns.resourceRecordSets.create
    - dns.resourceRecordSets.update
    - dns.resourceRecordSets.delete
    - dns.resourceRecordSets.list
Additional info
https://github.com/openshift/cluster-ingress-operator/pull/844 merged in the master branch for 4.16 and needs to be backported to the release-4.15 branch.
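One way to check a cluster for the condition described above, as an added example that is not part of the original report or the operator's code: it audits parsed `oc get credentialsrequests -o json` output and flags GCP specs that still use `predefinedRoles` or request permissions outside the expected list. The function names, the sample objects and the second object's name are assumptions made for illustration.

```python
import json
import sys

# Permissions the report lists under "Expected results".
EXPECTED = {
    "dns.changes.create",
    "dns.resourceRecordSets.create",
    "dns.resourceRecordSets.update",
    "dns.resourceRecordSets.delete",
    "dns.resourceRecordSets.list",
}

def audit(doc, expected=EXPECTED):
    """Return one finding per GCP CredentialsRequest in parsed `oc ... -o json` output."""
    findings = []
    for item in doc.get("items", [doc]):  # accept a List or a single object
        spec = item.get("spec", {}).get("providerSpec", {})
        if spec.get("kind") != "GCPProviderSpec":
            continue  # only GCP provider specs are in scope here
        roles = spec.get("predefinedRoles") or []
        perms = set(spec.get("permissions") or [])
        findings.append({
            "name": item.get("metadata", {}).get("name", "<unnamed>"),
            "granular": bool(perms) and not roles,
            "predefined_roles": roles,
            "unexpected": sorted(perms - expected),
            "missing": sorted(expected - perms),
        })
    return findings

def gcp_spec(name, **fields):
    """Build a constructed CredentialsRequest for the sample below (hypothetical helper)."""
    return {"metadata": {"name": name},
            "spec": {"providerSpec": {"kind": "GCPProviderSpec", **fields}}}

# Constructed sample: the "actual" and "expected" specs from the report.
# The second object's name is hypothetical.
SAMPLE = {"items": [
    gcp_spec("openshift-ingress-gcp", predefinedRoles=["roles/dns.admin"]),
    gcp_spec("openshift-ingress-gcp-granular", permissions=sorted(EXPECTED)),
]}

if __name__ == "__main__":
    # Pass a file saved from `oc get credentialsrequests -o json`, or run bare for the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit(doc):
        status = "OK" if f["granular"] and not f["unexpected"] else "REVIEW"
        print(status, json.dumps(f))
```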
- clones: OCPBUGS-26543 Ingress operator should use granular roles on GCP (Closed)
- depends on: OCPBUGS-26543 Ingress operator should use granular roles on GCP (Closed)
- relates to: CCO-249 Update GCP Credentials Request manifest of the Cluster Ingress Operator to use new API field for requesting permissions (Closed)
- links to: RHSA-2023:7198 OpenShift Container Platform 4.15 security update