OpenShift Bugs / OCPBUGS-41921

[DOC] Update the roles required by the CCO in GCP

    • Important
    • None
    • False

      Description of problem:

      When upgrading an OCP cluster running on OCP to 4.14, the CCO fails with "Detected some unallowed permissions".

       

      Version-Release number of selected component (if applicable):

      4.14

       

      Actual results:

      The documented permissions are in [1], but they are not complete, at least for 4.14+.

       

      Expected results:

      Update the documentation with the missing permissions.

       

      Additional info:

      The roles required by the `credentialsrequest` in 4.14 cluster are:
      
      $ oc get credentialsrequest -n openshift-cloud-credential-operator -o yaml | grep "\- roles" | sort -n | uniq -c
            2       - roles/compute.admin
            2       - roles/compute.instanceAdmin
            1       - roles/compute.loadBalancerAdmin
            1       - roles/compute.storageAdmin
            1       - roles/dns.admin
            1       - roles/iam.roleViewer
            1       - roles/iam.securityReviewer
            3       - roles/iam.serviceAccountUser
            1       - roles/resourcemanager.tagUser
            1       - roles/storage.admin
      
      There are several of those roles missing in the documentation.
      

       

      [1] https://docs.openshift.com/container-platform/4.14/installing/installing_gcp/installing-gcp-account.html#installation-gcp-permissions_installing-gcp-account

              jrouth@redhat.com Jeana Routh
              oarribas@redhat.com Oscar Arribas Arribas
              Jianping Shu Jianping Shu
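
A pre-upgrade check built on the command in the report, as an added example that is not part of the original report or of the CCO project: it extracts the distinct roles from CredentialsRequest YAML and prints those absent from a list of roles already granted. The function names, the granted-roles file and the sample YAML are constructed for illustration.

```shell
#!/bin/sh
# Added example: which roles requested by CredentialsRequests are not in a
# given list of granted roles? File names and sample data are constructed.

# Print each distinct "- roles/..." list entry found in YAML on stdin
# (the same lines the grep in the report matches).
required_roles() {
  sed -n 's|^[[:space:]]*-[[:space:]]*\(roles/[A-Za-z0-9_.]*\)[[:space:]]*$|\1|p' | sort -u
}

# missing_roles GRANTED_FILE: YAML on stdin; prints required roles that are
# not listed (one per line, exact match) in GRANTED_FILE.
missing_roles() {
  # grep exits 1 when nothing is missing; treat only that case as success.
  required_roles | { grep -Fvx -f "$1" || [ $? -eq 1 ]; }
}

# Constructed sample standing in for `oc get credentialsrequest -o yaml`.
sample_credentialsrequests() {
  cat <<'EOF'
items:
- kind: CredentialsRequest
  metadata:
    name: example-a
  spec:
    providerSpec:
      kind: GCPProviderSpec
      predefinedRoles:
      - roles/compute.admin
      - roles/iam.serviceAccountUser
- kind: CredentialsRequest
  metadata:
    name: example-b
  spec:
    providerSpec:
      kind: GCPProviderSpec
      predefinedRoles:
      - roles/iam.serviceAccountUser
      - roles/resourcemanager.tagUser
      - roles/storage.admin
EOF
}

granted=$(mktemp)   # constructed list of roles already granted
printf '%s\n' roles/compute.admin roles/iam.serviceAccountUser roles/storage.admin >"$granted"
sample_credentialsrequests | missing_roles "$granted"   # prints roles/resourcemanager.tagUser
rm -f "$granted"
```

Against a live cluster, pipe the output of `oc get credentialsrequest -n openshift-cloud-credential-operator -o yaml` into `missing_roles` with a file holding one granted role per line.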