Bug
Resolution: Done
Normal
4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.21, 4.20.z
Quality / Stability / Reliability
Critical
OSDOCS Sprint 278, OSDOCS Sprint 279
Description of problem:
When installing a cluster into shared VPC (XPN) with manually created credentials, the compute.subnetworks.use permission for the machine-api operator credential must be granted to the host project (XPN installs use networks from a host project and create resources in a service project). It should be added to the docs that this specific permission
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Create a manual credential for the machine-api operator with the compute.subnetworks.use permission on the service project
2. Install the cluster
3. Machines will fail to provision
Actual results:
machine provisions fail
Expected results:
machine provisions
Additional info:
There is not a perfect place to add these docs. https://docs.openshift.com/container-platform/4.17/installing/installing_gcp/installing-gcp-customizations.html#manually-create-iam_installing-gcp-customizations describes how to manually create permissions. It may make sense to add a warning here for XPN installs.
These are the docs for configuring the installer permissions: https://docs.openshift.com/container-platform/4.18/installing/installing_gcp/installing-gcp-account.html#minimum-required-permissions-ipi-gcp-xpn_installing-gcp-account. It may make sense to add a note here that, if they are configuring manual credentials for the cluster, they should create the MAO compute.subnetworks.use permission in the host project.
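A preflight check for the condition this ticket describes, as an added example that is not part of the ticket or the OpenShift documentation. It reads IAM policy documents in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and reports whether the machine-api credential holds compute.subnetworks.use on the host project. The project IDs, service account and custom role names are constructed, and only unconditional project-level bindings are evaluated.

```python
REQUIRED = "compute.subnetworks.use"

def roles_for(policy, member):
    """Roles bound to `member` in a get-iam-policy style document.
    IAM conditions on bindings are not evaluated (assumption: none are set)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def has_permission(policy, role_defs, member, permission=REQUIRED):
    """True if any role bound to `member` includes `permission`.
    role_defs maps role name -> includedPermissions; unknown roles grant nothing."""
    return any(permission in role_defs.get(role, ())
               for role in roles_for(policy, member))

def check_xpn(host_policy, service_policy, role_defs, member):
    """Classify where the machine-api credential holds REQUIRED."""
    if has_permission(host_policy, role_defs, member):
        return "ok"
    if has_permission(service_policy, role_defs, member):
        return "misplaced"  # granted on the service project only: the ticket's case
    return "missing"

# --- constructed sample data (hypothetical projects, account and roles) ---
MAO = "serviceAccount:mao-sa@service-proj.iam.gserviceaccount.com"
ROLE_DEFS = {
    "projects/service-proj/roles/mao_custom":
        ["compute.instances.create", "compute.subnetworks.use"],
    "projects/host-proj/roles/mao_subnet_use": ["compute.subnetworks.use"],
}
SERVICE_POLICY = {"bindings": [
    {"role": "projects/service-proj/roles/mao_custom", "members": [MAO]}]}
HOST_POLICY_BEFORE = {"bindings": []}
HOST_POLICY_AFTER = {"bindings": [
    {"role": "projects/host-proj/roles/mao_subnet_use", "members": [MAO]}]}

if __name__ == "__main__":
    for label, host in (("before", HOST_POLICY_BEFORE),
                        ("after", HOST_POLICY_AFTER)):
        print(label, check_xpn(host, SERVICE_POLICY, ROLE_DEFS, MAO))
```
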