Bug
Resolution: Obsolete
Critical
4.21
Quality / Stability / Reliability
Important
Proposed
Installer Sprint 279, Installer Sprint 280
Description of problem:
Installing into a Shared VPC with CCO in Manual mode and using minimal permissions failed during "Destroying GCP Bootstrap Resources", because it tries to delete the <infra_id>-bootstrap-in-ssh firewall rule, which doesn't exist.
Version-Release number of selected component (if applicable):
4.21.0-0.nightly-multi-2025-10-27-013521
How reproducible:
Always
Steps to Reproduce:
1. "create install-config", then insert the interested settings (see [1])
2. create the credentials using "ccoctl", please refer to OCP document https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/installing_on_gcp/installing-gcp-customizations#installing-gcp-with-short-term-creds_installing-gcp-customizations
3. enable the service account which has minimal permissions, in particular no permission to create firewall rule in the host project (see [2])
4. "create cluster" (see [3])
Actual results:
level=info msg=Destroying the bootstrap resources...
level=warning msg=Destroying GCP Bootstrap Resources
level=fatal msg=error destroying bootstrap resources failed during the destroy bootstrap hook: failed to remove bootstrap firewall rules: failed to delete ci-op-s83i43jz-02beb-zj7j9-bootstrap-in-ssh firewall rule: googleapi: Error 404: The resource 'projects/XXXXXXXXXXXX-shared-vpc/global/firewalls/ci-op-s83i43jz-02beb-zj7j9-bootstrap-in-ssh' was not found, notFound
Expected results:
It should skip deleting the bootstrap-in-ssh firewall rule, as there is no compute.firewalls.create permission.
Additional info:
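
An added example, not part of the original report and not the installer's own code: a cleanup step that treats a 404 on the bootstrap-in-ssh rule as "nothing to delete" while still surfacing other errors such as 403. This tolerates notFound on delete, which is a different approach from the permission-based skip suggested above. `apiError`, `fakeHostProject`, `removeBootstrapFirewallRule`, the project name and the infra ID are hypothetical stand-ins so the block runs with the standard library only.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// apiError is a stand-in (assumption) for the GCP client's HTTP error type.
type apiError struct {
	Code    int
	Message string
}
func (e *apiError) Error() string { return fmt.Sprintf("Error %d: %s", e.Code, e.Message) }

// fakeHostProject is a constructed in-memory host project, not a real API client.
type fakeHostProject struct {
	rules  map[string]bool
	denied bool
}

func (f *fakeHostProject) Delete(project, name string) error {
	if f.denied {
		return &apiError{http.StatusForbidden, "permission denied"}
	}
	if !f.rules[name] {
		return &apiError{http.StatusNotFound, "The resource '" + name + "' was not found"}
	}
	delete(f.rules, name)
	return nil
}

// removeBootstrapFirewallRule (hypothetical) reports whether a rule was deleted.
func removeBootstrapFirewallRule(del func(project, name string) error, project, infraID string) (bool, error) {
	name := infraID + "-bootstrap-in-ssh"
	err := del(project, name)
	var apiErr *apiError
	if errors.As(err, &apiErr) && apiErr.Code == http.StatusNotFound {
		return false, nil // never created, or already gone: nothing to clean up
	}
	if err != nil {
		return false, fmt.Errorf("failed to delete %s firewall rule: %w", name, err)
	}
	return true, nil
}

func main() {
	host := &fakeHostProject{rules: map[string]bool{}} // constructed: rule was never created
	fmt.Println(removeBootstrapFirewallRule(host.Delete, "host-project-placeholder", "example-infra"))
}
```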