OpenShift Cloud / OCPCLOUD-1726

Update GCP Credentials Request manifest of the Cluster CAPI Operator to use new API field for requesting permissions


Details

    • Story
    • Resolution: Done
    • Normal
    • openshift-4.15
    • None
    • 3
    • True
    • Leak of custom roles to CI.
    • False
    • OCPSTRAT-243 - Custom roles for GCP Workload Identity
    • CLOUD Ready for Development, CLOUD Sprint 228

    Description

      Evaluate whether any of the GCP predefined roles in the credentials request manifest of the Cluster CAPI Operator grant elevated permissions (more than the operator actually needs). Remove any such predefined role from the spec.predefinedRoles field and replace it with the exact permissions required, listed in the new spec.permissions field.

      The new GCP provider spec for credentials request CR is as follows:

      import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

      type GCPProviderSpec struct {
         metav1.TypeMeta `json:",inline"`
         // PredefinedRoles is the list of GCP predefined roles
         // that the CredentialsRequest requires.
         PredefinedRoles []string `json:"predefinedRoles"`
         // Permissions is the list of GCP permissions required to
         // create a more fine-grained custom role that satisfies the
         // CredentialsRequest.
         // When both Permissions and PredefinedRoles are specified,
         // the service account is granted the union of the permissions
         // from both fields.
         Permissions []string `json:"permissions"`
         // SkipServiceCheck can be set to true to skip the check of whether
         // the services needed by the requested roles or permissions are enabled.
         // +optional
         SkipServiceCheck bool `json:"skipServiceCheck,omitempty"`
      }

      The following command lists the permissions bundled in a GCP predefined role:

      gcloud iam roles describe <role_name>

      Sample output for roles/iam.roleViewer is shown below. The permissions are listed in the "includedPermissions" field.

      [akhilrane@localhost cloud-credential-operator]$ gcloud iam roles describe roles/iam.roleViewer
      description: Read access to all custom roles in the project.
      etag: AA==
      includedPermissions:
      - iam.roles.get
      - iam.roles.list
      - resourcemanager.projects.get
      - resourcemanager.projects.getIamPolicy
      name: roles/iam.roleViewer
      stage: GA
      title: Role Viewer
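      The script below is an added example, not part of this ticket or of the Cluster CAPI Operator / cloud-credential-operator code. It turns the procedure above into a repeatable check: it expands each predefined role through gcloud iam roles describe (parsing the default YAML output exactly as shown above), takes the deduplicated union of the permissions, renders that union as a spec.permissions fragment, and flags permissions that let a holder change IAM bindings or impersonate service accounts. Assumptions: gcloud is on PATH, or GCLOUD names a stand-in; stub_gcloud and roles/example.admin are constructed for the offline demo; ELEVATED_PATTERN is an assumed starting checklist, not a complete definition of "elevated".

```shell
#!/bin/sh
# Added example: expand CredentialsRequest predefinedRoles into the flat
# permission list spec.permissions expects, and flag escalation-relevant ones.
# Not part of the ticket or of any OpenShift operator.
set -eu

# Parse the default YAML output of `gcloud iam roles describe` and print one
# permission per line. Only the includedPermissions block is read.
permissions_from_describe() {
  awk '
    /^includedPermissions:/ { inlist = 1; next }
    inlist && /^- /        { sub(/^- /, ""); print; next }
    inlist                 { inlist = 0 }
  '
}

# Expand one predefined role. GCLOUD may name a stand-in for offline runs.
expand_role() {
  "${GCLOUD:-gcloud}" iam roles describe "$1" | permissions_from_describe
}

# Expand several roles and return the deduplicated union, which is the set a
# custom role built from spec.permissions would have to carry.
expand_roles() {
  for role in "$@"; do
    expand_role "$role"
  done | sort -u
}

# Permissions that change IAM bindings, edit roles, or impersonate service
# accounts. Assumed checklist for review, not an exhaustive definition.
ELEVATED_PATTERN='\.(setIamPolicy|roles\.(create|update|delete)|serviceAccounts\.(actAs|getAccessToken|signBlob|signJwt)|serviceAccountKeys\.create)$'

flag_elevated() {
  grep -E "$ELEVATED_PATTERN" || true
}

# Render stdin (one permission per line) as a spec.permissions YAML fragment.
to_permissions_yaml() {
  echo "  permissions:"
  sed 's/^/  - /'
}

# Constructed stand-in for `gcloud iam roles describe` (args: iam roles describe ROLE).
# Reproduces the roles/iam.roleViewer output above plus a made-up role so the
# escalation check has something to find.
stub_gcloud() {
  case "$4" in
    roles/iam.roleViewer) cat <<'EOF'
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
EOF
    ;;
    roles/example.admin) cat <<'EOF'
includedPermissions:
- iam.roles.get
- iam.serviceAccounts.actAs
- resourcemanager.projects.setIamPolicy
name: roles/example.admin
EOF
    ;;
    *) echo "stub_gcloud: unknown role $4" >&2; return 1 ;;
  esac
}

# Demo against the stub. Unset GCLOUD to query the real project instead.
GCLOUD=stub_gcloud
expand_roles roles/iam.roleViewer roles/example.admin | to_permissions_yaml
echo "# permissions worth a second look before copying into spec.permissions:"
expand_roles roles/iam.roleViewer roles/example.admin | flag_elevated
```

      The union is what a reviewer should compare against what the operator actually calls; anything flagged (or simply unused) is dropped from the list before it becomes the spec.permissions field, rather than being carried over wholesale from the predefined role.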

            People

              joelspeed Joel Speed
              akhilrane Akhil Rane (Inactive)
              Milind Yadav Milind Yadav