OpenShift Cloud: OCPCLOUD-3117

Relax the firewall create/delete permissions for non-XPN OpenShift on Google Cloud


    • Type: Epic
    • Resolution: Unresolved
    • Product / Portfolio Work
    • Progress: 100% To Do, 0% In Progress, 0% Done
      Feature Overview (aka. Goal Summary)  

      The OSD team is tracking a customer RFE to reduce several "overly permissive" permissions granted to out-of-the-box OpenShift components. The overall effort is tracked as part of the OSD feature: https://issues.redhat.com/browse/XCMSTRAT-1323

      One of the requirements is to remove the 'compute.firewalls.create' and 'compute.firewalls.delete' permissions currently required by the GCP Cloud Controller Manager (CCM). Granting them conflicts with enterprise security policies that enforce least privilege and centralize network security management. Therefore, Red Hat must relax these firewall permissions and instead provide a workflow for users to pre-create the firewall rules and bring them into the OpenShift provisioning flow.

      Such a pre-created-rules workflow is already supported for XPN (Shared VPC) deployments on GCP, but not for non-XPN deployments.

      Goals (aka. expected user outcomes)

      • Customers can deploy and manage OpenShift on Google Cloud without granting overly permissive firewall permissions, thereby gaining direct control over firewall rules to meet their least-privilege security policies.

      Requirements (aka. Acceptance Criteria):

      • OpenShift must be updated to remove the 'compute.firewalls.create' and 'compute.firewalls.delete' permissions from the GCP Cloud Controller Manager roles.
      • Provide a documented and supported workflow for customers to pre-create the necessary firewall rules required for an OpenShift cluster to function correctly (day-1 install as well as day-2 scenarios)
      • The cluster provisioning flow must be able to use these pre-created firewall rules during cluster installation in both XPN (Shared VPC) and non-XPN deployments.
        • This is supported in XPN, but if certain changes are added as part of this feature, the functionality and UX should be consistent in both XPN and non-XPN deployments.
      • When rolled out, the above requirements should work for new cluster installs as well as on existing clusters. In other words, customers should be able to remove the firewall permissions from an existing cluster without any issues.
      • All of the above requirements should work for self-managed and managed flavors of OpenShift on Google Cloud, and on all supported versions of OpenShift.


      Deployment considerations (list applicable specific needs; N/A = not applicable):
      Self-managed, managed, or both: both
      Classic (standalone cluster): Classic
      Hosted control planes: N/A
      Multi node, Compact (three node), or Single node (SNO), or all: all
      Connected / Restricted Network:
      Architectures (e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), IBM Z (s390x)):
      Operator compatibility:
      Backport needed (list applicable versions): all supported versions of OpenShift
      UI need (e.g. OpenShift Console, dynamic plugin, OCM):
      Other (please specify):

      Background

      Provide any additional context that is needed to frame the feature.  Initial completion during Refinement status.

      The following permissions are required by the Installer and the CCM (ref: OSD WIF config):

      .
      .
          roles:
            - id: osd_deployer_v4.19
              kind: Role
      .
      .
                - compute.firewalls.create
                - compute.firewalls.delete
                - compute.firewalls.get
                - compute.firewalls.list
      .
      .
          roles:
            - id: gcp_cloud_controller_manager_v4.19
              kind: Role
              permissions:
      .
      .
                - compute.firewalls.create
                - compute.firewalls.delete
                - compute.firewalls.get
                - compute.firewalls.update
      .
      .
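An added example (not code from the ticket or from the OSD WIF config itself) that audits a WIF role definition for the two permissions this epic removes from the CCM and produces the relaxed permission list. The YAML sample is constructed to mirror the layout quoted above, and the hand-rolled parser covers only that subset, so no PyYAML dependency is needed.

```python
"""Audit a GCP WIF role config for the firewall permissions this epic removes from the CCM."""

# The two permissions OCPCLOUD-3117 wants dropped from the CCM role.
FIREWALL_MUTATING = {"compute.firewalls.create", "compute.firewalls.delete"}

# Constructed sample mirroring the layout of the OSD WIF config quoted in the ticket
# (not the real file; only firewall-related permissions are listed).
SAMPLE_WIF_CONFIG = """\
roles:
  - id: osd_deployer_v4.19
    kind: Role
    permissions:
      - compute.firewalls.create
      - compute.firewalls.delete
      - compute.firewalls.get
      - compute.firewalls.list
  - id: gcp_cloud_controller_manager_v4.19
    kind: Role
    permissions:
      - compute.firewalls.create
      - compute.firewalls.delete
      - compute.firewalls.get
      - compute.firewalls.update
"""

def parse_roles(text: str) -> dict[str, list[str]]:
    """Minimal line parser for the 'roles:' subset shown above (not a general YAML parser)."""
    roles: dict[str, list[str]] = {}
    current, in_perms = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- id:"):           # start of a new role entry
            current = line.split(":", 1)[1].strip()
            roles[current] = []
            in_perms = False
        elif line == "permissions:":            # permission list follows
            in_perms = True
        elif in_perms and current is not None and line.startswith("- "):
            roles[current].append(line[2:].strip())
    return roles

def firewall_findings(roles: dict[str, list[str]]) -> dict[str, list[str]]:
    """Report, per role, which mutating firewall permissions it still carries."""
    return {rid: sorted(FIREWALL_MUTATING & set(perms))
            for rid, perms in roles.items() if FIREWALL_MUTATING & set(perms)}

def relaxed_permissions(roles: dict[str, list[str]], role_id: str) -> list[str]:
    """Permission list for role_id with create/delete removed; get/update/list are kept."""
    return [p for p in roles[role_id] if p not in FIREWALL_MUTATING]
```

Run `firewall_findings(parse_roles(...))` against the real WIF config to confirm which roles still grant create/delete after the relaxation is rolled out.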

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      Customers should be able to consume the improved security posture delivered by this feature on existing as well as new clusters.

              ddonati@redhat.com Damiano Donati
              linnguye.openshift Linh Nguyen