-
Feature
-
Resolution: Done
-
Critical
-
None
As an Openshift cluster deployer, I would like to pre-create the service accounts used by the installer in order to minimize the permissions of the service account that the installer will use.
The creation of an Openshift Dedicated cluster on GCP today results in what Google's Security Health Analytics service considers to be "common security vulnerabilities". Successful cluster provisioning requires an IAM service account with a broad set of administrative permissions. Included in this set of permissions are the roles "Service Account Admin" and "Service Account User", setting off the security health detectors SERVICE_ACCOUNT_ROLE_SEPARATION and OVER_PRIVILEGED_SERVICE_ACCOUNT_USER.
Based on the findings of the spikes completed by the CORS and OCM teams, enhancing the installer to support the pre-creation of service accounts used by the installation will remove the need for the installation service account from having the "Service Account Admin" and "Service Account Key Admin" roles.
Considerations
There will be no backport provided.
- clones
-
CORS-3445 Support for pre-creation of Service Accounts used in GCP deployments
- Closed
- incorporates
-
CORS-3267 Spike on removing or limiting the iam.serviceAccounts.actAs requirement on GCP
- Closed
- is incorporated by
-
CORS-3568 CAPG - allow pre-created ServiceAccounts to be used
- Closed
-
CORS-3567 Determine if GCP nodes require ServiceAccounts
- Closed
- is related to
-
CORS-3448 Limit use of "iam.serviceAccounts.actAs" permission (Service Account User role) required by Installer
- Closed
- relates to
-
RFE-5379 Create OCP cluster over GCP with custom IAM roles
- Accepted
- links to