Feature
Resolution: Done
Critical
Strategic Product Work
OCPSTRAT-10 Install and update OpenShift on Infrastructure Providers
0% To Do, 0% In Progress, 100% Done
Program Call
BU Priority Overview
Create custom roles for GCP with minimal set of required permissions.
Goals
Enable customers to better scope credential permissions and create custom roles on GCP that only include the minimum subset of what is needed for OpenShift.
State of the Business
Some of the service accounts that CCO creates, e.g. the service account with the role roles/iam.serviceAccountUser, provide elevated permissions that are not required or used by the requesting OpenShift components. This is because we use predefined roles for GCP, which come with a bunch of additional permissions. The goal is to create custom roles with only the required permissions.
Execution Plans
TBD
- is depended on by
  - HIVE-2262 [OSD-GCP]: Hive changes for supporting GCP Workload Identity Federation (WIF) (Closed)
  - OCPSTRAT-469 Install and upgrade OpenShift with GCP Workload Identity (Closed)
- is related to
  - OCPBUGS-28231 Guard mint-mode GCP 4.14 to 4.15 on sufficient creds (Closed)
- is triggering
  - OCPSTRAT-922 CloudCredentialOperator-based flow for OLM-managed operators and GCP WIF (Closed)
- relates to
  - CORS-1871 Determine and Document the explicit list of required credential permissions for GCP (Release Pending)
  - OCPBUGS-23178 cloud-credential-operator cannot add new grants to deleted gcp role (Closed)
  - OCPBUGS-24613 GCP error syncing creds in mint-mode, can't create a role_id which has been marked for deletion (Closed)
  - OCPBUGS-24684 CIRO should use granular roles on GCP (Closed)
  - OCPBUGS-25655 [gcp] perms errors (Closed)
  - OCPSTRAT-250 Document Cloud Provider Permissions (Closed)