Loading...

XML

Word

Printable

Type: Feature
Resolution: Done
Priority: Critical
Fix Version/s: openshift-4.15
Affects Version/s: None
Component/s: CCO, Install
Labels:
- 4.15-candidate
- GCP
- cco

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Parent Link:
OCPSTRAT-10Install and update OpenShift on Infrastructure Providers
Hierarchy Progress:
100
Hierarchy Progress Bar:

100% 100%
Target Version:

openshift-4.15

RICE Score:
0
Risk Score:
0

Discussion Needed:

Program Call

SFDC Cases Links:
SFDC Cases Counter:

PX Priority Data:
PX Technical Impact:
PX Impact Range:
PX Review Complete:

Intelligence Requested:
Market:

BU Priority Overview

Create custom roles for GCP with minimal set of required permissions.

Goals

Enable customers to better scope credential permissions and create custom roles on GCP that only include the minimum subset of what is needed for OpenShift.

State of the Business

Some of the service accounts that CCO creates, e.g. service account with role roles/iam.serviceAccountUser provides elevated permissions that are not required/used by the requesting OpenShift components. This is because we use predefined roles for GCP that come with bunch of additional permissions. The goal is to create custom roles with only the required permissions.

Execution Plans

TBD

is depended on by

HIVE-2262 [OSD-GCP]: Hive changes for supporting GCP Workload Identity Federation (WIF)

Closed

OCPSTRAT-469 Install and upgrade OpenShift with GCP Workload Identity

Closed

is related to

OCPBUGS-28231 Guard mint-mode GCP 4.14 to 4.15 on sufficient creds

Closed

is triggering

OCPSTRAT-922 CloudCredentialOperator-based flow for OLM-managed operators and GCP WIF

relates to

CORS-1871 Determine and Document the explicit list of required credential permissions for GCP

Release Pending

OCPBUGS-23178 cloud-credential-operator cannot add new grants to deleted gcp role

Verified

OCPBUGS-24613 GCP error syncing creds in mint-mode, can't create a role_id which has been marked for deletion

Closed

OCPBUGS-24684 CIRO should use granular roles on GCP

Closed

OCPBUGS-25655 [gcp] perms errors

Closed

OCPSTRAT-250 Document Cloud Provider Permissions

Closed

mentioned on

Merge request - [GCP][4.15-4.16] deal with spec.providerSpec.permissions in credentials requests

(5 relates to, 1 mentioned on)

Assignee:: Ju Lim

Reporter:: Ju Lim

Contributors:: Bill Dettelback, Daniel Messer, Daniel Odvarka (Inactive), Deepthi Dharwar, Flavian Missi, Gregory Charot, Jeremiah Stuever, Joel Speed, Ju Lim, Marc Curry, Miciah Masters, Patrick Dillon, Patryk Diak, Roman Bednar, Scott Dodson, Tomas Smetana

Developer:: Jeremiah Stuever

QA Contact:: Yu Li (李宇)

Doc Contact:: Jeana Routh

Architect:: Scott Dodson

Product Manager:: Ju Lim

Product Experience Engineering Contact:: Eric Rich

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2023/02/17 9:24 PM

Updated:: 2024/04/29 4:56 PM

Resolved:: 2024/01/24 7:14 PM

Details

Description

BU Priority Overview

Goals

State of the Business

Execution Plans

Attachments

Issue Links

Activity

People

Dates