Feature
Resolution: Done
Major
Security & Compliance
Feature Overview (aka. Goal Summary)
Reduce GCP IAM permissions required for operator-gcp-pd-csi-driver-operator when deployed with Google WIF.
Goals (aka. expected user outcomes)
operator-gcp-pd-csi-driver-operator service account has the iam.serviceAccountUser role. This allows this Service Account to impersonate any service account inside of the GCP project, which is a security risk.
The initial idea is to replace it with iam.serviceAccounts.actAs.
This improves security by limiting an overly permissive permission. It also unblocks OCP adoption for customers who have strict security rules.
Since we don't own the PD CSI driver nor have merge approval, the goal of this epic is to convince the GCP PD CSI team to approve the necessary changes.
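An added example, not part of the original ticket or of the operator's code: a Python check over an exported project IAM policy that lists which members hold roles/iam.serviceAccountUser at project level, the grant described above. The policy and the service account names are constructed samples, and project_wide_act_as is a hypothetical helper name.

```python
import json

BROAD_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/compute.storageAdmin",
     "members": ["serviceAccount:example-pd-csi@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:example-pd-csi@example-project.iam.gserviceaccount.com",
                 "serviceAccount:example-other@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:example-ci@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}
""")


def project_wide_act_as(policy, member_filter=None):
    """List members bound to BROAD_ROLE in a project-level IAM policy."""
    # A binding in the project policy applies to every service account in
    # the project, which is the exposure this ticket wants to remove.
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != BROAD_ROLE:
            continue
        condition = binding.get("condition")
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                continue  # tombstoned principals no longer receive the grant
            if member_filter and member_filter not in member:
                continue
            findings.append({
                "member": member,
                "conditional": condition is not None,
                "expression": condition.get("expression") if condition else None,
            })
    return findings


if __name__ == "__main__":
    for f in project_wide_act_as(SAMPLE_POLICY):
        scope = "conditional" if f["conditional"] else "unconditional"
        print(f"{f['member']}: {BROAD_ROLE} at project level ({scope})")
```

Run it against the real export both before and after the role is replaced; an empty result for the CSI driver operator's service account confirms the project-wide grant is gone.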
Requirements (aka. Acceptance Criteria):
Replace iam.serviceAccountUser role with something less permissive and ensure there is no regression whatsoever.
The change must be approved upstream beforehand; we don't want to maintain a forked version.
Deployment considerations | List applicable specific needs (N/A = not applicable) |
Self-managed, managed, or both | both |
Classic (standalone cluster) | yes |
Hosted control planes | GCP only |
Multi node, Compact (three node), or Single node (SNO), or all | all |
Connected / Restricted Network | all |
Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | no arch dependent |
Operator compatibility | GCP PD CSI |
Backport needed (list applicable versions) | Possibly / TBC |
UI need (e.g. OpenShift Console, dynamic plugin, OCM) | no user visible |
Other (please specify) |
Use Cases (Optional):
As an OCP on GCP admin using WIF, I want to assign less permissive permissions to the GCP CSI driver.
Questions to Answer (Optional):
How to convince Google to approve the change?
Can we get help from OSD team?
Do we document GCP permissions for OCP somewhere?
Out of Scope
limited to PD CSI
Background
There has been feedback that the current permissions can block adoption by OCP on GCP customers.
Customer Considerations
Will unblock customers that are strict on permissions assigned to OCP components. There should be no regression.
Documentation Considerations
Need to verify whether we document GCP permissions somewhere. If so, update them.
Interoperability Considerations
GCP only