
    • OCPSTRAT-10 Install and update OpenShift on Infrastructure Providers

      Feature Overview

      Document the explicit list of required permissions for installing and running OpenShift on supported cloud providers

      Goals

      Allows customers to better scope credential permissions and create custom roles that only include the minimum subset of what is needed for OpenShift.

      Requirements

      • Minimal set of permissions needed for installing (both for IPI and UPI workflows) OpenShift to public cloud providers
      • Minimal set of permissions needed for the operation (Day 2) of OpenShift clusters running on public cloud providers

      (Optional) Use Cases

      • As an administrator, I would like to know the minimum list of required Service Principal permissions for OpenShift on Microsoft Azure and what they're needed for. This will allow me to create a custom role with only minimal permissions needed for installation (Day 1) and also for the operation (Day 2) of OpenShift.
      • As an administrator, I would like to know the minimum list of required permissions for my credential on GCP and what they're needed for. This will allow me to create a custom role with only minimal permissions needed for installation (Day 1) and also for the operation (Day 2) of OpenShift.

      Out of Scope

      Background, and strategic fit

       

      Assumptions

      Customer Considerations

      • Today, credential permissions are broadly scoped to high-level roles that often conflict with security policies in customers' organizations. Customers need to know the explicit list of permissions for deploying OpenShift to the public cloud, along with an explanation of what those permissions are used for.

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this product feature? For users/admins? Other functions (security officers, etc)? For users/admins
      • Does this feature have doc impact? Update to the existing public cloud user account configuration sections in the product documentation.
      • What concepts do customers need to understand to be successful in [action]? Following the documented minimum requirements for configuring the permissions for their user credentials for the successful installation and operation of their OpenShift clusters.
      • How do we expect customers will use the feature? For what purpose(s)? When setting up their user accounts needed to deploy and run OpenShift in the public cloud.
      • What reference material might a customer want/need to complete [action]? Explicit list of required permissions for each cloud provider.
      • Is there source material that can be used as reference for the Technical Writer in writing the content? Permission requirements need to be provided by each OpenShift component team that relies on cloud credential access. The technical writer would be responsible for taking this information and incorporating it into the product documentation.

            mak.redhat.com Marcos Entenza Garcia
            kdube@redhat.com Katherine Dubé
            Arkadeep Sen, Julio Faerman
            Jianwei Hou
            Stephanie Stout
            Patrick Dillon
            Eric Rich