Type: Feature
Resolution: Unresolved
Priority: Normal
Feature Overview (aka. Goal Summary)
WIF-based installation automatically creates a set of GCP Service Account ↔ Kubernetes ServiceAccount pairs: each GCP service account is bound through Workload Identity Federation to the Kubernetes ServiceAccount of an operator or installation step. These identities, the roles and permissions granted to them, and their purposes are not documented today. Enterprise customers need this documentation for security review and compliance sign-off.
Goals (aka. expected user outcomes)
- Teams can review a complete, authoritative list of GCP Service Accounts and corresponding Kubernetes ServiceAccounts created/used by WIF-based installation
- For each identity, users can see: purpose, creation source (installer/operator), scopes/roles/permissions, and lifecycle (creation/update/deletion)
- Guidance on safely customizing, auditing, and monitoring these identities
Requirements (aka. Acceptance Criteria)
Documentation page(s) added to official docs describing:
- List of GCP Service Accounts and Kubernetes ServiceAccounts used/created during WIF-based install and initial cluster bring‑up
- For each pair: which component uses it, what operations it performs, and exact GCP roles/permissions granted
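The acceptance criteria above ask for a per-identity inventory (GCP service account, bound Kubernetes ServiceAccount, exact roles). As an added example that is not part of this feature or the OpenShift project's code, the Python script below builds that inventory from the JSON returned by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`, and flags what a security reviewer would want called out: basic roles (owner/editor/viewer), identities with no Workload Identity binding to a Kubernetes ServiceAccount, and non-WIF members allowed to impersonate an identity. The service account names, project, pool name and roles in the embedded samples are constructed for illustration; the installer's real set is exactly what the requested documentation page should enumerate.

```python
"""Build a GCP service account <-> Kubernetes ServiceAccount inventory from IAM policy JSON.

Inputs use the JSON shapes produced by:
  gcloud projects get-iam-policy PROJECT --format=json
  gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
Both samples below are constructed for this example (names, project, pool and roles are illustrative).
"""
import json
import re
from collections import defaultdict

# Member format Workload Identity Federation uses for Kubernetes ServiceAccount subjects.
WI_SUBJECT = re.compile(
    r"^principal://iam\.googleapis\.com/projects/(?P<project_number>\d+)"
    r"/locations/global/workloadIdentityPools/(?P<pool>[^/]+)"
    r"/subject/system:serviceaccount:(?P<namespace>[^:]+):(?P<name>[^:/]+)$"
)

# Basic roles are never least privilege; flag any installer identity that holds one.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample: project-level IAM policy.
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.admin",
   "members": ["serviceAccount:demo-x1y2z-machine-api@demo-proj.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:demo-x1y2z-machine-api@demo-proj.iam.gserviceaccount.com",
               "user:admin@example.com"]},
  {"role": "roles/storage.admin",
   "members": ["serviceAccount:demo-x1y2z-image-registry@demo-proj.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:demo-x1y2z-legacy@demo-proj.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["serviceAccount:unrelated-sa@demo-proj.iam.gserviceaccount.com"]}
], "etag": "constructed", "version": 1}
""")

# Constructed sample: per-service-account IAM policies, keyed by SA email.
POOL = "projects/123456789012/locations/global/workloadIdentityPools/demo-x1y2z"
SA_POLICIES = {
    "demo-x1y2z-machine-api@demo-proj.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.workloadIdentityUser", "members": [
            f"principal://iam.googleapis.com/{POOL}/subject/system:serviceaccount:openshift-machine-api:machine-api-controllers"]}]},
    "demo-x1y2z-image-registry@demo-proj.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.workloadIdentityUser", "members": [
            f"principal://iam.googleapis.com/{POOL}/subject/system:serviceaccount:openshift-image-registry:registry",
            "user:contractor@example.com"]}]},
    # No WIF binding at all: either a key-based credential or an orphaned identity.
    "demo-x1y2z-legacy@demo-proj.iam.gserviceaccount.com": {"bindings": []},
}


def project_roles_by_sa(policy, prefix):
    """Map each service account email starting with `prefix` to the sorted project roles it holds."""
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue
            email = member[len("serviceAccount:"):]
            if email.startswith(prefix):
                roles[email].add(binding["role"])
    return {email: sorted(r) for email, r in roles.items()}


def bound_subjects(sa_policy):
    """Return (kubernetes_sas, stray_members) from an SA's roles/iam.workloadIdentityUser bindings.

    kubernetes_sas: sorted (namespace, name) pairs that may impersonate the SA via WIF.
    stray_members:  workloadIdentityUser members that are not WIF Kubernetes subjects.
    """
    ksas, stray = [], []
    for binding in sa_policy.get("bindings", []):
        if binding.get("role") != "roles/iam.workloadIdentityUser":
            continue
        for member in binding.get("members", []):
            m = WI_SUBJECT.match(member)
            (ksas.append((m["namespace"], m["name"])) if m else stray.append(member))
    return sorted(ksas), stray


def build_inventory(project_policy, sa_policies, prefix):
    """Produce the per-identity inventory plus findings a security review should look at."""
    inventory, findings = {}, []
    for email, roles in project_roles_by_sa(project_policy, prefix).items():
        ksas, stray = bound_subjects(sa_policies.get(email, {}))
        inventory[email] = {"roles": roles, "kubernetes_service_accounts": ksas}
        findings += [f"{email}: holds basic role {r} (not least privilege)" for r in roles if r in BROAD_ROLES]
        if not ksas:
            findings.append(f"{email}: no workloadIdentityUser binding for a Kubernetes SA "
                            "(key-based credential or orphaned identity?)")
        findings += [f"{email}: non-WIF member {m} may impersonate this SA" for m in stray]
    return inventory, findings


def render(inventory):
    """Plain-text listing in the shape the documentation page should provide."""
    lines = []
    for email, entry in sorted(inventory.items()):
        ksas = ", ".join(f"{ns}/{name}" for ns, name in entry["kubernetes_service_accounts"]) or "-"
        lines.append(f"{email}\n  Kubernetes SA(s): {ksas}\n  roles: {', '.join(entry['roles'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv, issues = build_inventory(PROJECT_POLICY, SA_POLICIES, prefix="demo-x1y2z-")
    print(render(inv))
    for issue in issues:
        print("FINDING:", issue)
```

Scoping by the installer's service account name prefix (the cluster infra ID in the sample) keeps unrelated identities in the same project out of the inventory; in a real review, replace the embedded samples with the two `gcloud` outputs and run the script against every GCP service account the documentation lists.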
Out of Scope
- Non‑GCP clouds (AWS, Azure) identities
- Non‑WIF installation methods
Background
- Enterprises must document service identities and permissions for security audits. Current docs do not enumerate the GCP ServiceAccounts/Kubernetes ServiceAccounts and their roles used by WIF-based installation and core operators.
Customer Considerations
- Regulated environments require least‑privilege and clear auditability
- Some customers pre-provision identities; if that is supported, document how pre-provisioned identities map to, or override, the installer-created ones
Documentation Considerations
- New topic under GCP installation and security hardening
- Cross‑link to WIF setup, installer pre‑reqs, and operator permission references
Interoperability Considerations
- Applies to OCP on GCP with WIF; mark the topic N/A for ROSA/ARO/OSD or link to their equivalents, if any exist