OpenShift Request For Enhancement
RFE-5360

Disable GCP Role Generation for ccoctl binary


    • Type: Feature Request
    • Resolution: Unresolved

      1. Proposed title of this feature request

      Disable GCP Role Generation for ccoctl binary

      2. What is the nature and description of the request?

      ccoctl in 4.15 now generates roles against a GCP project. The customer does not allow this and wants to use custom roles that they have defined in their GCP tenant, passed in as predefinedRoles.

      Desired behavior:
      1. Create custom roles for the Google service accounts.
      2. Pass those roles into ccoctl.

      Example patching:

      for CRED in "${WIF_CRED_REQ_DIR}"/*; do
        yq -i 'del(.spec.providerSpec.predefinedRoles[] | select(. == "roles/iam.serviceAccountUser"))' "${CRED}"
        yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/storage.admin")) |= "organizations/X/roles/custom.cloud.storage.provisioner")' "${CRED}"
        yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.admin")) |= "organizations/X/roles/custom.vm.provisioner")' "${CRED}"
        yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.instanceAdmin.v1")) |= "organizations/X/roles/custom.openshift.instance.v1.provisioner")' "${CRED}"
        yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.instanceAdmin")) |= "organizations/X/roles/custom.openshift.instance.provisioner")' "${CRED}"
        yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.loadBalancerAdmin")) |= "organizations/X/roles/custom.openshift.loadBalancer.provisioner")' "${CRED}"
        yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.storageAdmin")) |= "organizations/X/roles/custom.openshift.storage.provisioner")' "${CRED}"
        yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/dns.admin")) |= "organizations/X/roles/custom.cloud.dns.provisioner")' "${CRED}"
      done

      Example CredentialsRequest:

      ---
      apiVersion: cloudcredential.openshift.io/v1
      kind: CredentialsRequest
      metadata:
        annotations:
          capability.openshift.io/name: Storage+CloudCredential
          include.release.openshift.io/self-managed-high-availability: "true"
          include.release.openshift.io/single-node-developer: "true"
        name: openshift-gcp-pd-csi-driver-operator
        namespace: openshift-cloud-credential-operator
      spec:
        providerSpec:
          apiVersion: cloudcredential.openshift.io/v1
          kind: GCPProviderSpec
          permissions:
          - compute.instances.get
          - compute.instances.attachDisk
          - compute.instances.detachDisk
          predefinedRoles:
          - roles/compute.storageAdmin
          - roles/iam.serviceAccountUser
          skipServiceCheck: true
        secretRef:
          name: gcp-pd-cloud-credentials
          namespace: openshift-cluster-csi-drivers
        serviceAccountNames:
        - gcp-pd-csi-driver-operator
        - gcp-pd-csi-driver-controller-sa

      Also, roles/iam.serviceAccountUser should not be assigned project-wide. We are patching that as well, binding it only on the appropriate service accounts:

      gcloud iam service-accounts add-iam-policy-binding "${CONTROL_PLANE_SERVICE_ACCOUNT}" \
      --member="serviceAccount:${MACHINE_API_SA_EMAIL}" \
      --project="${CLUSTER_PROJECT_ID}" \
      --role=roles/iam.serviceAccountUser \
      --condition=None
      
      gcloud iam service-accounts add-iam-policy-binding "${WORKER_SA_EMAIL}" \
      --member="serviceAccount:${MACHINE_API_SA_EMAIL}" \
      --project="${CLUSTER_PROJECT_ID}" \
      --role=roles/iam.serviceAccountUser \
      --condition=None
      
      gcloud iam service-accounts add-iam-policy-binding "${WORKER_SA_EMAIL}" \
      --member="serviceAccount:${CSI_API_SA_EMAIL}" \
      --project="${CLUSTER_PROJECT_ID}" \
      --role=roles/iam.serviceAccountUser \
      --condition=None
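      The yq loop and the project-wide iam.serviceAccountUser concern above, generalized into one step as an added example (not code from the RFE or from ccoctl): the CredentialsRequest is represented as the dict a YAML loader would return, the role mapping is the one shown above with the RFE's organizations/X placeholder, and any predefined role the mapping does not cover is rejected instead of being handed to ccoctl.

```python
from copy import deepcopy

# Predefined role -> customer-defined custom role (organizations/X is the RFE's placeholder).
ROLE_MAP = {
    "roles/storage.admin": "organizations/X/roles/custom.cloud.storage.provisioner",
    "roles/compute.admin": "organizations/X/roles/custom.vm.provisioner",
    "roles/compute.instanceAdmin.v1": "organizations/X/roles/custom.openshift.instance.v1.provisioner",
    "roles/compute.instanceAdmin": "organizations/X/roles/custom.openshift.instance.provisioner",
    "roles/compute.loadBalancerAdmin": "organizations/X/roles/custom.openshift.loadBalancer.provisioner",
    "roles/compute.storageAdmin": "organizations/X/roles/custom.openshift.storage.provisioner",
    "roles/dns.admin": "organizations/X/roles/custom.cloud.dns.provisioner",
}
# Removed from every request: bound later on individual service accounts, never project-wide.
DROP_ROLES = {"roles/iam.serviceAccountUser"}


class UnmappedRoleError(ValueError):
    """A predefined role with no custom replacement would be bound project-wide by ccoctl."""


def rewrite_predefined_roles(cred_req, role_map=ROLE_MAP, drop=DROP_ROLES):
    """Return a copy of a CredentialsRequest dict with predefinedRoles rewritten to custom roles."""
    out = deepcopy(cred_req)
    spec = out["spec"]["providerSpec"]
    rewritten = []
    for role in spec.get("predefinedRoles", []):
        if role in drop:
            continue
        if role in role_map:
            rewritten.append(role_map[role])
        elif role.startswith("roles/"):
            # Unlike the yq loop, an unmapped predefined role fails here instead of
            # passing through, so a role newly added by a release is noticed before ccoctl runs.
            raise UnmappedRoleError(f"{out['metadata']['name']}: no custom role for {role}")
        else:
            rewritten.append(role)  # already a custom role, keep as-is
    spec["predefinedRoles"] = rewritten
    return out


# Constructed sample: the pd-csi CredentialsRequest from the RFE, as a YAML loader would return it.
SAMPLE_CRED_REQ = {
    "apiVersion": "cloudcredential.openshift.io/v1",
    "kind": "CredentialsRequest",
    "metadata": {"name": "openshift-gcp-pd-csi-driver-operator",
                 "namespace": "openshift-cloud-credential-operator"},
    "spec": {"providerSpec": {"kind": "GCPProviderSpec",
                              "predefinedRoles": ["roles/compute.storageAdmin",
                                                  "roles/iam.serviceAccountUser"]}},
}
```

      In practice the dicts come from loading each file in WIF_CRED_REQ_DIR and are written back before ccoctl is invoked; the rewritten pd-csi request ends up with only organizations/X/roles/custom.openshift.storage.provisioner.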

      3. Why does the customer need this? (List the business requirements here)

      In 4.14 the customer is doing custom patching of ccoctl to achieve this, but at this point the customer needs this to be natively supported.

      4. List any affected packages or components.

      ccoctl 

            julim Ju Lim
            rhn-support-chdeshpa Chinmay Deshpande