Feature Request
Resolution: Unresolved
Normal
openshift-4.18
Product / Portfolio Work
1. Proposed title of this feature request
[OSD-GCP] Set image-registry bucket uniform_bucket_level_access to "True"
2. What is the nature and description of the request?
Customers on GCP whose organization enforces the Organization Policy Constraint "constraints/storage.uniformBucketLevelAccess" should be able to use the cluster's image registry. Currently (on OSD-GCP 4.18.14), the image-registry bucket defaults to public access and to fine-grained access control with object-level ACLs.
Ideally, private access with uniform bucket-level access control should be the default for new image-registry buckets. If that is not viable, it should at least be user-configurable at OSD-GCP install time.
This is the same customer need as RFE-1516, but that ticket focused on the bootstrap-ignition bucket provisioned by the installer itself.
3. Why does the customer need this? (List the business requirements here)
It is common for customers to enable "constraints/storage.uniformBucketLevelAccess" so that they can enforce and audit that bucket contents are only accessible via IAM policies on the bucket, rather than relying on every process that writes individual objects to set object ACLs correctly and avoid accidental data exposure. The constraint requires every newly created bucket to have uniform bucket-level access enabled, so for those customers creation of the image-registry bucket currently fails.
See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints and https://cloud.google.com/storage/docs/uniform-bucket-level-access
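The following is an added example, not part of this request or of the OpenShift image registry operator. It is a read-only gcloud check a cluster administrator can run against the bucket the registry operator created: it reports whether the bucket already has the two properties this request asks for (uniform bucket-level access enabled, public access prevention enforced) and whether the uniformBucketLevelAccess constraint is in effect for the project, which is the condition under which a fine-grained bucket creation is rejected. The GCLOUD variable is an assumption of this example so the gcloud binary can be swapped for a stub; the bucket and project names are placeholders.

```shell
#!/bin/sh
# Added example (not project code): check a GCS bucket against the two
# properties requested above and check the org policy constraint.
# Requires an authenticated gcloud; GCLOUD is an assumed override hook.
: "${GCLOUD:=gcloud}"

lower() { tr '[:upper:]' '[:lower:]'; }

# Prints "compliant" and returns 0 when the bucket uses uniform
# bucket-level access and enforces public access prevention; otherwise
# prints each failing property (name=value, one per line) and returns 1.
check_bucket() {
  bucket="$1"
  ubla=$("$GCLOUD" storage buckets describe "gs://$bucket" \
    --format='value(uniform_bucket_level_access)' | lower)
  pap=$("$GCLOUD" storage buckets describe "gs://$bucket" \
    --format='value(public_access_prevention)' | lower)
  status=0
  if [ "$ubla" != "true" ]; then
    # anything else means fine-grained access: object ACLs are honoured
    echo "uniform_bucket_level_access=$ubla"
    status=1
  fi
  if [ "$pap" != "enforced" ]; then
    # "inherited" means allUsers/allAuthenticatedUsers grants are possible
    echo "public_access_prevention=$pap"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo compliant
  fi
  return "$status"
}

# Prints "true" when constraints/storage.uniformBucketLevelAccess is
# enforced for the project after inheritance from folder/organization;
# GCS then rejects creation of a bucket without uniform access.
ubla_constraint_enforced() {
  "$GCLOUD" resource-manager org-policies describe \
    constraints/storage.uniformBucketLevelAccess \
    --project="$1" --effective \
    --format='value(booleanPolicy.enforced)' | lower
}

# Stand-alone usage: sh check-registry-bucket.sh BUCKET PROJECT
if [ "$#" -eq 2 ]; then
  check_bucket "$1"
  echo "constraint enforced for $2: $(ubla_constraint_enforced "$2")"
fi
```

If the bucket reports non-compliance, the manual remediation is `gcloud storage buckets update gs://BUCKET --uniform-bucket-level-access --public-access-prevention`. Note that enabling uniform bucket-level access stops object ACLs from being honoured and, per Google's documentation, can only be reverted within 90 days; the registry operator owns this bucket, so the supported fix remains the default change requested here.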
4. List any affected packages or components.
- Image Registry Operator
- OCM provisioning of OSD-GCP
Relates to:
- RFE-1516 GCP - Set gcp bucket uniform_bucket_level_access to "True" during install (Closed)