- Epic
- Resolution: Done
- SDN: Custom Roles for GCP Workload Identity Support
- BU Product Work
- To Do
- OCPSTRAT-243 - Custom roles for GCP Workload Identity
- 0% To Do, 0% In Progress, 100% Done
Evaluate whether any of the GCP predefined roles in the credentials request manifest of the Cluster Network Operator grant elevated permissions. Remove any such predefined role from the spec.predefinedRoles field and replace it with the required permissions in the new spec.permissions field.
The new GCP provider spec for the CredentialsRequest CR is as follows:

    type GCPProviderSpec struct {
        metav1.TypeMeta `json:",inline"`
        // PredefinedRoles is the list of GCP pre-defined roles
        // that the CredentialsRequest requires.
        PredefinedRoles []string `json:"predefinedRoles"`
        // Permissions is the list of GCP permissions required to
        // create a more fine-grained custom role to satisfy the
        // CredentialsRequest.
        // When both Permissions and PredefinedRoles are specified
        // the service account will have the union of permissions from
        // both fields.
        Permissions []string `json:"permissions"`
        // SkipServiceCheck can be set to true to skip the check whether the requested roles or permissions
        // have the necessary services enabled
        // +optional
        SkipServiceCheck bool `json:"skipServiceCheck,omitempty"`
    }

We can use the following command to check the permissions associated with a GCP predefined role:
gcloud iam roles describe <role_name>
The sample output for the role roleViewer is as follows. The permissions are listed in the "includedPermissions" field.
[akhilrane@localhost cloud-credential-operator]$ gcloud iam roles describe roles/iam.roleViewer
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
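The evaluation step above (compare what each predefined role grants with what the operator actually needs, then move the over-broad roles into spec.permissions) can be scripted. The following is an added example, not code from cloud-credential-operator or the Cluster Network Operator. It parses the plain `gcloud iam roles describe` output format shown above; the second role description (`roles/example.networkAdmin`) and the NEEDED_PERMISSIONS set are constructed sample data, not a real GCP role or the operator's real requirements.

```python
"""Least-privilege audit of spec.predefinedRoles in a GCP CredentialsRequest.

Added example, not cloud-credential-operator code. It parses the key/value
and list subset of YAML that `gcloud iam roles describe` prints, reports the
permissions each predefined role grants beyond what is needed, and builds the
replacement predefinedRoles / permissions fields for the provider spec.
"""

# Constructed sample: two `gcloud iam roles describe` outputs. The first mirrors
# the roleViewer output above; the second is an invented over-broad role used
# only to show the excess-permission report (not a real GCP role).
SAMPLE_ROLE_DESCRIPTIONS = {
    "roles/iam.roleViewer": """\
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
""",
    "roles/example.networkAdmin": """\
description: Constructed sample role, not a real GCP role.
includedPermissions:
- compute.firewalls.get
- compute.firewalls.list
- compute.firewalls.create
- compute.firewalls.delete
- compute.networks.get
- compute.networks.updatePolicy
name: roles/example.networkAdmin
stage: GA
title: Example Network Admin
""",
}

# Constructed sample of what an operator needs; not the real CNO permission set.
NEEDED_PERMISSIONS = {
    "compute.firewalls.get",
    "compute.firewalls.list",
    "compute.networks.get",
    "iam.roles.get",
    "iam.roles.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
}


def parse_role_description(text: str) -> dict:
    """Parse `gcloud iam roles describe` output into a dict.

    Scalar keys map to strings; a key with no value (e.g. includedPermissions:)
    starts a list that collects the following "- item" lines.
    """
    role = {"includedPermissions": []}
    current_list = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("- ") and current_list is not None:
            current_list.append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":
            role[key] = []
            current_list = role[key]
        else:
            role[key] = value
            current_list = None
    return role


def audit_predefined_roles(predefined_roles, needed, descriptions) -> dict:
    """Decide which predefined roles to keep and which to replace with permissions.

    A role is kept only if every permission it grants is needed. An over-broad
    role is dropped; the needed permissions it covered go into spec.permissions
    and its excess permissions are reported so a reviewer can see the reduction.
    """
    needed = set(needed)
    keep_roles, permissions, excess_by_role = [], set(), {}
    for role_name in predefined_roles:
        role = parse_role_description(descriptions[role_name])
        granted = set(role["includedPermissions"])
        excess = sorted(granted - needed)
        if excess:
            excess_by_role[role_name] = excess
            permissions |= granted & needed
        else:
            keep_roles.append(role_name)
    return {
        "predefinedRoles": keep_roles,
        "permissions": sorted(permissions),
        "excess": excess_by_role,
    }


def render_provider_spec(result: dict) -> str:
    """Render the resulting provider spec fields in CredentialsRequest YAML layout."""
    lines = ["providerSpec:", "  kind: GCPProviderSpec", "  predefinedRoles:"]
    lines += [f"  - {r}" for r in result["predefinedRoles"]]
    lines.append("  permissions:")
    lines += [f"  - {p}" for p in result["permissions"]]
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit_predefined_roles(
        ["roles/iam.roleViewer", "roles/example.networkAdmin"],
        NEEDED_PERMISSIONS,
        SAMPLE_ROLE_DESCRIPTIONS,
    )
    for role, excess in result["excess"].items():
        print(f"{role} grants unneeded permissions: {', '.join(excess)}")
    print(render_provider_spec(result))
```

In real use the role descriptions would come from running `gcloud iam roles describe` for each entry in spec.predefinedRoles, and the needed set from the operator's actual API calls; the decision rule (keep a role only when it grants nothing beyond what is needed) is the same either way.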
- is blocked by
  - OCPBUGS-23178 cloud-credential-operator cannot add new grants to deleted gcp role (Verified)
  - OCPBUGS-24613 GCP error syncing creds in mint-mode, can't create a role_id which has been marked for deletion (Closed)
  - OCPBUGS-28850 Implement per-project custom role creation in ccoctl (Closed)
- is incorporated by
  - CCO-285 GCP openshift role granularity enhancement - phase 2 (Closed)
- is related to
  - CCO-285 GCP openshift role granularity enhancement - phase 2 (Closed)