OpenShift Storage: STOR-1897

Remove serviceAccountUser role from GCP PD CSI

    • Type: Epic
    • Resolution: Unresolved
    • Status: To Do (100% To Do, 0% In Progress, 0% Done)
    • Summary: Remove serviceAccountUser role from GCP PD CSI
    • Description: Need to have Google confirmation that we can either remove the serviceAccountUser role or get another set of permissions to replace it.
      https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700

      Epic Goal*

      The creation of an OpenShift Dedicated cluster on GCP today results in what Google's Security Health Analytics service considers to be "common security vulnerabilities".

      Successful cluster provisioning requires an IAM service account with a broad set of administrative permissions. Included in this set of permissions are the roles "Service Account Admin" and "Service Account User", setting off the security health detectors SERVICE_ACCOUNT_ROLE_SEPARATION and OVER_PRIVILEGED_SERVICE_ACCOUNT_USER.


      The GCP PD CSI driver upstream documentation clearly states that the driver requires a service account that has the iam.serviceAccountUser role.

      https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/blob/master/docs/kubernetes/user-guides/driver-install.md?plain=1#L17-L21


      We opened an upstream issue to confirm if this role is indeed required.

      https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700
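      As an added illustration (not code from this epic or from the CSI driver project), the check below reproduces what the two Security Health Analytics detectors named above look for in a project-level IAM policy: a principal holding both roles/iam.serviceAccountAdmin and roles/iam.serviceAccountUser (role separation), and roles/iam.serviceAccountUser bound at project scope rather than on a single service account (over-privileged user). The policy document is a constructed sample in the JSON shape of `gcloud projects get-iam-policy PROJECT --format=json`; the service account names are assumptions.

```python
"""Audit a project-level IAM policy for the two findings named in STOR-1897."""
import json

ROLE_ADMIN = "roles/iam.serviceAccountAdmin"
ROLE_USER = "roles/iam.serviceAccountUser"

# Constructed sample policy; project and account names are illustrative only.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": ROLE_ADMIN,
         "members": ["serviceAccount:installer@example-proj.iam.gserviceaccount.com"]},
        {"role": ROLE_USER,
         "members": ["serviceAccount:installer@example-proj.iam.gserviceaccount.com",
                     "serviceAccount:gcp-pd-csi@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/compute.storageAdmin",
         "members": ["serviceAccount:gcp-pd-csi@example-proj.iam.gserviceaccount.com"]},
    ]
})


def members_by_role(policy):
    """Map each role in the policy to the set of members bound to it."""
    out = {}
    for binding in policy.get("bindings", []):
        out.setdefault(binding["role"], set()).update(binding.get("members", []))
    return out


def audit(policy_json):
    """Return the members that would trigger each detector, sorted for stable output."""
    roles = members_by_role(json.loads(policy_json))
    admins = roles.get(ROLE_ADMIN, set())
    users = roles.get(ROLE_USER, set())
    return {
        # SERVICE_ACCOUNT_ROLE_SEPARATION: the same principal can both create
        # service accounts and act as them.
        "role_separation": sorted(admins & users),
        # OVER_PRIVILEGED_SERVICE_ACCOUNT_USER: serviceAccountUser granted on the
        # project applies to every service account in it, not just the one needed.
        "overprivileged_user": sorted(users),
    }


if __name__ == "__main__":
    for finding, members in audit(SAMPLE_POLICY).items():
        for member in members:
            print(f"{finding}: {member}")
```

The second finding is the one the epic is about: as long as the driver's documented requirement is project-level serviceAccountUser, the CSI account itself appears in that list.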

      Why is this important? (mandatory)

      Avoid Google security scan alerts

      Scenarios (mandatory)

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.

      1.
      Dependencies (internal and external) (mandatory)

      Official driver documentation requires the iam.serviceAccountUser role. Google needs to either find a way to remove that role or set more granular permissions.

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - 
      • Documentation -
      • QE - 
      • PX - 
      • Others -

      Acceptance Criteria (optional)

      Provide some (testable) examples of how we will know if we have achieved the epic goal.  

      Drawbacks or Risk (optional)

      It would be super risky to try to find the set of permissions ourselves, as this could introduce regressions. We should instead keep what is recommended upstream and have Google change their role requirements.

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending”

      Assignee: Unassigned
      Gregory Charot (rh-gs-gcharot)
      Wei Duan