Expand Up @@ -94,8 +94,8 @@ include::modules/cco-short-term-creds-auth-flow-gcp.adoc[leveloffset=+2]
//GCP component secret formats
include::modules/cco-short-term-creds-format-gcp.adoc[leveloffset=+2]

//GCP component secret permissions requirements (placeholder)
//include::modules/cco-short-term-creds-component-permissions-gcp.adoc[leveloffset=+2]
//GCP component secret permissions requirements
include::modules/cco-short-term-creds-component-permissions-gcp.adoc[leveloffset=+2]

//OLM-managed Operator support for authentication with GCP Workload Identity
include::modules/cco-short-term-creds-gcp-olm.adoc[leveloffset=+2]
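Review bot: keep the newly uncommented include and the module it points at (modules/cco-short-term-creds-component-permissions-gcp.adoc, added as the second file in this diff) in the same commit; an assembly include of a module that does not yet exist breaks the docs build, and the "(placeholder)" comment being removed here was the only thing guarding against that. The `leveloffset=+2` matches the neighbouring GCP includes, so nothing else needs changing in this hunk.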
200 changes: 200 additions & 0 deletions modules/cco-short-term-creds-component-permissions-gcp.adoc
@@ -0,0 +1,200 @@
// Module included in the following assemblies:
//
// * authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc

:_mod-docs-content-type: REFERENCE
[id="cco-short-term-creds-component-permissions-gcp_{context}"]
= GCP component secret permissions requirements

[role="_abstract"]
{product-title} components require the following permissions. These values are in the `CredentialsRequest` custom resource (CR) for each component.

[NOTE]
====
These permissions apply to all resources. Unless specified, there are no request conditions on these permissions.
====

[cols="a,a,a"]
|====
|Component |Custom resource |Required permissions for services

|Cloud Controller Manager Operator
|`openshift-gcp-ccm`
|Compute Engine

* `compute.addresses.create`
* `compute.addresses.delete`
* `compute.addresses.get`
* `compute.addresses.list`
* `compute.firewalls.create`
* `compute.firewalls.delete`
* `compute.firewalls.get`
* `compute.firewalls.update`
* `compute.forwardingRules.create`
* `compute.forwardingRules.delete`
* `compute.forwardingRules.get`
* `compute.healthChecks.create`
* `compute.healthChecks.delete`
* `compute.healthChecks.get`
* `compute.healthChecks.update`
* `compute.httpHealthChecks.create`
* `compute.httpHealthChecks.delete`
* `compute.httpHealthChecks.get`
* `compute.httpHealthChecks.update`
* `compute.instanceGroups.create`
* `compute.instanceGroups.delete`
* `compute.instanceGroups.get`
* `compute.instanceGroups.update`
* `compute.instances.get`
* `compute.instances.use`
* `compute.regionBackendServices.create`
* `compute.regionBackendServices.delete`
* `compute.regionBackendServices.get`
* `compute.regionBackendServices.update`
* `compute.targetPools.addInstance`
* `compute.targetPools.create`
* `compute.targetPools.delete`
* `compute.targetPools.get`
* `compute.targetPools.removeInstance`
* `compute.zones.list`

|Cloud Credential Operator
|`cloud-credential-operator-gcp-ro-creds`
|Identity and Access Management (IAM)

* `iam.roles.get`
* `iam.serviceAccountKeys.list`
* `iam.serviceAccounts.get`

Resource Manager

* `resourcemanager.projects.get`
* `resourcemanager.projects.getIamPolicy`

Service Usage

* `serviceusage.services.list`

|Cluster Image Registry Operator
|`openshift-image-registry-gcs`
|Cloud Storage

* `storage.buckets.create`
* `storage.buckets.createTagBinding`
* `storage.buckets.delete`
* `storage.buckets.get`
* `storage.buckets.list`
* `storage.buckets.listEffectiveTags`
* `storage.objects.create`
* `storage.objects.delete`
* `storage.objects.get`
* `storage.objects.list`

Resource Manager

* `resourcemanager.tagValueBindings.create`
* `resourcemanager.tagValues.get`
* `resourcemanager.tagValues.list`

|Cluster Ingress Operator
|`openshift-ingress-gcp`
|Cloud DNS

* `dns.changes.create`
* `dns.resourceRecordSets.create`
* `dns.resourceRecordSets.delete`
* `dns.resourceRecordSets.list`
* `dns.resourceRecordSets.update`

|Cluster Network Operator
|`openshift-cloud-network-config-controller-gcp`
|Compute Engine

* `compute.instances.get`
* `compute.instances.updateNetworkInterface`
* `compute.subnetworks.get`
* `compute.subnetworks.use`
* `compute.zoneOperations.get`

|Cluster Storage Operator
|`openshift-gcp-pd-csi-driver-operator`
|Compute Engine

* `compute.instances.attachDisk`
* `compute.instances.detachDisk`
* `compute.instances.get`

This component also requires the following {gcp-short} predefined roles:

* `roles/compute.storageAdmin`
* `roles/iam.serviceAccountUser`
* `roles/resourcemanager.tagUser`

|Machine API Operator
|`openshift-machine-api-gcp`
|Compute Engine

* `compute.acceleratorTypes.get`
* `compute.acceleratorTypes.list`
* `compute.disks.create`
* `compute.disks.createTagBinding`
* `compute.disks.setLabels`
* `compute.globalOperations.get`
* `compute.globalOperations.list`
* `compute.healthChecks.useReadOnly`
* `compute.images.get`
* `compute.images.getFromFamily`
* `compute.images.useReadOnly`
* `compute.instanceGroups.create`
* `compute.instanceGroups.delete`
* `compute.instanceGroups.get`
* `compute.instanceGroups.list`
* `compute.instanceGroups.update`
* `compute.instances.create`
* `compute.instances.createTagBinding`
* `compute.instances.delete`
* `compute.instances.get`
* `compute.instances.list`
* `compute.instances.setLabels`
* `compute.instances.setMetadata`
* `compute.instances.setServiceAccount`
* `compute.instances.setTags`
* `compute.instances.update`
* `compute.instances.use`
* `compute.machineTypes.get`
* `compute.machineTypes.list`
* `compute.projects.get`
* `compute.regionBackendServices.create`
* `compute.regionBackendServices.get`
* `compute.regionBackendServices.update`
* `compute.regions.get`
* `compute.regions.list`
* `compute.subnetworks.use`
* `compute.subnetworks.useExternalIp`
* `compute.targetPools.addInstance`
* `compute.targetPools.delete`
* `compute.targetPools.get`
* `compute.targetPools.removeInstance`
* `compute.zoneOperations.get`
* `compute.zoneOperations.list`
* `compute.zones.get`
* `compute.zones.list`

Identity and Access Management (IAM)

* `iam.serviceAccounts.actAs`
* `iam.serviceAccounts.get`
* `iam.serviceAccounts.list`

Resource Manager

* `resourcemanager.tagValues.get`
* `resourcemanager.tagValues.list`

Service Usage

* `serviceusage.quotas.get`
* `serviceusage.services.get`
* `serviceusage.services.list`

|====
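Review bot: the Cluster Storage Operator row (`openshift-gcp-pd-csi-driver-operator`) is the only one that lists predefined roles (`roles/compute.storageAdmin`, `roles/iam.serviceAccountUser`, `roles/resourcemanager.tagUser`) alongside granular permissions, and `roles/compute.storageAdmin` grants project-wide disk, snapshot and image administration, far more than the three `compute.instances.*` permissions listed above it. Add a sentence to that cell explaining why the granular list is not sufficient for this component; otherwise a reader building least-privilege custom roles from this table will either under-provision that operator or, by analogy, over-provision the others. Minor, in the `[NOTE]` block: "Unless specified, there are no request conditions on these permissions" implies some rows specify conditions, but none does, so either drop "Unless specified" or state plainly that no component currently requires a condition.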