
Commit 211e80d

Merge pull request #81586 from bscott-rh/OCPBUGS-38689
OCPBUGS-38689 Adding module for user provided GCP service account permissions
2 parents 574b0a8 + 4fe2f37 commit 211e80d

4 files changed

+43
-2
lines changed

installing/installing_gcp/installing-gcp-account.adoc

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,8 @@ include::modules/minimum-required-permissions-ipi-gcp.adoc[leveloffset=+2]
2525

2626
include::modules/minimum-required-permissions-ipi-gcp-xpn.adoc[leveloffset=+2]
2727

28+
include::modules/minimum-required-permissions-ipi-gcp-provided-sas.adoc[leveloffset=+2]
29+
2830
include::modules/installation-gcp-regions.adoc[leveloffset=+1]
2931

3032
== Next steps
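Review bot: the new include on line 28 sits directly under the `minimum-required-permissions-ipi-gcp-xpn` include with no separating blank line, whereas the other includes in this assembly (lines 25 to 27) are each followed by a blank line; add a blank line before the new include so the block stays consistent. The `leveloffset=+2` matches the sibling permission modules, so the new section renders at the same heading depth as the other "Required GCP permissions" sections.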

installing/installing_gcp/installing-gcp-shared-vpc.adoc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ The installation program provisions the rest of the required infrastructure, whi
1919
* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
2020
* You have a GCP host project which contains a shared VPC network.
2121
* You xref:../../installing/installing_gcp/installing-gcp-account.adoc#installing-gcp-account[configured a GCP project] to host the cluster. This project, known as the service project, must be attached to the host project. For more information, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#create-shared[Attaching service projects in the GCP documentation].
22-
* You have a GCP service account that has the xref:../../installing/installing_gcp/installing-gcp-account.adoc#minimum-required-permissions-ipi-gcp-xpn[required GCP permissions] in both the host and service projects.
22+
* You have a GCP service account that has the xref:../../installing/installing_gcp/installing-gcp-account.adoc#minimum-required-permissions-ipi-gcp-xpn_installing-gcp-account[required GCP permissions] in both the host and service projects.
2323

2424
include::modules/cluster-entitlements.adoc[leveloffset=+1]
2525

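Review bot: the xref target now carries the `_installing-gcp-account` context suffix, which is required once the xpn module id becomes `{context}`-qualified; the old anchor `#minimum-required-permissions-ipi-gcp-xpn` no longer exists after this PR. Only this one xref is updated here, so grep the rest of the docs for the old anchor form, and for any other assembly that includes the xpn module under a different `{context}`, since a link from such a page would need its own suffix.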
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * installing/installing_gcp/installing-gcp-account.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="minimum-required-permissions-ipi-gcp-provided-sas_{context}"]
7+
= Required GCP permissions for user-provided service accounts
8+
9+
When you are installing a cluster, the compute and control plane nodes require their own service accounts.
10+
By default, the installation program creates a service account for the control plane and compute nodes.
11+
The service account that the installation program uses requires the roles and permissions that are listed in the _Creating a service account in GCP_ section, as well as the `resourcemanager.projects.getIamPolicy` and `resourcemanager.projects.setIamPolicy` permissions.
12+
These permissions should be applied to the service account in the host project.
13+
If this approach does not meet the security requirements of your organization, you can provide a service account email address for the control plane or compute nodes in the `install-config.yaml` file.
14+
For more information, see the _Installation configuration parameters for GCP_ page.
15+
If you provide a service account for control plane nodes during an installation into a shared VPC, you must grant that service account the `roles/compute.networkUser` role in the host project.
16+
If you want the installation program to automatically create firewall rules when you supply the control plane service account, you must grant that service account the `roles/compute.networkAdmin` and `roles/compute.securityAdmin` roles in the host project.
17+
If you only supply the `roles/compute.networkUser` role, you must create the firewall rules manually.
18+
19+
[IMPORTANT]
20+
====
21+
The following roles are required for user-provided service accounts for control plane and compute nodes respectively.
22+
====
23+
24+
.Required roles for control plane nodes
25+
[%collapsible]
26+
====
27+
* `roles/compute.instanceAdmin`
28+
* `roles/compute.networkAdmin`
29+
* `roles/compute.securityAdmin`
30+
* `roles/storage.admin`
31+
====
32+
33+
.Required roles for compute nodes
34+
[%collapsible]
35+
====
36+
* `roles/compute.viewer`
37+
* `roles/storage.admin`
38+
* `roles/artifactregistry.reader`
39+
====
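Review bot: the role list on lines 27 to 31 does not agree with the prose on lines 15 to 17. The paragraph says `roles/compute.networkUser` is what a user-provided control plane service account must hold in the host project, and that `roles/compute.networkAdmin` and `roles/compute.securityAdmin` are needed only when the installer should create the firewall rules for you; the collapsible list then presents networkAdmin and securityAdmin as unconditionally required and omits networkUser. Either mark those two entries as required only for installer-managed firewall rules, or move them out of the required list, and add `roles/compute.networkUser` to it; as written, a reader who follows the list grants the broader admin roles by default, which undercuts the least-privilege motivation on line 13 for supplying a service account at all. Two smaller points: line 5 types the module as PROCEDURE but it contains no `.Procedure` steps, so REFERENCE or CONCEPT fits better; and the IMPORTANT admonition on lines 19 to 22 carries no warning, only a caption for the lists that follow, so it could be dropped or reworded to say what fails when the roles are missing.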

modules/minimum-required-permissions-ipi-gcp-xpn.adoc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
// * installing/installing_gcp/installing-gcp-account.adoc
44

55
:_mod-docs-content-type: PROCEDURE
6-
[id="minimum-required-permissions-ipi-gcp-xpn"]
6+
[id="minimum-required-permissions-ipi-gcp-xpn_{context}"]
77
= Required GCP permissions for shared VPC installations
88

99
When you are installing a cluster to a link:https://cloud.google.com/vpc/docs/shared-vpc[shared VPC], you must configure the service account for both the host project and the service project. If you are not installing to a shared VPC, you can skip this section.
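Review bot: changing the id from the fixed `minimum-required-permissions-ipi-gcp-xpn` to `minimum-required-permissions-ipi-gcp-xpn_{context}` is the right fix for a module reused across assemblies, but it renames the rendered anchor, so any bookmark or external deep link to the old anchor stops resolving; the shared-vpc assembly is updated in this PR, but check other assemblies and release notes for the old form. The new provided-sas module uses the same `_{context}` pattern from the start, so the two permission modules are now consistent with each other.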
