OCPBUGS#59417 GCP Cloud Organization Policy and VPC-SC Requirements for OpenShift Installer #102568
🤖 Tue Nov 25 15:41:56 - Prow CI generated the docs preview.
@bscott-rh: all tests passed! Full PR test history. Your PR dashboard. Details. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
| roles: | ||
| - <role_name> | ||
| resources: | ||
| - projects/902460926346 |
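Review bot: the `resources` entry hard-codes the project number `projects/902460926346`, which does not match the `projectNumber: '7991419043'` that the `gcloud projects describe rhcos-cloud` output in this thread reports, and the later `allowedValues` block refers to the same project by ID (`projects/rhcos-cloud`) instead. Confirm which project this number belongs to, and either document that this field requires the project number or reference the project consistently across both snippets.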
@lnguyen1401 Would you please confirm if the project number "902460926346" is correct, and corresponds to the project "rhcos-cloud"? I'm asking because I got below instead, thanks in advance!
$ gcloud projects describe rhcos-cloud
createTime: '2019-07-19T17:39:10.423Z'
labels:
cost-center: '706'
cost_category: dev
service-owner: amccrae
service-phase: dev
lifecycleState: ACTIVE
name: RHCOS cloud
parent:
id: '710785325000'
type: folder
projectId: rhcos-cloud
projectNumber: '7991419043'
$
| where: | ||
| + | ||
| <role_name>:: Specifies the IAM role that you created for the installation program. | ||
| <service_account>:: Specifies the name of the installation program service account. No newline at end of file |
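Review bot: the `where:` entries describe `<role_name>` only as "the IAM role that you created for the installation program" without stating which permissions that role must carry, so a reader cannot create the role from this text; add the required permissions or a pointer to the section that lists them. The file also lacks a trailing newline, as the "No newline at end of file" marker shows.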
@lnguyen1401 Do you know which role or permissions are required?
@bscott-rh Per Google doc, "egressFrom.identityType" should be ANY_IDENTITY, ANY_USER_ACCOUNT, or ANY_SERVICE_ACCOUNT instead. And "egressFrom.identities" can be used to list the service accounts and etc.
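As an added illustration of the point made in that comment, not code from the pull request or from the OpenShift project, the following is a VPC Service Controls egress policy in the YAML shape that `gcloud access-context-manager perimeters update --set-egress-policies=FILE` accepts. The service account name, the project numbers, and the choice of storage operations are assumed placeholders; the three `identityType` values and the `identities` list form follow the Google documentation cited in the comment.

```yaml
# Added example, not from the pull request: a VPC-SC egress policy that lets
# identities inside the perimeter reach Cloud Storage in an external project.
# The service account, project numbers, and operations below are assumptions.
#
# Option 1: allow every service account inside the perimeter.
# Valid identityType values are ANY_IDENTITY, ANY_USER_ACCOUNT, ANY_SERVICE_ACCOUNT.
- egressFrom:
    identityType: ANY_SERVICE_ACCOUNT
  egressTo:
    resources:
    - projects/123456789012   # assumed project number of the target project
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"

# Option 2 (narrower): allow only the installer's own service account, named
# explicitly in the identities list instead of using identityType.
- egressFrom:
    identities:
    - serviceAccount:openshift-installer@example-project.iam.gserviceaccount.com  # assumed
  egressTo:
    resources:
    - projects/123456789012   # assumed project number of the target project
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
```

Option 2 is the least-privilege form: it names one service account rather than opening egress to every service account in the perimeter, which is why the comment above points to `egressFrom.identities` for listing specific accounts.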
| allowedValues: | ||
| - projects/rhcos-cloud | ||
| ---- | ||
| . Modify the `iam.allowedPolicyMemberDomains` constraint to allow the service account that the installation program uses to authenticate with {gcp-short} and create storage. |
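Review bot: the final step tells the reader to modify the `iam.allowedPolicyMemberDomains` constraint but, unlike the preceding `allowedValues` block, shows no sample constraint, so the reader has no concrete value to set; add one. A later comment in this thread also proposes `iam.managed.allowedPolicyMembers` as the better constraint for allowing a single service account, which should be settled before the sample is written.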
@lnguyen1401 @bscott-rh How about showing a sample constraint for such modification?
I wonder if "iam.managed.allowedPolicyMembers" is a better choice. WDYT?
Version(s):
4.19+
Issue:
https://issues.redhat.com/browse/OCPBUGS-59417
Link to docs preview:
https://102568--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-gcp-account.html#installation-gcp-organization-policies_installing-gcp-account
QE review: