CCO-249: Replace GCP role with explicit permissions #844
/test e2e-gcp-operator
Force-pushed from 5f0a543 to b7e93ae.
/test e2e-gcp-operator
Force-pushed from b7e93ae to 33eac27.
/test e2e-gcp-operator
e2e-gcp-operator failed because of a nil-pointer dereference in
e2e-aws-operator failed because of an installer issue, which should be fixed by openshift/installer#6489.
@Miciah it looks like
Indeed. Thanks for pointing that out! I'll fix that in the next push.
Force-pushed from 48be43f to 677106a.
/assign @gcs278 @suleymanakbas91
nit: your PR description is a little off, probably just want to make it match your latest commit message.
Thanks! I think I've corrected the discrepancies.
/test e2e-gcp-operator
e2e-gcp-operator failed because kube-apiserver reported
All look like cluster install failures and etcd issues.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gcs278 The full list of commands accepted by this bot can be found here. The pull request process is described here
disruption and deprovisioning issues
disruption issues, DNS e2e failure, and deprovision issues.
e2e-gcp-ovn-serial is a little suspicious with a GCP Service unavailable, but seems transient.
Holding due to custom role leak in CI https://issues.redhat.com/browse/CCO-243.
/remove-lifecycle rotten
/hold cancel
@Miciah: This pull request references CCO-249 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm
@Miciah: The following test failed, say
/hold Revision a236822 was retested 3 times: holding
e2e-gcp-operator failed because
@Miciah: Overrode contexts on behalf of Miciah: ci/prow/e2e-gcp-operator In response to this:
Tested it with 4.15.0-0.ci.test-2023-12-11-002730-ci-ln-zm90s6t-latest, created an internal and an external gcp ingress controller, two routes for the ingresscontrollers worked well. Also the dnsrecords were in good status.
% oc get route
% oc -n openshift-ingress get svc
% oc -n openshift-ingress-operator get dnsrecords shard-wildcard -oyaml
@huangmingxia @lihongan worked well from network edge side, please take a look at my comment above, thanks.
/label qe-approved
@Miciah: This pull request references CCO-249 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
/hold cancel |
Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.
The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control
Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:
dns.changes.create
dns.resourcerecordsets.list
These methods require the following permissions:
dns.changes.create
dns.resourceRecordSets.create
dns.resourceRecordSets.update
dns.resourceRecordSets.delete
dns.resourceRecordSets.list
This PR replaces the dns.admin role with these permissions in the credentials request.
manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.
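The change described above, as an added illustration that is not the PR's own manifest: the predefined-role request beside the least-privilege request built from the five permissions listed. The GCPProviderSpec field names predefinedRoles and permissions follow the CredentialsRequest API; the request name and the secret name are assumed placeholders.

```yaml
# Before: one predefined role that carries every Cloud DNS permission.
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: openshift-ingress-gcp            # assumed name
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: cloud-credentials              # assumed secret name
    namespace: openshift-ingress-operator
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/dns.admin
---
# After: only the permissions behind the two API methods the operator calls.
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: openshift-ingress-gcp            # assumed name
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: cloud-credentials              # assumed secret name
    namespace: openshift-ingress-operator
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    permissions:
    # dns.changes.create needs these four
    - dns.changes.create
    - dns.resourceRecordSets.create
    - dns.resourceRecordSets.update
    - dns.resourceRecordSets.delete
    # dns.resourceRecordSets.list needs this one
    - dns.resourceRecordSets.list
```

With permissions set instead of predefinedRoles, the Cloud Credential Operator mints a project-level custom role rather than binding a predefined one, which is why the thread holds on the custom-role leak tracked as CCO-243.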