Skip to content

OSDOCS-16429 Reducing GCP permissions #100149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 17, 2025
Merged

OSDOCS-16429 Reducing GCP permissions #100149

merged 1 commit into from
Oct 17, 2025

Conversation

@bscott-rh
Copy link
Contributor

@bscott-rh bscott-rh commented Oct 7, 2025
edited
Loading

@bscott-rh bscott-rh added this to the Planned for 4.20 GA milestone Oct 7, 2025
@openshift-ci openshift-ci bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Oct 7, 2025
@ocpdocs-previewbot
Copy link

ocpdocs-previewbot commented Oct 7, 2025
edited
Loading

🤖 Fri Oct 17 15:05:31 - Prow CI generated the docs preview:

https://100149--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-gcp-account.html

jianli-wei
jianli-wei suggested changes Oct 14, 2025
View reviewed changes
jianli-wei
jianli-wei reviewed Oct 16, 2025
View reviewed changes
jianli-wei
jianli-wei reviewed Oct 17, 2025
View reviewed changes
modules/minimum-required-permissions-ipi-gcp.adoc Outdated
* `iam.serviceAccountKeys.get`
* `iam.serviceAccountKeys.list`
* `iam.serviceAccounts.actAs`
** This permission can be limited to act as the control plane and compute service accounts. Alternatively, you may grant the service account that the installation program creates the `iam.serviceAccountUser` role on the control plane and compute service accounts.
Copy link

@jianli-wei jianli-wei Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess "you may grant the service account that the installation program creates" should be "you may grant the service account that the installation program uses", is it?

@bscott-rh bscott-rh added the merge-review-needed Signifies that the merge review team needs to review this PR label Oct 17, 2025
@mburke5678 mburke5678 added the merge-review-in-progress Signifies that the merge review team is reviewing this PR label Oct 17, 2025
mburke5678
mburke5678 reviewed Oct 17, 2025
View reviewed changes
modules/minimum-required-permissions-ipi-gcp-xpn.adoc Outdated
====
If you do not supply a service account for control plane nodes in the `install-config.yaml` file, please grant the below permissions to the service account in the host project. If you do not supply a service account for compute nodes in the `install-config.yaml` file, please grant the below permissions to the service account in the host project for cluster destruction.
If you do not supply a service account for control plane nodes in the `install-config.yaml` file, please grant the below permissions to the service account in the host project. If you do not supply a service account for compute nodes in the `install-config.yaml` file, please grant the below permissions to the service account in the host project for cluster destruction. If you do supply service accounts for control plane and compute nodes, you do not need to grant the below permissions.
Copy link
Contributor

@mburke5678 mburke5678 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can I ask you to fix this one? Per ISG: Do not use to indicate a relative location in a document, as in “the information below”

Suggested change
If you do not supply a service account for control plane nodes in the `install-config.yaml` file, please grant the below permissions to the service account in the host project. If you do not supply a service account for compute nodes in the `install-config.yaml` file, please grant the below permissions to the service account in the host project for cluster destruction. If you do supply service accounts for control plane and compute nodes, you do not need to grant the below permissions.
If you do not supply a service account for control plane nodes in the `install-config.yaml` file, please grant the following permissions to the service account in the host project. If you do not supply a service account for compute nodes in the `install-config.yaml` file, please grant the following permissions to the service account in the host project for cluster destruction. If you do supply service accounts for control plane and compute nodes, you do not need to grant the following permissions.

Copy link
Contributor Author

@bscott-rh bscott-rh Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated, thanks

@openshift-ci
Copy link

openshift-ci bot commented Oct 17, 2025

@bscott-rh: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@mburke5678 mburke5678 merged commit 1ad209a into openshift:main Oct 17, 2025
2 checks passed
@bscott-rh
Copy link
Contributor Author

bscott-rh commented Oct 17, 2025

/cherrypick enterprise-4.20

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Oct 17, 2025

@bscott-rh: new pull request created: #100761

In response to this:

/cherrypick enterprise-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Oct 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mburke5678 mburke5678 mburke5678 left review comments

+2 more reviewers

@jianli-wei jianli-wei jianli-wei requested changes

@ocpdocs-vale-bot ocpdocs-vale-bot ocpdocs-vale-bot left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

branch/enterprise-4.20 merge-review-in-progress Signifies that the merge review team is reviewing this PR merge-review-needed Signifies that the merge review team needs to review this PR size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

OCP 4.20 GA

Development

Successfully merging this pull request may close these issues.

6 participants

@bscott-rh @ocpdocs-previewbot @openshift-cherrypick-robot @mburke5678 @jianli-wei @ocpdocs-vale-bot