Bug 1311878
Summary: | Ansible installer for GCE needs to allow API access to all Google Cloud services | |
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | Liang Xia <lxia>
Component: | Installer | Assignee: | Scott Dodson <sdodson>
Status: | CLOSED WONTFIX | QA Contact: | Liang Xia <lxia>
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | akostadi, aos-bugs, bleanhar, eparis, jhou, jokerman, lshulman, lxia, mmccomas
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-03-29 19:37:10 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Liang Xia
2016-02-25 09:20:35 UTC
Hi Xia Liang, can you tell us what playbook you are running and how you are provisioning the OpenShift environment?

Alex fixed this in our SCALE-CI.

Yeah, basically, when starting an instance from the console with the option "Allow API access to all Google Cloud services in the same project", the instance is actually launched with an additional option (YAML representation):

```yaml
service_accounts:
- :email: "weird_numeric_service_account_id.com"
  :scopes:
  - https://www.googleapis.com/auth/cloud-platform
```

I think in the REST API it is called serviceAccount; the above is from the Ruby client library. When running without the option, the permissions are more limited:

```
# - https://www.googleapis.com/auth/cloud.useraccounts.readonly
# - https://www.googleapis.com/auth/devstorage.read_only
# - https://www.googleapis.com/auth/logging.write
# - https://www.googleapis.com/auth/monitoring.write
# - https://www.googleapis.com/auth/servicecontrol
# - https://www.googleapis.com/auth/service.management
```

In AOS ansible I think we can select exactly the permissions we need, i.e. `https://www.googleapis.com/auth/cloud-platform` looks too broad to me. I'd vote to only select the scopes OpenShift actually needs. Thanks to Liang Xia for obtaining the correct scopes.

bin/cluster and any GCE specific playbooks are only community supported and not part of OSE. At a minimum this bug should move to the origin product. I am not sure from the above whether the current state is blocking anything or trying to improve the security setup of the install?

I couldn't understand the exact use case above. I only changed our scripts to launch instances on GCE. But if this use case involves creating instances from a playbook, then that playbook needs to specify the required option (because my change will not have any effect):

```yaml
service_accounts:
- :email: default
  :scopes:
  - https://www.googleapis.com/auth/cloud-platform
```

I'm OK with the current solution.

We need the option enabled when launching GCE instances to support some storage testing. The reason we want the 'allow API access' option from the installer is that openshift/kubernetes needs the API access to provision GCE PDs, but ansible-launched instances do not have the access. We think people deploying OpenShift on GCE would prefer to use GCE PDs instead of other storage as their persistent volumes.

Yes, that configuration cannot be added after instances are launched. So whatever is launching instances, it needs to set the above option. QE launcher already sets that.

I'd like to stress again though that ideally we should use a service account with proper permissions for the tasks OpenShift needs to perform. Not a good idea to grant full access if it only needs to create volumes.

(In reply to Aleksandar Kostadinov from comment #9)
> Yes, that configuration cannot be added after instances are launched. So
> whatever is launching instances, it needs to set the above option. QE
> launcher already sets that.
>
> I'd like to stress again though that ideally we should use a service account
> with proper permissions for the tasks OpenShift needs to perform. Not a good
> idea to grant full access if it only needs to create volumes.

Hi, was this addressed? I'm running into this issue right now with the GCE openshift-ansible installer. I can spin up an OpenShift cluster just fine, but none of the instances have Gcloud API access to connect to GCE persistent disks, and Gcloud doesn't allow changing those instance permissions once they are created.
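The thread turns on two facts about GCE instance service accounts: the `cloud-platform` scope is broader than OpenShift needs, and a node launched with only the default scopes has no compute API access, so PD provisioning fails. The script below is an added example (not code from openshift-ansible or from anyone in this thread) that audits instances for both conditions. It reads the JSON shape that `gcloud compute instances describe --format=json` prints (the `serviceAccounts[].scopes` field), replaced here by constructed sample records; the assumption that PD provisioning needs the read-write compute scope `https://www.googleapis.com/auth/compute` (gcloud alias `compute-rw`) is the example's own, not something the bug report states.

```python
"""Audit GCE instance service-account scopes for over-breadth and for the
missing compute scope discussed in bug 1311878.

Added example, not project code. Input shape follows
`gcloud compute instances describe --format=json`; the records below are constructed.
"""
import json
from typing import Dict, List

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
# Assumption (not stated in the bug): creating and attaching GCE persistent
# disks needs the read-write compute scope, the gcloud alias "compute-rw".
COMPUTE_RW = "https://www.googleapis.com/auth/compute"

# Scopes GCE grants when "Allow API access to all Google Cloud services"
# is left unchecked, as listed in the bug report.
DEFAULT_SCOPES = [
    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management",
]

OVER_BROAD = "over-broad: cloud-platform grants every Google Cloud API"
NO_COMPUTE = "no compute scope: OpenShift cannot provision GCE PDs from this node"

# Constructed sample: three instances, one per situation in the thread.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "console-launched-node",
     "serviceAccounts": [{"email": "default", "scopes": [CLOUD_PLATFORM]}]},
    {"name": "ansible-launched-node",
     "serviceAccounts": [{"email": "default", "scopes": DEFAULT_SCOPES}]},
    {"name": "least-privilege-node",
     "serviceAccounts": [{"email": "default",
                          "scopes": DEFAULT_SCOPES + [COMPUTE_RW]}]},
])


def instance_scopes(instance: Dict) -> List[str]:
    """Collect every scope across all service accounts attached to the instance."""
    scopes = set()
    for account in instance.get("serviceAccounts", []):
        scopes.update(account.get("scopes", []))
    return sorted(scopes)


def audit_instance(instance: Dict) -> Dict[str, object]:
    """Flag an over-broad scope, or the absence of any compute scope."""
    scopes = set(instance_scopes(instance))
    findings = []
    if CLOUD_PLATFORM in scopes:
        findings.append(OVER_BROAD)
    elif COMPUTE_RW not in scopes:
        # cloud-platform already implies compute access, so only report
        # the missing scope when cloud-platform is absent.
        findings.append(NO_COMPUTE)
    return {"name": instance["name"], "findings": findings,
            "least_privilege": not findings}


def audit_json(describe_output: str) -> List[Dict[str, object]]:
    """Audit every instance in a JSON list as printed by gcloud."""
    return [audit_instance(inst) for inst in json.loads(describe_output)]


def gcloud_scopes_flag() -> str:
    """The --scopes value to pass at creation time for a node that needs PD
    provisioning and nothing broader. It must be set at launch: the thread
    notes the scopes cannot be changed on an instance afterwards."""
    return "--scopes=" + ",".join(DEFAULT_SCOPES + [COMPUTE_RW])


if __name__ == "__main__":
    for result in audit_json(SAMPLE_INSTANCES_JSON):
        status = "ok" if result["least_privilege"] else "; ".join(result["findings"])
        print(f"{result['name']}: {status}")
    print("create nodes with:", gcloud_scopes_flag())
```

Run against real output with `gcloud compute instances list --format=json | python3 audit_scopes.py` by replacing `SAMPLE_INSTANCES_JSON` with `sys.stdin.read()`; the two finding strings map directly onto the two complaints in the thread, so a clean report means the node can create PDs without holding `cloud-platform`.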