Document URL:
https://docs.openshift.com/container-platform/3.3/install_config/configuring_gce.html
https://docs.openshift.com/container-platform/3.3/install_config/persistent_storage/persistent_storage_gce.html
https://docs.openshift.com/container-platform/3.3/install_config/registry/extended_registry_configuration.html#docker-registry-configuration-reference-reporting

Section Number and Name:

Describe the issue:
The documentation explains the configurations to be done to activate various integrations with the underlying cloud provider, such as:
1. load balancing
2. dynamically provisioned storage
3. object storage for the registry

The documentation explains to a certain extent what to do to authenticate with the underlying cloud provider APIs. For Google Cloud this is nothing, because all the instances are automatically authenticated with service accounts. The documentation does not explain what permissions those service accounts should have in order for the various operations to succeed. Based on my experience (https://github.com/raffaelespazzoli/openshift-enablement-exam) the following is needed (in Google Cloud, permissions are given in the form of OAuth scopes):
"https://www.googleapis.com/auth/compute": to work with forwarding rules and attached storage
"https://www.googleapis.com/auth/devstorage.read_write": to work with object storage

I haven't finished my experiments; there may be others that are needed. I'm working on Google Cloud, but the same concept may apply to other cloud providers.

Suggestions for improvement:
Add the information to correctly configure permissions. Suggest using the minimal permissions that allow completing the job. For example, "https://www.googleapis.com/auth/compute" is a sort of root access; there may be a better, more fine-tuned scope.

Additional information:
Docs PR: https://github.com/openshift/openshift-docs/pull/3018
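The following is an added example, not from the bug report, the docs PR or OpenShift itself: a POSIX shell check that reads the OAuth scopes the node's default service account carries from the GCE metadata server and verifies the two scopes the report above names are present. It also flags the blanket https://www.googleapis.com/auth/cloud-platform scope, which, to my understanding (an assumption here), is what the "Allow full access to all cloud APIs" console option grants. The metadata URL and header are Google's documented ones; the sample scope list is constructed so the check can run offline.

```shell
#!/bin/sh
# Scopes the bug report identifies as needed for forwarding rules,
# attached storage and registry object storage on GCE.
REQUIRED_SCOPES="https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.read_write"
# Assumption: this scope is the "Allow full access to all cloud APIs" setting.
FULL_ACCESS_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# check_scopes SCOPES: SCOPES is the newline-separated list as served by the
# metadata server. Prints one line per finding; returns 0 if every required
# scope is present, 1 if any is missing.
check_scopes() {
    scopes="$1"
    missing=0
    for s in $REQUIRED_SCOPES; do
        if printf '%s\n' "$scopes" | grep -qxF "$s"; then
            echo "ok:      $s"
        else
            echo "missing: $s"
            missing=1
        fi
    done
    if printf '%s\n' "$scopes" | grep -qxF "$FULL_ACCESS_SCOPE"; then
        echo "warning: $FULL_ACCESS_SCOPE grants every API; prefer the specific scopes above"
    fi
    return $missing
}

# Fetch the live scope list; only works when run on a GCE instance.
instance_scopes() {
    curl -sf -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Constructed sample standing in for the metadata response (offline run):
# both required scopes plus the blanket scope, so the warning fires.
SAMPLE_SCOPES="https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/cloud-platform"

if [ "${1:-}" = "--live" ]; then
    check_scopes "$(instance_scopes)"
else
    check_scopes "$SAMPLE_SCOPES"
fi
```

Run it with `--live` on a node to check the real service account; without arguments it evaluates the constructed sample.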
Scott, Can you please offer guidance on what is needed here, or point me in the right direction? Thanks!
@screeley Looks like you helped with this content in the past. Can you offer any guidance? Thanks!
Ashley, I'll take a look first thing on Monday and add any info to this BZ, thanks Scott
Thanks so much, Scott!
Ashley, if I look at our RH devel project on GCE, it looks like there are four APIs enabled by default:
- Stackdriver Logging API
- Google Compute Engine API
- Google Cloud Storage API
- Google Cloud Storage JSON API

I think Dan McPherson would be the best person to ask, as I think he manages the openshift-gce-devel project and would probably have more insight on what he enables for that project to work. Also, when I manually create a new instance I always select "Allow full access to all cloud APIs".
Thanks, Scott! @Dan, can you please confirm what should be enabled?
After consulting with the development team, it looks like work on this needs to be deferred till the devs have had time to work on it. I am closing this bug marked as deferred.