Bug 1879627 - GCP install docs missing permission
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Assignee: Lindsey Barbee-Vargas
QA Contact: To Hung Sze
Vikram Goyal
Reported: 2020-09-16 16:37 UTC by Michael Gugino
Modified: 2021-05-18 14:49 UTC (History)

Last Closed: 2021-05-18 14:49:13 UTC

Comment 1 Lindsey Barbee-Vargas 2021-04-27 19:16:45 UTC
Hi Michael,

Can you please confirm which account the permission is missing for, either the Control Plane or Compute account in "Table 3. GCP service account permissions" in https://docs.openshift.com/container-platform/4.5/installing/installing_gcp/installing-gcp-account.html#installation-gcp-permissions_installing-gcp-account? 

Also, does the `roles/compute.instanceAdmin` role need to be updated to `roles/compute.instanceAdmin.v1` based on the yaml you linked to?

Comment 2 Michael Gugino 2021-04-27 20:19:25 UTC
Looks like it belongs in the "Control Plane" table.

For the .v1 part, yes, let's copy what's in the yaml.

Comment 3 Lindsey Barbee-Vargas 2021-04-30 18:04:47 UTC
Updates to "Table 3. GCP service account permissions" were made in https://github.com/openshift/openshift-docs/pull/32090.

Comment 4 Matthew Staebler 2021-05-13 17:32:43 UTC
The table in question looks to be the roles assigned by the installer to the master and worker node service accounts. The role assigned by the CCO in response to the CredentialsRequest linked is not relevant to the roles assigned by the installer.

Comment 5 To Hung Sze 2021-05-13 18:13:03 UTC
@mgugino@redhat.com 

Installation with roles/compute.instanceAdmin (i.e. without .v1) still completes with latest 4.8 nightly.

Does the change to add ".v1" affect actions after installation?
Is it compulsory to use .v1?

Just curious.

Thanks.

Comment 6 Matthew Staebler 2021-05-13 18:56:11 UTC
(In reply to To Hung Sze from comment #5)
> @mgugino@redhat.com 
> 
> Installation with roles/compute.instanceAdmin (i.e. without .v1) still
> completes with latest 4.8 nightly.
> 
> Does the change to add ".v1" affect actions after installation?
> Is it compulsory to use .v1?
> 
> Just curious.
> 
> Thanks.

The installer still uses roles/compute.instanceAdmin (with no .v1).
See https://github.com/openshift/installer/blob/7ba3f375977b7e2a0adc856db3f258f2c53b8aef/data/data/gcp/master/main.tf#L12.

Comment 7 To Hung Sze 2021-05-13 19:24:23 UTC
I should clarify, if I am not mistaken, the proposed change for user-doc includes a code change
https://deploy-preview-32090--osdocs.netlify.app/openshift-enterprise/latest/installing/installing_gcp/installing-gcp-user-infra-vpc.html#installation-creating-gcp-iam-shared-vpc_installing-gcp-user-infra-vpc

7 The templates do not create the policy bindings due to limitations of Deployment Manager, so you must create them manually:
$ gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member "serviceAccount:${MASTER_SERVICE_ACCOUNT}" --role "roles/compute.instanceAdmin.v1"

Is ".v1" needed?

Thanks.

Comment 8 Matthew Staebler 2021-05-13 20:05:40 UTC
(In reply to To Hung Sze from comment #7)
> I should clarify, if I am not mistaken, the proposed change for user-doc
> includes a code change
> https://deploy-preview-32090--osdocs.netlify.app/openshift-enterprise/latest/
> installing/installing_gcp/installing-gcp-user-infra-vpc.html#installation-
> creating-gcp-iam-shared-vpc_installing-gcp-user-infra-vpc
> 
> 7 The templates do not create the policy bindings due to limitations of
> Deployment Manager, so you must create them manually:
> $ gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member
> "serviceAccount:${MASTER_SERVICE_ACCOUNT}" --role
> "roles/compute.instanceAdmin.v1"
> 
> Is ".v1" needed?
> 
> Thanks.

No. The IPI install does not use ".v1". The UPI install does not need to use ".v1" either.
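
Added example, not part of the original thread or of the installer or docs: a way to check which of the two role names discussed here is actually bound to a service account, by reading the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`. The sample policy, project and account names are constructed, and the default expected role is an assumption taken from comment 6.

```python
import json

# The two role names discussed in this bug. One is a prefix of the other,
# so they must be compared exactly, never by substring or prefix.
ROLE_PLAIN = "roles/compute.instanceAdmin"
ROLE_V1 = "roles/compute.instanceAdmin.v1"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# Project, user and service account names are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.instanceAdmin",
     "members": ["serviceAccount:demo-m@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["serviceAccount:demo-m@example-project.iam.gserviceaccount.com",
                 "user:admin@example.com"]},
    {"role": "roles/compute.viewer",
     "members": ["serviceAccount:demo-w@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

def instance_admin_bindings(policy):
    """Map each service account to the instanceAdmin role variants it holds."""
    held = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in (ROLE_PLAIN, ROLE_V1):
            continue
        for member in binding.get("members", []):
            kind, _, name = member.partition(":")
            if kind == "serviceAccount":  # skip users and groups
                held.setdefault(name, set()).add(role)
    return held

def review(policy, expected_role=ROLE_PLAIN):
    """Return findings for accounts whose bindings differ from expected_role."""
    findings = []
    for account, roles in sorted(instance_admin_bindings(policy).items()):
        extra = sorted(roles - {expected_role})
        if extra:
            findings.append((account, "unexpected", extra))
        if expected_role not in roles:
            findings.append((account, "missing", [expected_role]))
    return findings

if __name__ == "__main__":
    print(review(SAMPLE_POLICY))
```

Conditional bindings are treated like unconditional ones here; a stricter review would also inspect each binding's `condition` field.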

Comment 9 Michael Gugino 2021-05-17 14:07:57 UTC
It appears I misinterpreted what this table was for.  It appears it might just be for the permissions required by the installer.  If the installer team is happy with the permissions, we can probably close this as not a bug.

Comment 10 To Hung Sze 2021-05-17 20:19:03 UTC
New BZ related to this topic
https://bugzilla.redhat.com/show_bug.cgi?id=1961399

Comment 11 Lindsey Barbee-Vargas 2021-05-18 14:49:13 UTC
Closing as NOTABUG. The related PR[1] will also be closed without merging.

[1] https://github.com/openshift/openshift-docs/pull/32090

