OSDOCS-17996: reduce scope of mapi controller perms for gcp

2026-02-05 03:47:04 +01:00 · 2026-01-26 18:15:07 -05:00
parent 0cf1fa1956
commit 11cba0ba2d
6 changed files with 208 additions and 0 deletions
--- a/installing/installing_gcp/installing-gcp-customizations.adoc
+++ b/installing/installing_gcp/installing-gcp-customizations.adoc
@@ -112,6 +112,9 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]
 //Task part 2: Creating the required GCP resources
 include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

+//Restricting service account impersonation to the compute nodes service account
+include::modules/restricting-sa-impersonation-compute-sa-gcp.adoc[leveloffset=+3]
+
 //Task part 3: Incorporating the Cloud Credential Operator utility manifests
 include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

--- a/installing/installing_gcp/installing-gcp-private.adoc
+++ b/installing/installing_gcp/installing-gcp-private.adoc
@@ -105,6 +105,9 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]
 //Task part 2: Creating the required GCP resources
 include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

+//Restricting service account impersonation to the compute nodes service account
+include::modules/restricting-sa-impersonation-compute-sa-gcp.adoc[leveloffset=+3]
+
 //Task part 3: Incorporating the Cloud Credential Operator utility manifests
 include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

--- a/installing/installing_gcp/installing-gcp-shared-vpc.adoc
+++ b/installing/installing_gcp/installing-gcp-shared-vpc.adoc
@@ -89,6 +89,9 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]
 //Task part 2: Creating the required GCP resources
 include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

+//Restricting service account impersonation to the compute nodes service account
+include::modules/restricting-sa-impersonation-compute-sa-gcp.adoc[leveloffset=+3]
+
 //Task part 3: Incorporating the Cloud Credential Operator utility manifests
 include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

--- a/installing/installing_gcp/installing-gcp-vpc.adoc
+++ b/installing/installing_gcp/installing-gcp-vpc.adoc
@@ -102,6 +102,9 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]
 //Task part 2: Creating the required GCP resources
 include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

+//Restricting service account impersonation to the compute nodes service account
+include::modules/restricting-sa-impersonation-compute-sa-gcp.adoc[leveloffset=+3]
+
 //Task part 3: Incorporating the Cloud Credential Operator utility manifests
 include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

--- a/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+++ b/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
@@ -110,6 +110,9 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]
 //Task part 2: Creating the required GCP resources
 include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

+//Restricting service account impersonation to the compute nodes service account
+include::modules/restricting-sa-impersonation-compute-sa-gcp.adoc[leveloffset=+3]
+
 //Task part 3: Incorporating the Cloud Credential Operator utility manifests
 include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

--- a/modules/restricting-sa-impersonation-compute-sa-gcp.adoc
+++ b/modules/restricting-sa-impersonation-compute-sa-gcp.adoc
@@ -0,0 +1,193 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-customizations.adoc
+// * installing/installing_gcp/installing-gcp-network-customizations.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+// * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-gcp-shared-vpc.adoc
+// * installing/installing_gcp/installing-gcp-private.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="restricting-sa-impersonation-compute-sa-gcp_{context}"]
+= Restricting service account impersonation to the compute nodes service account
+
+[role="_abstract"]
+After the Cloud Credential Operator utility (`ccoctl`) creates the resources for the cluster, you can restrict the {gcp-first} `iam.serviceAccounts.actAs` permission that the `ccoctl` utility granted to the Machine API controller service account to the compute nodes service account.
+
+[NOTE]
+====
+Restricting service account impersonation to the compute nodes service account is optional.
+If your organization does not require this change, you can continue to "Incorporating the Cloud Credential Operator utility manifests".
+====
+
+When the `ccoctl` utility assigns custom and {gcp-short} predefined roles to {product-title} components service accounts, it grants the `iam.serviceAccounts.actAs` permission to the Machine API controller service account at the {gcp-first} project level.
+To reduce the scope of the `iam.serviceAccounts.actAs` permission, you identify the custom role of the Machine API controller service account and replace it with a role that has a more restricted set of permissions.
+To allow this component to work, you then grant the Machine API controller service account the Service Account User role on the service account of the compute nodes instead.
+
+.Prerequisites
+
+* You have configured an account with the cloud platform that hosts your cluster.
+* You have used the `ccoctl` utility to create the cloud provider resources for your cluster.
+* You have access to your `install-config.yaml` file.
+* You have logged in to the {gcp-full} CLI (`gcloud`) as a user with permissions to manage service accounts and roles.
+
+.Procedure
+
+. Obtain the following values from your `install-config.yaml` file:
+
+** The {gcp-short} project name.
+In the YAML file, this is the value of the `platform.gcp.projectID` parameter.
+
+** The cluster name.
+In the YAML file, this is the value of the `metadata.name` parameter.
+
+** The service account for the compute nodes.
+In the YAML file, this is the value of the `compute[0].platform.gcp.serviceAccount` parameter.
+
+. Obtain the service account for the Machine API controller that the `ccoctl` utility created by running the following command:
+
+[source,terminal]
+----
+$ gcloud iam service-accounts list \
+  --filter="displayName=<cluster_name>-openshift-machine-api-gcp" \
+  --format='value(email)'
+----
+
+where `<cluster_name>` is the value specified for the `metadata.name` parameter in your `install-config.yaml` file.
+
+. Obtain the role ID of the custom role for the Machine API controller service account by running the following command:
+
+[source,terminal]
+----
+$ gcloud projects get-iam-policy <project_name> \
+  --flatten='bindings[].members' \
+  --format='table(bindings.role)' \
+  --filter="bindings.members:<machine_api_controller_service_account>"
+----
+
+where `<machine_api_controller_service_account>` is the Machine API controller service account.
+
+. List the custom role permissions for the Machine API controller service account by running the following command:
+
+[source,terminal]
+----
+$ gcloud iam roles describe <machine_api_role> \
+  --project <project_name>
+----
+
+where `<machine_api_role>` is the role ID of the custom role for the Machine API controller service account.
+
+.Example output
+[source,text]
+----
+etag: <etag_value>
+includedPermissions:
+- compute.acceleratorTypes.get
+- compute.acceleratorTypes.list
+- compute.disks.create
+- compute.disks.createTagBinding
+...
+- compute.zones.get
+- compute.zones.list
+- iam.serviceAccounts.actAs
+- iam.serviceAccounts.get
+- iam.serviceAccounts.list
+- resourcemanager.tagValues.get
+- resourcemanager.tagValues.list
+- serviceusage.quotas.get
+- serviceusage.services.get
+- serviceusage.services.list
+name: projects/<project_name>/roles/<machine_api_role>
+stage: GA
+title: <project_name>-openshift-machine-api-gcp
+----
+
+where `<project_name>` is the {gcp-short} project name specified in the `install-config.yaml` file.
+
+[NOTE]
+====
+This truncated example output might not match the permissions list for your cluster.
+====
+
+. Create a custom role that includes all of the permissions from your output except for the `iam.serviceAccounts.actAs` permission by running a command similar to the following:
+
+[source,terminal]
+----
+$ gcloud iam roles create <machine_api_role>_without_actas \
+--project=<project_name> \
+--title=<machine_api_role>_without_actas \
+--description="Required permissions for the Machine API controller without the iam.serviceAccounts.actAs permission" \
+--permissions=compute.acceleratorTypes.get,\
+compute.acceleratorTypes.list,\
+compute.disks.create,\
+compute.disks.createTagBinding,\
+...
+compute.zones.get,\
+compute.zones.list,\
+iam.serviceAccounts.get,\
+iam.serviceAccounts.list,\
+resourcemanager.tagValues.get,\
+resourcemanager.tagValues.list,\
+serviceusage.quotas.get,\
+serviceusage.services.get,\
+serviceusage.services.list
+----
+
+In this example, the new role name is the original custom role name, `<machine_api_role>`, with a `_without_actas` string added to the end.
+
+[IMPORTANT]
+====
+This truncated example command might not match the permissions list for your cluster.
+You must use the list of permissions from the output of the `gcloud iam roles describe <machine_api_role> --project <project_name>` command on your cluster.
+====
+
+. Remove the custom role that includes the `iam.serviceAccounts.actAs` permission from the Machine API controller service account by running the following command:
+
+[source,terminal]
+----
+$ gcloud projects remove-iam-policy-binding <project_name> \
+  --member "serviceAccount:<machine_api_controller_service_account>" \
+  --role "projects/<project_name>/roles/<machine_api_role>"
+----
+
+where `<machine_api_role>` is the original custom role.
+
+. Grant the custom role that excludes the `iam.serviceAccounts.actAs` permission to the Machine API controller service account by running the following command:
+
+[source,terminal]
+----
+$ gcloud projects add-iam-policy-binding <project_name> \
+  --member "serviceAccount:<machine_api_controller_service_account>" \
+  --role "projects/<project_name>/roles/<machine_api_role>_without_actas
+----
+
+where `<machine_api_role>_without_actas` is the new custom role.
+
+. Optional: To verify that the Machine API controller service account has the correct role, check the attached role ID by running the following command:
+
+[source,terminal]
+----
+$ gcloud projects get-iam-policy <project_name> \
+  --flatten='bindings[].members' \
+  --format='table(bindings.role)' \
+  --filter="bindings.members:<machine_api_controller_service_account>"
+----
+
+.Example output
+[source,text]
+----
+ROLE
+projects/<project_name>/roles/<machine_api_role>_without_actas
+----
+
+. Grant the Machine API controller service account the Service Account User role on the service account of the compute nodes by running the following command:
+
+[source,terminal]
+----
+$ gcloud iam service-accounts add-iam-policy-binding <compute_nodes_service_account> \
+  --member="serviceAccount:<machine_api_controller_service_account>" \
+  --role=roles/iam.serviceAccountUser
+----
+
+where `<compute_nodes_service_account>` is the service account for your compute nodes.
+This value is the `compute[0].platform.gcp.serviceAccount` parameter in your `install-config.yaml` file.