mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00

osdocs-667 GCP docs updates

Kathryn Alexander
2019-11-15 14:32:32 -05:00
committed by openshift-cherrypick-robot
parent a9cd6c754b
commit 187be759e3
5 changed files with 47 additions and 15 deletions

View File

@@ -327,10 +327,6 @@ link:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-grou
with an Azure cluster.
====
endif::azure[]
////
ifdef::gcp[]
.Additional Google Cloud Platform (GCP) parameters
////
ifeval::["{context}" == "installing-aws-customizations"]
:!aws:

View File

@@ -42,5 +42,6 @@ uses. For example, if you registered your domain to Google Domains, see the
following topic in the Google Domains Help:
link:https://support.google.com/domains/answer/3290309?hl=en[How to switch to custom name servers].
. If you use a subdomain, follow your company's procedures to add its delegation
records to the parent domain.
. If you migrated your root domain to Google Cloud DNS, migrate your DNS records. See link:https://cloud.google.com/dns/docs/migrating[Migrating to Cloud DNS] in the GCP documentation.
. If you use a subdomain, follow your company's procedures to add its delegation records to the parent domain. This process might include a request to your company's IT department or the division that controls the root domain and DNS services for your company.
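Review bot: The new step "If you migrated your root domain to Google Cloud DNS, migrate your DNS records" comes after the step that switches the registrar to custom name servers, so a reader who follows the list in order delegates to a zone that does not yet hold the existing records. Consider moving the record migration ahead of the name server change, or stating that the records must be in Cloud DNS before the switch. In the rewritten subdomain step, "your company" appears three times in two sentences; "the IT department or the division that controls the root domain and DNS services" reads more cleanly.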

View File

@@ -27,15 +27,15 @@ the bootstrap process and are removed after the cluster deploys.
ifeval::["{context}" == "installing-gcp-account"]
|Service account |IAM |Global |5 |0
|Firewall Rules |Compute |Global |35 |1
|Forwarding Rules |Compute |Global |3 |0
|Firewall Rules |Compute |Global |11 |1
|Forwarding Rules |Compute |Global |2 |0
|In-use global IP addresses |Compute |Global |4 |1
|Health checks |Compute |Global |3 |0
|Images |Compute |Global |1 |0
|Networks |Compute |Global |1 |0
|Networks |Compute |Global |2 |0
|Static IP addresses |Compute |Region |4 |1
|Routers |Compute |Global |1 |0
|Routes |Compute |Global |3 |0
|Routes |Compute |Global |2 |0
|Subnetworks |Compute |Global |2 |0
|Target Pools |Compute |Global |3 |0
|CPUs |Compute |Region |28 |4
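Review bot: In the `installing-gcp-account` block the Networks row goes up to 2, while the `installing-gcp-user-infra` block later in this file still lists Networks as 1, and Forwarding Rules drops to 2 while Health checks and Target Pools in the same block stay at 3. If those differences are intentional, a short comment in the source saying where the numbers come from would help the next editor; if not, the rows should be brought into line. The Firewall Rules change from 35 to 11 is large enough that the commit message should say what it was verified against.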
@@ -44,7 +44,7 @@ endif::[]
ifeval::["{context}" == "installing-gcp-user-infra"]
|Service account |IAM |Global |5 |0
|Firewall Rules |Networking |Global |35 |1
|Firewall Rules |Networking |Global |11 |1
|Forwarding Rules |Compute |Global |2 |0
// |In-use IP addresses global |Networking |Global |4 |1
|Health checks |Compute |Global |2 |0
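Review bot: The Firewall Rules row here keeps `Networking` in the service column, while the same resource in the `installing-gcp-account` block is listed under `Compute`. Because this line is being touched anyway, it is a good moment to pick one service name per resource type and use it in both blocks, so that a reader looking for the quota in the GCP console finds it under the same heading regardless of which installation path they follow.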
@@ -52,10 +52,33 @@ ifeval::["{context}" == "installing-gcp-user-infra"]
|Networks |Networking |Global |1 |0
// |Static IP addresses |Compute |Region |4 |1
|Routers |Networking |Global |1 |0
|Routes |Networking |Global |3 |0
|Routes |Networking |Global |2 |0
|Subnetworks |Compute |Global |2 |0
|Target Pools |Networking |Global |2 |0
// |CPUs |Compute |Region |28 |4
// |Persistent Disk SSD (GB) |Compute |Region |896 |128
endif::[]
|===
[NOTE]
====
If any of the quotas are insufficient during installation, the installation program displays an error that states both which quota was exceeded and the region.
====
Be sure to consider your actual cluster size, planned cluster growth, and any usage from other clusters that are associated with your account. The CPU, Static IP addresses, and Persistent Disk SSD (Storage) quotas are the ones that are most likely to be insufficient.
If you plan to deploy your cluster in one of the following regions, you will exceed the maximum storage quota and are likely to exceed the CPU quota limit:
* asia-east2
* asia-northeast2
* asia-south1
* australia-southeast1
* europe-north1
* europe-west2
* europe-west3
* europe-west6
* northamerica-northeast1
* southamerica-east1
* us-west2
You can increase resource quotas from the link:https://console.cloud.google.com/iam-admin/quotas[GCP console], but you might need to file a support ticket. Be sure to plan your cluster size early so that you can allow time to resolve the support ticket before you install your {product-title} cluster.
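Review bot: The added paragraph names the CPU, Static IP addresses, and Persistent Disk SSD (Storage) quotas as the most likely to be insufficient, but in the `installing-gcp-user-infra` block those three rows are commented out (`// |Static IP addresses`, `// |CPUs`, `// |Persistent Disk SSD (GB)`), and because the text sits after `|===` outside any `ifeval`, it renders in both contexts. Either restore those rows for the user-infra table or wrap the paragraph and region list in the `installing-gcp-account` condition. "You will exceed the maximum storage quota" should also say which quota is meant (the default quota for the region, presumably) so that it is not read as a hard limit.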

View File

@@ -6,7 +6,7 @@
[id="installation-gcp-service-account_{context}"]
= Creating a service account in GCP
{product-title} requires a Google Cloud Platform (GCP) service account.
{product-title} requires a Google Cloud Platform (GCP) service account that provides authentication and authorization to access data in the Google APIs. If you do not have an existing IAM service account that contains the required roles in your project, you must create one.
.Prerequisites
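Review bot: The new sentence "If you do not have an existing IAM service account that contains the required roles in your project, you must create one" encourages reusing whatever service account already holds broad roles, which means the installer's key is shared with other workloads and cannot be revoked independently. Consider recommending a dedicated service account for the installation, and point to where the "required roles" are listed, since this paragraph refers to them before the procedure defines them.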
@@ -14,7 +14,7 @@
.Procedure
. Create a new service account in the project that you use to host your
. Create a service account in the project that you use to host your
{product-title} cluster. See
link:https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account[Creating a service account]
in the GCP documentation.
@@ -22,8 +22,13 @@ in the GCP documentation.
. Grant the service account the appropriate permissions. You can either
grant the individual permissions that follow or assign the `Owner` role to it.
See link:https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource[Granting roles to a service account for specific resources].
+
[NOTE]
====
While making the service account an Owner of the project is the easiest way to gain the required permissions, it means that that service account has complete control over the project. You must determine if the risk that comes from offering that power is acceptable.
====
. Create the service account key.
. Create the service account key in JSON format.
See link:https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys[Creating service account keys]
in the GCP documentation.
+
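Review bot: The step text still presents assigning the `Owner` role as an equal alternative ("You can either grant the individual permissions that follow or assign the `Owner` role to it") and the risk is only raised afterwards in the NOTE, so a reader who skims the step picks the broadest option. Suggest leading with the individual permissions and describing `Owner` as the fallback, and fix the doubled word in "it means that that service account". The key step now specifies JSON format but says nothing about how to store the downloaded key file; one sentence on keeping it out of shared locations and source control would fit here.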

View File

@@ -217,6 +217,13 @@ ifdef::aws[]
account that you used to install the cluster.
endif::aws[]
ifdef::gcp[]
. Optional: You can reduce the number of permissions for the service account that you used to install the cluster.
** If you assigned the `Owner` role to your service account, you can remove that role and replace it with the `Viewer` role.
** If you included the `Service Account Key Admin` role,
you can remove it.
endif::gcp[]
ifeval::["{context}" == "installing-aws-customizations"]
:custom-config:
:!aws:
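Review bot: The step is marked "Optional" even though the service account NOTE added elsewhere in this commit says an `Owner` service account "has complete control over the project"; dropping `Owner` after installation is the mitigation for that risk and reads better as a recommendation than as an optional extra. The step also covers roles only: the JSON key created for the installation stays valid after the roles are reduced, so consider adding a bullet about deleting or rotating that key if it is no longer needed. Minor: the second bullet is wrapped mid-sentence ("role," / "you can remove it") while the first is on one line.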