From c5efe47423b27dcd941a5e9aa52d8cab60483cc2 Mon Sep 17 00:00:00 2001
From: Lisa Pettyjohn
Date: Fri, 9 Jan 2026 11:27:42 -0500
Subject: [PATCH] OSDOCS-16018#Reducing permissions

---
 .../installing-gcp-account.adoc | 4 ++
 modules/installation-gcp-service-account.adoc | 6 +++
 ...storage-csi-gcp-pd-reduce-permissions.adoc | 47 +++++++++++++++++++
 .../persistent-storage-csi-gcp-pd.adoc | 2 +
 4 files changed, 59 insertions(+)
 create mode 100644 modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc

diff --git a/installing/installing_gcp/installing-gcp-account.adoc b/installing/installing_gcp/installing-gcp-account.adoc
index 9763702765..9ba9863688 100644
--- a/installing/installing_gcp/installing-gcp-account.adoc
+++ b/installing/installing_gcp/installing-gcp-account.adoc
@@ -19,6 +19,10 @@ include::modules/installation-gcp-limits.adoc[leveloffset=+1]
 include::modules/installation-gcp-service-account.adoc[leveloffset=+1]
+[role="_additional-resources"]
+.Additional resources
+* xref:../../storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc#persistent-storage-csi-gcp-pd-reduce-permissions_persistent-storage-csi-gcp-pd[Reducing permissions while using the {gcp-short} CSI Driver Operator]
+
 include::modules/installation-gcp-permissions.adoc[leveloffset=+2]
 include::modules/minimum-required-permissions-ipi-gcp.adoc[leveloffset=+2]
diff --git a/modules/installation-gcp-service-account.adoc b/modules/installation-gcp-service-account.adoc
index 80a2cd2b0a..9d41ca221c 100644
--- a/modules/installation-gcp-service-account.adoc
+++ b/modules/installation-gcp-service-account.adoc
@@ -8,8 +8,14 @@ [id="installation-gcp-service-account_{context}"]
 = Creating a service account in {gcp-short}
+[role="_abstract"]
 {product-title} requires a {gcp-first} service account that provides authentication and authorization to access data in the Google APIs. If you do not have an existing IAM service account that contains the required roles in your project, you must create one.
+[NOTE]
+====
+To reduce the scope of permissions granted to the main service account in your Google Cloud project while still being able to use the {gcp-short} Container Storage Interface (CSI) Driver Operator, you can transfer the control of permissions from the project-wide service account to the control plane and compute node service accounts instead, thus reducing the scope of the permission. For more information, see Section _Reducing permissions while using the {gcp-short} CSI Driver Operator_.
+====
+
 .Prerequisites
 * You created a project to host your cluster.
diff --git a/modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc b/modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc
new file mode 100644
index 0000000000..5957155fea
--- /dev/null
+++ b/modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc
@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-gcp-pd-reduce-permissions_{context}"]
+= Reducing permissions while using the GCP PD CSI Driver Operator
+
+[role="_abstract"]
+The default installation allows the Google Cloud Platform (GCP) persistent disk (PD) Container Storage Interface (CSI) Driver to impersonate any service account in the Google Cloud project. You can reduce the scope of permissions granted to the GCP PD CSI Driver service account in your Google Cloud project to only the required node service accounts.
+
+To reduce permissions, grant the `iam.serviceAccountUser` role to the control plane and compute node service accounts, and then remove the `iam.serviceAccountUser` role from the project-wide service account, thus reducing the scope of the permission.
+
+[NOTE]
+====
+Reducing permissions only applies to GCP clusters using Workload Identity Federation (WIF).
+====
+
+.Procedure
+
+. Grant scoped `iam.serviceAccountUser` role for node service accounts by running the following Bash commands:
++
[source,terminal]
+----
+gcloud iam service-accounts add-iam-policy-binding "${MASTER_NODE_SA}" --project="${GOOGLE_PROJECT_ID}" --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" --role="roles/iam.serviceAccountUser" --condition=None
+gcloud iam service-accounts add-iam-policy-binding "${WORKER_NODE_SA}" --project="${GOOGLE_PROJECT_ID}" --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" --role="roles/iam.serviceAccountUser" --condition=None
+----
++
+* `GOOGLE_PROJECT_ID`: The unique ID of your Google Cloud project.
+
+* `SERVICE_ACCOUNT_EMAIL`: The email address of the "Member" (the person or service account) who is being granted the new permissions. To find the service account, on WIF clusters, there is a default service account on GCP for the CSI driver based on the cluster name, for example: `${CLUSTER_NAME}-openshift-gcp-pd-csi-*`.
+
+* `MASTER_NODE_SA`: The email address of the service account used by your cluster's master node.
+
+* `WORKER_NODE_SA`: The email address of the service account used by your cluster's worker nodes.
+
+. Remove project-level `iam.serviceAccountUser` role from the binding created by the installation program by running the following Bash commands:
++
[source,terminal]
+----
+gcloud projects remove-iam-policy-binding "${GOOGLE_PROJECT_ID}" --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" --role="roles/iam.serviceAccountUser" --condition=None
+----
++
+
+* `SERVICE_ACCOUNT_EMAIL`: The email address of the account losing the permission. For example, `my-app-sa@my-project.iam.gserviceaccount.com`. To find the service account, on WIF clusters, there is a default service account on GCP for the CSI driver based on the cluster name, for example: `${CLUSTER_NAME}-openshift-gcp-pd-csi-*`.
+
+* `GOOGLE_PROJECT_ID`: The unique ID of the Google Cloud project where this is occurring. For example, `prod-data-789`.
\ No newline at end of file
diff --git a/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc b/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
index a0901849b8..c73bc3e21a 100644
--- a/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
+++ b/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
@@ -33,6 +33,8 @@ endif::openshift-dedicated[]
 include::modules/persistent-storage-csi-about.adoc[leveloffset=+1]
+include::modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc[leveloffset=+1]
+
 include::modules/persistent-storage-csi-gcp-pd-storage-class-ref.adoc[leveloffset=+1]
 [id="c3-instance-type-for-bare-metal-and-n4-machine-series"]