data/data/install.openshift.io_installconfigs.yaml:

barbacbd · barbacbd · commit 5092d4e43de9 · 2025-11-21T06:44:54.000-05:00
pkg/types/gcp/platform.go:

Add FirewallManagementPolicy. The policy will indicate whether the cluster or user
will manage the firewall rules.

Add validation to ensure that a network is provided when the install config
is set to Unmanaged to FirewallManagement.

pkg/types/gcp/metadata.go:

Add the management policy to the metadata so that the bootstrap destroy process
knows whether to delete the bootstrap firewall rules or not.
diff --git a/data/data/install.openshift.io_installconfigs.yaml b/data/data/install.openshift.io_installconfigs.yaml
@@ -6099,6 +6099,16 @@ spec:
                     required:
                     - name
                     type: object
+                  firewallRulesManagement:
+                    default: Managed
+                    description: |-
+                      FirewallRulesManagement specifies the management policy for the cluster. Managed indicates that
+                      the firewall rules will be created and destroyed by the cluster. Unmanaged indicates that the
+                      user should create and destroy the firewall rules.
+                    enum:
+                    - Managed
+                    - Unmanaged
+                    type: string
                   network:
                     description: |-
                       Network specifies an existing VPC where the cluster should be created
diff --git a/pkg/asset/cluster/gcp/gcp.go b/pkg/asset/cluster/gcp/gcp.go
@@ -23,11 +23,12 @@ func Metadata(config *types.InstallConfig) *gcp.Metadata {
 	}
 
 	return &gcp.Metadata{
-		Region:               config.Platform.GCP.Region,
-		ProjectID:            config.Platform.GCP.ProjectID,
-		NetworkProjectID:     config.Platform.GCP.NetworkProjectID,
-		PrivateZoneDomain:    privateZoneDomain,
-		PrivateZoneProjectID: privateZoneProject,
-		Endpoint:             config.Platform.GCP.Endpoint,
+		Region:                  config.Platform.GCP.Region,
+		ProjectID:               config.Platform.GCP.ProjectID,
+		NetworkProjectID:        config.Platform.GCP.NetworkProjectID,
+		PrivateZoneDomain:       privateZoneDomain,
+		PrivateZoneProjectID:    privateZoneProject,
+		Endpoint:                config.Platform.GCP.Endpoint,
+		FirewallRulesManagement: config.GCP.FirewallRulesManagement,
 	}
 }
diff --git a/pkg/asset/installconfig/gcp/permissions.go b/pkg/asset/installconfig/gcp/permissions.go
diff --git a/pkg/asset/installconfig/gcp/validation.go b/pkg/asset/installconfig/gcp/validation.go
@@ -71,7 +71,6 @@ func Validate(client API, ic *types.InstallConfig) error {
 	allErrs = append(allErrs, validateMarketplaceImages(client, ic)...)
 	allErrs = append(allErrs, validatePlatformKMSKeys(client, ic, field.NewPath("platform").Child("gcp"))...)
 	allErrs = append(allErrs, validateServiceEndpointOverride(client, ic, field.NewPath("platform").Child("gcp"))...)
-	allErrs = append(allErrs, validateFirewallPermissions(client, ic, field.NewPath("platform").Child("gcp"))...)
 
 	if err := validateUserTags(client, ic.Platform.GCP.ProjectID, ic.Platform.GCP.UserTags); err != nil {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("platform").Child("gcp").Child("userTags"), ic.Platform.GCP.UserTags, err.Error()))
@@ -877,25 +876,3 @@ func validateServiceEndpointOverride(client API, ic *types.InstallConfig, fieldP
 
 	return allErrs
 }
-
-// validateFirewallPermissions validates that the user has firewall permissions OR when the user does not have
-// permissions to create firewall rules then a network is specified.
-func validateFirewallPermissions(client API, ic *types.InstallConfig, fieldPath *field.Path) field.ErrorList {
-	allErrs := field.ErrorList{}
-
-	projectID := ic.GCP.ProjectID
-	configField := "projectID"
-	if ic.GCP.NetworkProjectID != "" {
-		projectID = ic.GCP.NetworkProjectID
-		configField = "networkProjectID"
-	}
-
-	hasPermissions, err := client.ValidateServiceAccountHasPermissions(context.TODO(), projectID, []string{CreateGCPFirewallPermission})
-	if err != nil {
-		return append(allErrs, field.Invalid(fieldPath.Child(configField), projectID, err.Error()))
-	}
-	if !hasPermissions && ic.GCP.Network == "" {
-		allErrs = append(allErrs, field.Required(fieldPath.Child("network"), "firewall rule creation permission is missing, an existing network is required"))
-	}
-	return allErrs
-}
diff --git a/pkg/asset/installconfig/gcp/validation_test.go b/pkg/asset/installconfig/gcp/validation_test.go
@@ -51,7 +51,6 @@ var (
 	invalidXpnSA              = "invalid-example-sa@gcloud.serviceaccount.com"
 	validServiceEndpointURL   = "https://computeexample.googleapis.com/compute/v1/"
 	invalidServiceEndpointURL = "http://badstorage.googleapis"
-	permissionsProject        = "permissions-project"
 
 	// #nosec G101
 	fakeCreds = `{
@@ -118,8 +117,6 @@ var (
 	invalidateXpnSA          = func(ic *types.InstallConfig) { ic.ControlPlane.Platform.GCP.ServiceAccount = invalidXpnSA }
 	invalidateBaseDomain     = func(ic *types.InstallConfig) { ic.BaseDomain = invalidBaseDomain }
 	enableCustomDNS          = func(ic *types.InstallConfig) { ic.GCP.UserProvisionedDNS = customDNS.UserProvisionedDNSEnabled }
-	resetNetwork             = func(ic *types.InstallConfig) { ic.GCP.Network = "" }
-	validPermissionProject   = func(ic *types.InstallConfig) { ic.GCP.ProjectID = permissionsProject }
 
 	invalidKeyRing = gcp.KMSKeyReference{
 		Name:      "invalidKeyName",
@@ -462,12 +459,6 @@ func TestGCPInstallConfigValidation(t *testing.T) {
 			records:       []*dns.ResourceRecordSet{},
 			expectedError: false,
 		},
-		{
-			name:          "Invalid missing permissions and network",
-			edits:         editFunctions{resetNetwork, validPermissionProject},
-			records:       []*dns.ResourceRecordSet{},
-			expectedError: true, // platform.gcp.network: Required value: firewall rule creation permission is missing, an existing network is required
-		},
 	}
 	mockCtrl := gomock.NewController(t)
 	defer mockCtrl.Finish()
@@ -477,9 +468,8 @@ func TestGCPInstallConfigValidation(t *testing.T) {
 	errNotFound := &googleapi.Error{Code: http.StatusNotFound}
 
 	// Should get the list of projects.
-	gcpClient.EXPECT().GetProjects(gomock.Any()).Return(map[string]string{"valid-project": "valid-project", permissionsProject: permissionsProject}, nil).AnyTimes()
+	gcpClient.EXPECT().GetProjects(gomock.Any()).Return(map[string]string{"valid-project": "valid-project"}, nil).AnyTimes()
 	gcpClient.EXPECT().GetProjectByID(gomock.Any(), "valid-project").Return(&cloudresourcemanager.Project{}, nil).AnyTimes()
-	gcpClient.EXPECT().GetProjectByID(gomock.Any(), permissionsProject).Return(&cloudresourcemanager.Project{}, nil).AnyTimes()
 	gcpClient.EXPECT().GetProjectByID(gomock.Any(), "invalid-project").Return(nil, errNotFound).AnyTimes()
 	gcpClient.EXPECT().GetProjectByID(gomock.Any(), gomock.Any()).Return(nil, fmt.Errorf("error")).AnyTimes()
 
@@ -490,7 +480,6 @@ func TestGCPInstallConfigValidation(t *testing.T) {
 	gcpClient.EXPECT().GetRegions(gomock.Any(), invalidProjectName).Return(nil, fmt.Errorf("failed to get regions for project")).AnyTimes()
 	// When passed a project that is valid but the region is not contained, an error should still occur
 	gcpClient.EXPECT().GetRegions(gomock.Any(), validProjectName).Return([]string{validRegion}, nil).AnyTimes()
-	gcpClient.EXPECT().GetRegions(gomock.Any(), permissionsProject).Return([]string{validRegion}, nil).AnyTimes()
 
 	// Should return the machine type as specified.
 	for key, value := range machineTypeAPIResult {
@@ -509,7 +498,6 @@ func TestGCPInstallConfigValidation(t *testing.T) {
 	// When passed a correct network, project, & region, returns valid subnets.
 	// We will test incorrect subnets, by changing the install config.
 	gcpClient.EXPECT().GetSubnetworks(gomock.Any(), validNetworkName, validProjectName, validRegion).Return(subnetAPIResult, nil).AnyTimes()
-	gcpClient.EXPECT().GetSubnetworks(gomock.Any(), validNetworkName, permissionsProject, validRegion).Return(subnetAPIResult, nil).AnyTimes()
 
 	// When passed an incorrect network, project or region, return empty list.
 	gcpClient.EXPECT().GetSubnetworks(gomock.Any(), gomock.Not(validNetworkName), gomock.Any(), gomock.Any()).Return([]*compute.Subnetwork{}, nil).AnyTimes()
@@ -544,14 +532,9 @@ func TestGCPInstallConfigValidation(t *testing.T) {
 	gcpClient.EXPECT().GetKeyRing(gomock.Any(), &invalidKeyRing).Return(nil, fmt.Errorf("failed to find key ring invalidKeyRingName: data")).AnyTimes()
 
 	gcpClient.EXPECT().GetDNSZone(gomock.Any(), validProjectName, validBaseDomain, true).Return(&dns.ManagedZone{Name: validZone}, nil).AnyTimes()
-	gcpClient.EXPECT().GetDNSZone(gomock.Any(), permissionsProject, validBaseDomain, true).Return(&dns.ManagedZone{Name: validZone}, nil).AnyTimes()
 	gcpClient.EXPECT().GetDNSZone(gomock.Any(), invalidProjectName, validBaseDomain, true).Return(&dns.ManagedZone{Name: validZone}, nil).AnyTimes()
 	gcpClient.EXPECT().GetDNSZone(gomock.Any(), validProjectName, invalidBaseDomain, true).Return(nil, fmt.Errorf("baseDomain: Not found: \"%s\"", invalidBaseDomain)).AnyTimes()
 
-	gcpClient.EXPECT().ValidateServiceAccountHasPermissions(gomock.Any(), permissionsProject, []string{CreateGCPFirewallPermission}).Return(false, nil).AnyTimes()
-	gcpClient.EXPECT().ValidateServiceAccountHasPermissions(gomock.Any(), validProjectName, []string{CreateGCPFirewallPermission}).Return(true, nil).AnyTimes()
-	gcpClient.EXPECT().ValidateServiceAccountHasPermissions(gomock.Any(), invalidProjectName, []string{CreateGCPFirewallPermission}).Return(false, fmt.Errorf("failed to get project permissions")).AnyTimes()
-
 	httpmock.Activate()
 	defer httpmock.DeactivateAndReset()
 
diff --git a/pkg/asset/manifests/cloudproviderconfig.go b/pkg/asset/manifests/cloudproviderconfig.go
@@ -15,7 +15,6 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	awsic "github.com/openshift/installer/pkg/asset/installconfig/aws"
-	gcpic "github.com/openshift/installer/pkg/asset/installconfig/gcp"
 	powervsconfig "github.com/openshift/installer/pkg/asset/installconfig/powervs"
 	ibmcloudmachines "github.com/openshift/installer/pkg/asset/machines/ibmcloud"
 	"github.com/openshift/installer/pkg/asset/manifests/azure"
@@ -180,17 +179,8 @@ func (cpc *CloudProviderConfig) Generate(ctx context.Context, dependencies asset
 			subnet = installConfig.Config.GCP.ComputeSubnet
 		}
 
-		projectID := installConfig.Config.Platform.GCP.ProjectID
-		if networkProjectID := installConfig.Config.Platform.GCP.NetworkProjectID; networkProjectID != "" {
-			projectID = networkProjectID
-		}
-
-		hasFirewallRules, err := gcpic.HasPermissions(ctx, projectID, []string{gcpic.CreateGCPFirewallPermission}, installConfig.Config.GCP.Endpoint)
-		if err != nil {
-			return fmt.Errorf("failed to determine user firewall permissions: %w", err)
-		}
 		firewallManagement := gcpmanifests.FirewallManagementEnabled
-		if !hasFirewallRules {
+		if installConfig.Config.GCP.FirewallRulesManagement == gcptypes.UnmanagedFirewallRules {
 			firewallManagement = gcpmanifests.FirewallManagementDisabled
 		}
 
diff --git a/pkg/asset/manifests/gcp/cluster.go b/pkg/asset/manifests/gcp/cluster.go
@@ -133,17 +133,9 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 		capgLoadBalancerType = capg.Internal
 	}
 
-	firewallRulesManagementPolicy := capg.RulesManagementUnmanaged
-	projectID := installConfig.Config.GCP.ProjectID
-	if installConfig.Config.GCP.NetworkProjectID != "" {
-		projectID = installConfig.Config.GCP.NetworkProjectID
-	}
-	createFwRules, err := gcpic.HasPermissions(context.TODO(), projectID, []string{gcpic.CreateGCPFirewallPermission}, installConfig.Config.GCP.Endpoint)
-	if err != nil {
-		return nil, fmt.Errorf("failed to verify firewall rules: %w", err)
-	}
-	if createFwRules {
-		firewallRulesManagementPolicy = capg.RulesManagementManaged
+	firewallRulesManagementPolicy := capg.RulesManagementManaged
+	if installConfig.Config.GCP.FirewallRulesManagement == gcp.UnmanagedFirewallRules {
+		firewallRulesManagementPolicy = capg.RulesManagementUnmanaged
 	}
 
 	gcpCluster := &capg.GCPCluster{
diff --git a/pkg/destroy/gcp/firewall.go b/pkg/destroy/gcp/firewall.go
@@ -30,8 +30,13 @@ func (o *ClusterUninstaller) listFirewalls(ctx context.Context) ([]cloudResource
 // that determines whether a particular result should be returned or not.
 func (o *ClusterUninstaller) listFirewallsWithFilter(ctx context.Context, fields string, filterFunc resourceFilterFunc) ([]cloudResource, error) {
 	o.Logger.Debugf("Listing firewall rules")
+
 	results := []cloudResource{}
 
+	if o.firewallRulesManagement == gcp.UnmanagedFirewallRules {
+		return results, nil
+	}
+
 	findFirewallRules := func(projectID string) ([]cloudResource, error) {
 		ctx, cancel := context.WithTimeout(ctx, defaultTimeout)
 		defer cancel()
diff --git a/pkg/destroy/gcp/gcp.go b/pkg/destroy/gcp/gcp.go
@@ -78,6 +78,8 @@ type ClusterUninstaller struct {
 	// from metadata or by inferring it from existing cluster resources.
 	cloudControllerUID string
 
+	firewallRulesManagement gcptypes.FirewallRulesManagementPolicy
+
 	errorTracker
 	requestIDTracker
 	pendingItemTracker
@@ -92,17 +94,18 @@ func New(logger logrus.FieldLogger, metadata *types.ClusterMetadata) (providers.
 	}
 
 	return &ClusterUninstaller{
-		Logger:               logger,
-		Region:               metadata.ClusterPlatformMetadata.GCP.Region,
-		ProjectID:            metadata.ClusterPlatformMetadata.GCP.ProjectID,
-		NetworkProjectID:     metadata.ClusterPlatformMetadata.GCP.NetworkProjectID,
-		PrivateZoneDomain:    metadata.ClusterPlatformMetadata.GCP.PrivateZoneDomain,
-		PrivateZoneProjectID: privateZoneProjectID,
-		ClusterID:            metadata.InfraID,
-		cloudControllerUID:   gcptypes.CloudControllerUID(metadata.InfraID),
-		requestIDTracker:     newRequestIDTracker(),
-		pendingItemTracker:   newPendingItemTracker(),
-		endpoint:             metadata.ClusterPlatformMetadata.GCP.Endpoint,
+		Logger:                  logger,
+		Region:                  metadata.ClusterPlatformMetadata.GCP.Region,
+		ProjectID:               metadata.ClusterPlatformMetadata.GCP.ProjectID,
+		NetworkProjectID:        metadata.ClusterPlatformMetadata.GCP.NetworkProjectID,
+		PrivateZoneDomain:       metadata.ClusterPlatformMetadata.GCP.PrivateZoneDomain,
+		PrivateZoneProjectID:    privateZoneProjectID,
+		ClusterID:               metadata.InfraID,
+		cloudControllerUID:      gcptypes.CloudControllerUID(metadata.InfraID),
+		requestIDTracker:        newRequestIDTracker(),
+		pendingItemTracker:      newPendingItemTracker(),
+		endpoint:                metadata.ClusterPlatformMetadata.GCP.Endpoint,
+		firewallRulesManagement: metadata.ClusterPlatformMetadata.GCP.FirewallRulesManagement,
 	}, nil
 }
 
diff --git a/pkg/infrastructure/gcp/clusterapi/clusterapi.go b/pkg/infrastructure/gcp/clusterapi/clusterapi.go
@@ -283,18 +283,14 @@ func (p Provider) DestroyBootstrap(ctx context.Context, in clusterapi.BootstrapD
 		return fmt.Errorf("failed to destroy storage: %w", err)
 	}
 
+	if in.Metadata.GCP.FirewallRulesManagement == gcptypes.UnmanagedFirewallRules {
+		return nil
+	}
+
 	projectID := in.Metadata.GCP.ProjectID
 	if in.Metadata.GCP.NetworkProjectID != "" {
 		projectID = in.Metadata.GCP.NetworkProjectID
 	}
-	deleteFwRules, err := icgcp.HasPermissions(ctx, projectID, []string{icgcp.DeleteGCPFirewallPermission}, in.Metadata.GCP.Endpoint)
-	if err != nil {
-		return fmt.Errorf("failed to remove bootstrap firewall rules: %w", err)
-	}
-	if !deleteFwRules {
-		return nil
-	}
-
 	if err := removeBootstrapFirewallRules(ctx, in.Metadata.InfraID, projectID, in.Metadata.GCP.Endpoint); err != nil {
 		return fmt.Errorf("failed to remove bootstrap firewall rules: %w", err)
 	}
diff --git a/pkg/infrastructure/gcp/clusterapi/firewallrules.go b/pkg/infrastructure/gcp/clusterapi/firewallrules.go
@@ -206,11 +206,7 @@ func createFirewallRules(ctx context.Context, in clusterapi.InfraReadyInput, net
 	if in.InstallConfig.Config.GCP.NetworkProjectID != "" {
 		projectID = in.InstallConfig.Config.GCP.NetworkProjectID
 	}
-	createFwRules, err := gcpconfig.HasPermissions(ctx, projectID, []string{gcpconfig.CreateGCPFirewallPermission}, in.InstallConfig.Config.GCP.Endpoint)
-	if err != nil {
-		return fmt.Errorf("failed to create cluster firewall rules: %w", err)
-	}
-	if !createFwRules {
+	if in.InstallConfig.Config.GCP.FirewallRulesManagement == gcptypes.UnmanagedFirewallRules {
 		return nil
 	}
 
@@ -298,11 +294,7 @@ func createBootstrapFirewallRules(ctx context.Context, in clusterapi.InfraReadyI
 	if in.InstallConfig.Config.Platform.GCP.NetworkProjectID != "" {
 		projectID = in.InstallConfig.Config.Platform.GCP.NetworkProjectID
 	}
-	createFwRules, err := gcpconfig.HasPermissions(ctx, projectID, []string{gcpconfig.CreateGCPFirewallPermission}, in.InstallConfig.Config.GCP.Endpoint)
-	if err != nil {
-		return fmt.Errorf("failed to create bootstrap firewall rules: %w", err)
-	}
-	if !createFwRules {
+	if in.InstallConfig.Config.GCP.FirewallRulesManagement == gcptypes.UnmanagedFirewallRules {
 		return nil
 	}
 
diff --git a/pkg/types/gcp/defaults/platform.go b/pkg/types/gcp/defaults/platform.go
@@ -8,6 +8,10 @@ func SetPlatformDefaults(p *gcp.Platform) {
 		return
 	}
 
+	if p.FirewallRulesManagement == "" {
+		p.FirewallRulesManagement = gcp.ManagedFirewallRules
+	}
+
 	if gcpDmp := p.DefaultMachinePlatform; gcpDmp != nil {
 		if ek := gcpDmp.EncryptionKey; ek != nil {
 			if kms := ek.KMSKey; kms != nil {
diff --git a/pkg/types/gcp/metadata.go b/pkg/types/gcp/metadata.go
@@ -2,10 +2,11 @@ package gcp
 
 // Metadata contains GCP metadata (e.g. for uninstalling the cluster).
 type Metadata struct {
-	Region               string       `json:"region"`
-	ProjectID            string       `json:"projectID"`
-	NetworkProjectID     string       `json:"networkProjectID,omitempty"`
-	PrivateZoneDomain    string       `json:"privateZoneDomain,omitempty"`
-	PrivateZoneProjectID string       `json:"privateZoneProjectID,omitempty"`
-	Endpoint             *PSCEndpoint `json:"endpoint,omitempty"`
+	Region                  string                        `json:"region"`
+	ProjectID               string                        `json:"projectID"`
+	NetworkProjectID        string                        `json:"networkProjectID,omitempty"`
+	PrivateZoneDomain       string                        `json:"privateZoneDomain,omitempty"`
+	PrivateZoneProjectID    string                        `json:"privateZoneProjectID,omitempty"`
+	Endpoint                *PSCEndpoint                  `json:"endpoint,omitempty"`
+	FirewallRulesManagement FirewallRulesManagementPolicy `json:"firewallRulesManagement,omitempty"`
 }
diff --git a/pkg/types/gcp/platform.go b/pkg/types/gcp/platform.go
diff --git a/pkg/types/gcp/validation/platform.go b/pkg/types/gcp/validation/platform.go
diff --git a/pkg/types/gcp/validation/platform_test.go b/pkg/types/gcp/validation/platform_test.go

Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,12 @@ func Metadata(config types.InstallConfig) gcp.Metadata {`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`return &gcp.Metadata{`
`26`		`- Region: config.Platform.GCP.Region,`
`27`		`- ProjectID: config.Platform.GCP.ProjectID,`
`28`		`- NetworkProjectID: config.Platform.GCP.NetworkProjectID,`
`29`		`- PrivateZoneDomain: privateZoneDomain,`
`30`		`- PrivateZoneProjectID: privateZoneProject,`
`31`		`- Endpoint: config.Platform.GCP.Endpoint,`
	`26`	`+ Region: config.Platform.GCP.Region,`
	`27`	`+ ProjectID: config.Platform.GCP.ProjectID,`
	`28`	`+ NetworkProjectID: config.Platform.GCP.NetworkProjectID,`
	`29`	`+ PrivateZoneDomain: privateZoneDomain,`
	`30`	`+ PrivateZoneProjectID: privateZoneProject,`
	`31`	`+ Endpoint: config.Platform.GCP.Endpoint,`
	`32`	`+ FirewallRulesManagement: config.GCP.FirewallRulesManagement,`
`32`	`33`	`}`
`33`	`34`	`}`