ccs-gcp-customer-procedure.adoc

Required customer procedure

The Customer Cloud Subscription (CCS) model allows Red Hat to deploy and manage {product-title} into a customer’s Google Cloud Platform (GCP) project. Red Hat requires several prerequisites to provide these services.

Warning

To use {product-title} in your GCP project, the following GCP organizational policy constraints cannot be in place:

  • constraints/iam.allowedPolicyMemberDomains (This policy constraint is supported only if Red Hat’s DIRECTORY_CUSTOMER_ID C02k0l5e8 is included in the allow list. Use this policy constraint with caution.)

  • constraints/compute.restrictLoadBalancerCreationForTypes

  • constraints/compute.requireShieldedVm (This policy constraint is supported only if the cluster is installed with "Enable Secure Boot support for Shielded VMs" selected during the initial cluster creation).

  • constraints/compute.vmExternalIpAccess (This policy constraint is supported only after installation).

Procedure
  1. Create a Google Cloud project to host the {product-title} cluster.

    Note

    The project name must be 10 characters or fewer.

  2. Enable the following required APIs in the project that hosts your {product-title} cluster:

    Table 1. Required API services
    API service Console service name

    deploymentmanager.googleapis.com

    compute.googleapis.com

    cloudapis.googleapis.com

    cloudresourcemanager.googleapis.com

    dns.googleapis.com

    networksecurity.googleapis.com

    iamcredentials.googleapis.com

    iam.googleapis.com

    servicemanagement.googleapis.com

    serviceusage.googleapis.com

    storage-api.googleapis.com

    storage-component.googleapis.com

    orgpolicy.googleapis.com

  3. To ensure that Red Hat can perform necessary actions, you must create an osd-ccs-admin IAM service account user within the GCP project.

    The following roles must be granted to the service account:

    Table 2. Required roles

    Role                               Console role name
    Compute Admin                      roles/compute.admin
    DNS Administrator                  roles/dns.admin
    Organization Policy Viewer         roles/orgpolicy.policyViewer
    Service Management Administrator   roles/servicemanagement.admin
    Service Usage Admin                roles/serviceusage.serviceUsageAdmin
    Storage Admin                      roles/storage.admin
    Compute Load Balancer Admin        roles/compute.loadBalancerAdmin
    Role Viewer                        roles/viewer
    Role Administrator                 roles/iam.roleAdmin
    Security Admin                     roles/iam.securityAdmin
    Service Account Key Admin          roles/iam.serviceAccountKeyAdmin
    Service Account Admin              roles/iam.serviceAccountAdmin
    Service Account User               roles/iam.serviceAccountUser

  4. Create the service account key for the osd-ccs-admin IAM service account. Export the key to a file named osServiceAccount.json; this JSON file will be uploaded in {cluster-manager-first} when you create your cluster.
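
A pre-flight check for steps 2 and 3, added here as an example and not part of the Red Hat documentation: it compares a project's IAM policy and enabled APIs against Tables 1 and 2, reporting missing roles, roles granted only through a conditional binding, and roles beyond the required set. It assumes the policy is the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and the API names come from `gcloud services list --enabled --format="value(config.name)"`; the project ID `demo-proj` and the sample policy are constructed.

```python
import json

SA_NAME = "osd-ccs-admin"  # service account name from step 3
REQUIRED_ROLES = {"roles/" + r for r in (
    "compute.admin dns.admin orgpolicy.policyViewer servicemanagement.admin "
    "serviceusage.serviceUsageAdmin storage.admin compute.loadBalancerAdmin "
    "viewer iam.roleAdmin iam.securityAdmin iam.serviceAccountKeyAdmin "
    "iam.serviceAccountAdmin iam.serviceAccountUser").split()}
REQUIRED_APIS = {a + ".googleapis.com" for a in (
    "deploymentmanager compute cloudapis cloudresourcemanager dns "
    "networksecurity iamcredentials iam servicemanagement serviceusage "
    "storage-api storage-component orgpolicy").split()}


def audit(project_id, policy, enabled_apis):
    """Compare a project's IAM policy and enabled APIs with Tables 1 and 2."""
    member = f"serviceAccount:{SA_NAME}@{project_id}.iam.gserviceaccount.com"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            # A binding with an IAM condition may not apply to every request,
            # so it is tracked separately and does not satisfy a requirement.
            (conditional if "condition" in binding else granted).add(binding["role"])
    return {
        "missing_roles": sorted(REQUIRED_ROLES - granted),
        "conditional_only": sorted((conditional - granted) & REQUIRED_ROLES),
        "extra_roles": sorted((granted | conditional) - REQUIRED_ROLES),
        "missing_apis": sorted(REQUIRED_APIS - set(enabled_apis)),
    }


def sample_inputs():
    """Constructed sample: project 'demo-proj' with deliberate gaps."""
    member = f"serviceAccount:{SA_NAME}@demo-proj.iam.gserviceaccount.com"
    roles = REQUIRED_ROLES - {"roles/dns.admin", "roles/storage.admin"}
    bindings = [{"role": r, "members": [member]} for r in sorted(roles)]
    bindings.append({"role": "roles/storage.admin", "members": [member],
                     "condition": {"title": "temp", "expression": "false"}})
    bindings.append({"role": "roles/owner", "members": [member, "user:a@example.com"]})
    bindings.append({"role": "roles/dns.admin", "members": ["user:a@example.com"]})
    policy = {"version": 3, "bindings": bindings}
    return policy, sorted(REQUIRED_APIS - {"orgpolicy.googleapis.com"})


if __name__ == "__main__":
    policy, apis = sample_inputs()
    print(json.dumps(audit("demo-proj", policy, apis), indent=2))
```

Roles listed under `extra_roles` are not forbidden by the procedure; they are surfaced so that grants beyond Table 2 get reviewed before the service account key is exported.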