Merge pull request #7977 from openshift-cherrypick-robot/cherry-pick-7797-to-enterprise-3.9

Gaurav Nelson · web-flow · commit 342819012431 · 2018-03-01T15:35:26.000+10:00
[enterprise-3.9] Bug#1452816 - fixes - Added required roles and permissions for all cloudproviders
diff --git a/install_config/configuring_aws.adoc b/install_config/configuring_aws.adoc
@@ -18,6 +18,54 @@ volumes as persistent storage] for application data. After AWS is configured
 properly, some additional configurations will need to be completed on the
 {product-title} hosts.
 
+[[configuring-aws-permissions]]
+== Permissions
+Configuring AWS for {product-title} requires the following permissions:
+
+.Master Permissions
+[cols='1,2']
+|===
+
+| Elastic Compute Cloud(EC2)
+|`ec2:DescribeVolume`, `ec2:CreateVolume`, `ec2:CreateTags`,
+`ec2:DescribeInstance`, `ec2:AttachVolume`, `ec2:DetachVolume`,
+`ec2:DeleteVolume`, `ec2:DescribeSubnets`, `ec2:CreateSecurityGroup`,
+`ec2:DescribeSecurityGroups`, `ec2:DescribeRouteTables`,
+`ec2:AuthorizeSecurityGroupIngress`
+
+| Elastic Load Balancing
+| `elasticloadbalancing:DescribeTags`,
+`elasticloadbalancing:CreateLoadBalancerListeners`,
+`elasticloadbalancing:ConfigureHealthCheck`,
+`elasticloadbalancing:DeleteLoadBalancerListeners`,
+`elasticloadbalancing:RegisterInstancesWithLoadBalancer`,
+`elasticloadbalancing:DescribeLoadBalancers`,
+`elasticloadbalancing:CreateLoadBalancer`,
+`elasticloadbalancing:DeleteLoadBalancer`,
+`elasticloadbalancing:ModifyLoadBalancerAttributes`,
+`elasticloadbalancing:DescribeLoadBalancerAttributes`
+
+|===
+
+.Node Permissions
+[cols='1,2']
+|===
+
+| Elastic Compute Cloud(EC2)
+| `ec2:DescribeInstance*`
+
+|===
+
+[IMPORTANT]
+====
+* Every master, node, and subnet must have the `KubernetesCluster: value` tag.
+* One security group, preferably the one linked to the nodes, must have the
+`KubernetesCluster: value` tag.
+ ** Do not tag all security groups with the `KubernetesCluster: value` tag or the
+Elastic Load Balancing (ELB) will not be able to create a load balancer.
+
+====
+
 [[configuring-aws-variables]]
 == Configuring AWS Variables
 
@@ -152,12 +200,12 @@ container. Therefore, *_aws.conf_* should be in *_/etc/origin/_* instead of
 
 Make sure the following environment variables are set in the
 ifdef::openshift-enterprise[]
-*_/etc/sysconfig/atomic-openshift-master-api_* file and 
+*_/etc/sysconfig/atomic-openshift-master-api_* file and
 *_/etc/sysconfig/atomic-openshift-master-containers_* file on masters and the
 *_/etc/sysconfig/atomic-openshift-node_* file on nodes:
 endif::[]
 ifdef::openshift-origin[]
-*_/etc/sysconfig/origin-master-api_* file and 
+*_/etc/sysconfig/origin-master-api_* file and
 *_/etc/sysconfig/origin-master-containers_* file on masters and the
 *_/etc/sysconfig/origin-node_* file on nodes:
 endif::[]
diff --git a/install_config/configuring_azure.adoc b/install_config/configuring_azure.adoc
@@ -19,6 +19,18 @@ Azure disk as persistent storage] for application data. After Azure is
 configured properly, some additional configurations need to be completed on the
 {product-title} hosts.
 
+[[configuring-azure-permissions]]
+== Permissions
+Configuring Azure for {product-title} requires the following role:
+
+[cols='1,3']
+|===
+
+| Contributor
+| To create and manage all types of Azure resources.
+
+|===
+
 [[azure-configuration-file]]
 == The Azure Configuration File
 
diff --git a/install_config/configuring_gce.adoc b/install_config/configuring_gce.adoc
@@ -18,6 +18,19 @@ volumes as persistent storage] for application data. After GCE is configured
 properly, some additional configurations will need to be completed on the
 {product-title} hosts.
 
+[[configuring-gcp-permissions]]
+== Permissions
+Configuring Google Cloud Platform (GCP) for {product-title} requires the following role:
+
+[cols='1,3']
+|===
+
+| roles/owner
+| To create service accounts, cloud storage, instances, images, templates, Cloud
+DNS entries, and deploy load balancers and health checks. It is helpful to also
+have `delete` permissions to be able to redeploy the environment while testing.
+
+|===
 
 [[gce-configuring-masters]]
 == Configuring Masters
diff --git a/install_config/configuring_openstack.adoc b/install_config/configuring_openstack.adoc
@@ -15,6 +15,19 @@ When deployed on link:https://www.openstack.org/[OpenStack], {product-title} can
 be configured to access OpenStack infrastructure, including
 xref:../install_config/persistent_storage/persistent_storage_cinder.adoc#install-config-persistent-storage-persistent-storage-cinder[using OpenStack Cinder volumes as persistent storage] for application data.
 
+[[configuring-openstack-permissions]]
+== Permissions
+Configuring OpenStack for {product-title} requires the following role:
+
+[cols='1,3']
+|===
+
+| member
+| For creating assets(instances, networking ports, floating ips, volumes, and so
+on.) you need the member role for the tenant.
+
+|===
+
 [[configuring-openstack-variables]]
 == Configuring OpenStack Variables
 To set the required OpenStack variables, create a *_/etc/cloud.conf_* file with
