Merge pull request #76407 from barbacbd/OCPBUGS-34129

OCPBUGS-34129: Update Minimal permissions for GCP installs

Author: bscott-rh

modules/minimum-required-permissions-ipi-gcp.adoc

@@ -28,10 +28,16 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.forwardingRules.get`
 * `compute.forwardingRules.list`
 * `compute.forwardingRules.setLabels`
+* `compute.globalAddresses.create`
+* `compute.globalAddresses.get`
+* `compute.globalAddresses.use`
+* `compute.globalForwardingRules.create`
+* `compute.globalForwardingRules.get`
 * `compute.networks.create`
 * `compute.networks.get`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
+* `compute.networks.use`
 * `compute.routers.create`
 * `compute.routers.get`
 * `compute.routers.list`
@@ -47,6 +53,11 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for creating load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.create`
+* `compute.backendServices.get`
+* `compute.backendServices.list`
+* `compute.backendServices.update`
+* `compute.backendServices.use`
 * `compute.regionBackendServices.create`
 * `compute.regionBackendServices.get`
 * `compute.regionBackendServices.list`
@@ -58,6 +69,9 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.targetPools.list`
 * `compute.targetPools.removeInstance`
 * `compute.targetPools.use`
+* `compute.targetTcpProxies.create`
+* `compute.targetTcpProxies.get`
+* `compute.targetTcpProxies.use`
 ====
 
 .Required permissions for creating DNS resources
@@ -140,13 +154,17 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.httpHealthChecks.get`
 * `compute.httpHealthChecks.list`
 * `compute.httpHealthChecks.useReadOnly`
+* `compute.regionHealthChecks.create`
+* `compute.regionHealthChecks.get`
+* `compute.regionHealthChecks.useReadOnly`
 ====
 
 .Required permissions to get GCP zone and region related information
 [%collapsible]
 ====
 * `compute.globalOperations.get`
 * `compute.regionOperations.get`
+* `compute.regions.get`
 * `compute.regions.list`
 * `compute.zoneOperations.get`
 * `compute.zones.get`
@@ -185,10 +203,15 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.addresses.delete`
 * `compute.addresses.deleteInternal`
 * `compute.addresses.list`
+* `compute.addresses.setLabels`
 * `compute.firewalls.delete`
 * `compute.firewalls.list`
 * `compute.forwardingRules.delete`
 * `compute.forwardingRules.list`
+* `compute.globalAddresses.delete`
+* `compute.globalAddresses.list`
+* `compute.globalForwardingRules.delete`
+* `compute.globalForwardingRules.list`
 * `compute.networks.delete`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
@@ -202,10 +225,14 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for deleting load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.delete`
+* `compute.backendServices.list`
 * `compute.regionBackendServices.delete`
 * `compute.regionBackendServices.list`
 * `compute.targetPools.delete`
 * `compute.targetPools.list`
+* `compute.targetTcpProxies.delete`
+* `compute.targetTcpProxies.list`
 ====
 
 .Required permissions for deleting DNS resources
@@ -259,6 +286,8 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.healthChecks.list`
 * `compute.httpHealthChecks.delete`
 * `compute.httpHealthChecks.list`
+* `compute.regionHealthChecks.delete`
+* `compute.regionHealthChecks.list`
 ====
 
 .Required Images permissions for deletion

modules/minimum-required-permissions-upi-gcp.adoc

@@ -29,10 +29,17 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.forwardingRules.get`
 * `compute.forwardingRules.list`
 * `compute.forwardingRules.setLabels`
+* `compute.globalAddresses.create`
+* `compute.globalAddresses.get`
+* `compute.globalAddresses.setLabels`
+* `compute.globalAddresses.use`
+* `compute.globalForwardingRules.create`
+* `compute.globalForwardingRules.get`
 * `compute.networks.create`
 * `compute.networks.get`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
+* `compute.networks.use`
 * `compute.routers.create`
 * `compute.routers.get`
 * `compute.routers.list`
@@ -48,6 +55,11 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for creating load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.create`
+* `compute.backendServices.get`
+* `compute.backendServices.list`
+* `compute.backendServices.update`
+* `compute.backendServices.use`
 * `compute.regionBackendServices.create`
 * `compute.regionBackendServices.get`
 * `compute.regionBackendServices.list`
@@ -59,6 +71,9 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.targetPools.list`
 * `compute.targetPools.removeInstance`
 * `compute.targetPools.use`
+* `compute.targetTcpProxies.create`
+* `compute.targetTcpProxies.get`
+* `compute.targetTcpProxies.use`
 ====
 
 .Required permissions for creating DNS resources
@@ -141,13 +156,18 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.httpHealthChecks.get`
 * `compute.httpHealthChecks.list`
 * `compute.httpHealthChecks.useReadOnly`
+* `compute.regionHealthCheckServices.list`
+* `compute.regionHealthChecks.create`
+* `compute.regionHealthChecks.get`
+* `compute.regionHealthChecks.useReadOnly`
 ====
 
 .Required permissions to get GCP zone and region related information
 [%collapsible]
 ====
 * `compute.globalOperations.get`
 * `compute.regionOperations.get`
+* `compute.regions.get`
 * `compute.regions.list`
 * `compute.zoneOperations.get`
 * `compute.zones.get`
@@ -189,10 +209,15 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.addresses.delete`
 * `compute.addresses.deleteInternal`
 * `compute.addresses.list`
+* `compute.addresses.setLabels`
 * `compute.firewalls.delete`
 * `compute.firewalls.list`
 * `compute.forwardingRules.delete`
 * `compute.forwardingRules.list`
+* `compute.globalAddresses.delete`
+* `compute.globalAddresses.list`
+* `compute.globalForwardingRules.delete`
+* `compute.globalForwardingRules.list`
 * `compute.networks.delete`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
@@ -206,10 +231,14 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for deleting load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.delete`
+* `compute.backendServices.list`
 * `compute.regionBackendServices.delete`
 * `compute.regionBackendServices.list`
 * `compute.targetPools.delete`
 * `compute.targetPools.list`
+* `compute.targetTcpProxies.delete`
+* `compute.targetTcpProxies.list`
 ====
 
 .Required permissions for deleting DNS resources
@@ -263,6 +292,8 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.healthChecks.list`
 * `compute.httpHealthChecks.delete`
 * `compute.httpHealthChecks.list`
+* `compute.regionHealthChecks.delete`
+* `compute.regionHealthChecks.list`
 ====
 
 .Required Images permissions for deletion