
Create and use non-default service accounts in GKE #3123

annuay-google (Contributor) commented Oct 11, 2024

Approach

  • Allow the user to create a new SA from the blueprint and use the same one in the cluster and node pool
  • Do not fetch the default SA from a data source; instead, construct it using the project id
  • The user can pass a pre-existing SA with appropriate permissions. Checking for the right permissions is not in the scope of this PR and will be covered in a follow-up PR

Testing

  • Deployed hpc-gke.yaml with a non-default new SA and verified provisioning and destruction, and that an SA with appropriate roles was created. Verified all node pools used the SA specified
  • Deployed hpc-gke.yaml with a non-default pre-existing SA and verified provisioning and destruction, and that no new SA was created. Verified all node pools used the SA specified
  • Deployed hpc-gke.yaml with no SA passed. Verified the default SA was used in all node pools
  • Verified all GKE integration tests passed
  • Verified logs are pushed from k8s pods and visible in GCP logging from Pantheon

User Guide

Create and use new SA (one per node pool) - recommended

Check updated example blueprints

Use pre-existing SA

```yaml
  - id: gke_cluster
    source: modules/scheduler/gke-cluster
    use: [network1]
    settings:
      enable_private_endpoint: false  # Allows for access from authorized public IPs
      service_account_email: ml-01-gke-sa@ns-playground-a.iam.gserviceaccount.com
    outputs: [instructions]

  - id: compute_pool
    source: modules/compute/gke-node-pool
    use: [gke_cluster]
    settings:
      service_account_email: ml-01-gke-sa@ns-playground-a.iam.gserviceaccount.com
```

Use default SA

```yaml
  - id: gke_cluster
    source: modules/scheduler/gke-cluster
    use: [network1]
    settings:
      enable_private_endpoint: false  # Allows for access from authorized public IPs
    outputs: [instructions]

  - id: compute_pool
    source: modules/compute/gke-node-pool
    use: [gke_cluster]
```

Submission Checklist

NOTE: Community submissions can take up to 2 weeks to be reviewed.

Please take the following actions before submitting this pull request.

  • Fork your PR branch from the Toolkit "develop" branch (not main)
  • Test all changes with pre-commit in a local branch
  • Confirm that "make tests" passes all tests
  • Add or modify unit tests to cover code changes
  • Ensure that unit test coverage remains above 80%
  • Update all applicable documentation
  • Follow Cluster Toolkit Contribution guidelines
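A blueprint audit for the three cases in the user guide above, added here as an example and not part of this PR or the Toolkit's own code: it walks the parsed module list, reports which service account each gke-node-pool module will run with, and flags pools that fall back to the default Compute Engine SA or that name a different SA than the cluster they `use`. The embedded module list, the project id in the emails and the SA email pattern are constructed assumptions.

```python
import re

# Constructed sample: the `modules` list of a Cluster Toolkit deployment group as
# PyYAML would parse it (embedded so the check runs offline). Project id and SA
# name are placeholders shaped like the PR's example, not real accounts.
SAMPLE_MODULES = [
    {"id": "network1", "source": "modules/network/vpc"},
    {"id": "gke_cluster", "source": "modules/scheduler/gke-cluster", "use": ["network1"],
     "settings": {"enable_private_endpoint": False,
                  "service_account_email": "ml-01-gke-sa@example-project.iam.gserviceaccount.com"}},
    {"id": "compute_pool", "source": "modules/compute/gke-node-pool", "use": ["gke_cluster"],
     "settings": {"service_account_email": "ml-01-gke-sa@example-project.iam.gserviceaccount.com"}},
    {"id": "gpu_pool", "source": "modules/compute/gke-node-pool", "use": ["gke_cluster"]},
]

# Assumed shape of a user-managed SA: <account-id>@<project-id>.iam.gserviceaccount.com,
# both parts 6-30 chars of lowercase letters, digits and hyphens, starting with a letter.
USER_SA_RE = re.compile(
    r"^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$")


def audit_node_pool_sas(modules):
    """Return {node_pool_id: finding} for every gke-node-pool module.

    Findings: "explicit" (a well-formed user-managed SA is set), "malformed" (the
    setting is present but is not a user-managed SA email), "differs_from_cluster"
    (the pool names a different SA than the gke-cluster it uses; review intent),
    "default" (no SA set, so the default Compute Engine SA will be used).
    """
    by_id = {m["id"]: m for m in modules}
    findings = {}
    for m in modules:
        if m.get("source") != "modules/compute/gke-node-pool":
            continue
        sa = m.get("settings", {}).get("service_account_email")
        if sa is None:
            findings[m["id"]] = "default"
            continue
        if not USER_SA_RE.match(sa):
            findings[m["id"]] = "malformed"
            continue
        # Look up the cluster this pool uses and compare the SA it was given.
        cluster_sa = None
        for dep in m.get("use", []):
            dep_mod = by_id.get(dep, {})
            if dep_mod.get("source") == "modules/scheduler/gke-cluster":
                cluster_sa = dep_mod.get("settings", {}).get("service_account_email")
        findings[m["id"]] = "differs_from_cluster" if cluster_sa not in (None, sa) else "explicit"
    return findings


if __name__ == "__main__":
    for pool, finding in audit_node_pool_sas(SAMPLE_MODULES).items():
        print(f"{pool}: {finding}")
```

Pools reported as "default" are the ones to review first, since the default Compute Engine SA typically carries broader project roles than a purpose-built one.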

@annuay-google annuay-google changed the base branch from main to develop October 11, 2024 10:50
@annuay-google annuay-google marked this pull request as draft October 11, 2024 10:50
@annuay-google annuay-google added the release-improvements Added to release notes under the "Improvements" heading. label Oct 14, 2024
@annuay-google annuay-google self-assigned this Oct 14, 2024
@annuay-google annuay-google marked this pull request as ready for review October 14, 2024 07:49
@annuay-google annuay-google force-pushed the annuay/construct-service-account-email-gke branch 5 times, most recently from 0feef97 to df8f774 October 14, 2024 23:33
@annuay-google annuay-google force-pushed the annuay/construct-service-account-email-gke branch from df8f774 to b3dd7d9 October 14, 2024 23:36
@annuay-google annuay-google merged commit 145f8dd into GoogleCloudPlatform:develop Oct 15, 2024
8 of 54 checks passed
@annuay-google annuay-google deleted the annuay/construct-service-account-email-gke branch October 15, 2024 00:04
@harshthakkar01 harshthakkar01 mentioned this pull request Oct 24, 2024