From 41d69855da28b7916e295a9a1459f63bd45f6acd Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Fri, 7 Aug 2020 14:23:37 -0700
Subject: [PATCH] Add prow-deployer service account

I would like to be able to run prowjobs in k8s-infra-prow-build-trusted that auto-deploy cluster resources to prow build clusters. So I've setup an account named `prow-deployer` and given it `roles/container.developer` access in the two projects containing prow build clusters
---
 .../prow-build-trusted/main.tf | 34 +++++++++++++++++++
 .../resources/build-serviceaccounts.yaml | 8 +++++
 2 files changed, 42 insertions(+)

diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf
index ff2646c732f..97a9c72c43a 100644
--- a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf
@@ -30,6 +30,7 @@ locals {
 pod_namespace = "test-pods" // MUST match whatever prow is configured to use when it schedules to this cluster
 cluster_sa_name = "prow-build-trusted" // Name of the GSA and KSA that pods use by default
 gcb_builder_sa_name = "gcb-builder" // Name of the GSA and KSA that pods use to be allowed to run GCB builds and push to GCS buckets
+ prow_deployer_sa_name = "prow-deployer" // Name of the GSA and KSA that pods use to be allowed to deploy to prow build clusters
 }
 
 module "project" {
@@ -89,6 +90,39 @@ resource "google_service_account_iam_policy" "gcb_builder_sa_iam" {
 policy_data = data.google_iam_policy.gcb_builder_sa_workload_identity.policy_data
 }
 
+// Create GCP SA for jobs that deploy to k8s-infra prow clusters
+resource "google_service_account" "prow_deployer_sa" {
+ project = local.project_id
+ account_id = local.prow_deployer_sa_name
+ display_name = local.prow_deployer_sa_name
+}
+// Allow pods using the build cluster KSA to use the GCP SA via workload identity
+data "google_iam_policy" "prow_deployer_sa_workload_identity" {
+ binding {
+ role = "roles/iam.workloadIdentityUser"
+
+ members = [
+ "serviceAccount:${local.project_id}.svc.id.goog[${local.pod_namespace}/${local.prow_deployer_sa_name}]",
+ ]
+ }
+}
+// Authoritative iam-policy: replaces any existing policy attached to this service_account
+resource "google_service_account_iam_policy" "prow_deployer_sa_iam" {
+ service_account_id = google_service_account.prow_deployer_sa.name
+ policy_data = data.google_iam_policy.prow_deployer_sa_workload_identity.policy_data
+}
+
+resource "google_project_iam_member" "prow_deployer_for_prow_build_trusted" {
+ project = local.project_id
+ role = "roles/container.developer"
+ member = "serviceAccount:${local.prow_deployer_sa_name}@${local.project_id}.iam.gserviceaccount.com"
+}
+resource "google_project_iam_member" "prow_deployer_for_prow_build" {
+ project = "k8s-infra-prow-build"
+ role = "roles/container.developer"
+ member = "serviceAccount:${local.prow_deployer_sa_name}@${local.project_id}.iam.gserviceaccount.com"
+}
+
 module "prow_build_cluster" {
 source = "../../../modules/gke-cluster"
 project_name = local.project_id
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml
index 775b89a18c4..9e29b016ff6 100644
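Review bot: Both `google_project_iam_member` resources assemble the member address by hand from `local.prow_deployer_sa_name` and `local.project_id` rather than referencing the account they bind, so Terraform records no dependency on `google_service_account.prow_deployer_sa` and on a fresh apply may attempt the role binding before the account exists. Using `member = "serviceAccount:${google_service_account.prow_deployer_sa.email}"` in both resources fixes the ordering and keeps the email format in one place. The `prow_deployer_for_prow_build` binding grants `roles/container.developer` — which, per GCP's role description, is full access to Kubernetes API objects in every cluster of the project — in the hard-coded project `"k8s-infra-prow-build"` from this project's configuration, so a reviewer of that project's Terraform will not see the grant; a comment such as `// Cross-project grant managed here, not in k8s-infra-prow-build's config; update both if the SA is renamed` would make the ownership explicit. The same role is also granted in `local.project_id`, meaning a job running as this SA inside the trusted cluster can modify the trusted cluster's own objects; if that is intended, the `// Create GCP SA` comment should say so.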
--- a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml
@@ -38,3 +38,11 @@ metadata:
 iam.gke.io/gcp-service-account: gsuite-groups-manager@k8s-gsuite.iam.gserviceaccount.com
 name: gsuite-groups-manager
 namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
+ name: prow-deployer
+ namespace: test-pods
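Review bot: The `iam.gke.io/gcp-service-account` annotation hard-codes `prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com`, the same address that `main.tf` derives from `local.prow_deployer_sa_name` and `local.project_id`; if either local changes, this KSA silently stops mapping to the GSA and pods using it fail to obtain credentials. A comment above the annotation, e.g. `# Must match google_service_account.prow_deployer_sa in ../main.tf`, would tie the two definitions together. Since any pod scheduled in `test-pods` with `serviceAccountName: prow-deployer` inherits `roles/container.developer` in two projects, the prow job configuration that decides which jobs may use this KSA is presumably the effective access control, and it is not part of this change.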