
Add prow-deployer service account #1126

Merged: 1 commit merged into kubernetes:master from add-prow-deployer-svcacct on Aug 7, 2020

Conversation

spiffxp
Member

@spiffxp spiffxp commented Aug 7, 2020

I would like to be able to run prowjobs in k8s-infra-prow-build-trusted
that auto-deploy cluster resources to prow build clusters.

So I've set up an account named prow-deployer and given it
roles/container.developer access in the two projects containing prow
build clusters.

part of #845

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 7, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. wg/k8s-infra labels Aug 7, 2020
@spiffxp
Member Author

spiffxp commented Aug 7, 2020

I believe `roles/container.developer` is sufficient privilege to run kubernetes/test-infra#18739

I would like to be able to run prowjobs in k8s-infra-prow-build-trusted
that auto-deploy cluster resources to prow build clusters.

So I've set up an account named `prow-deployer` and given it
`roles/container.developer` access in the two projects containing prow
build clusters.

@spiffxp
Member Author

spiffxp commented Aug 7, 2020

terraform plan says:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_project_iam_member.prow_deployer_for_prow_build will be created
  + resource "google_project_iam_member" "prow_deployer_for_prow_build" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "serviceAccount:prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
      + project = "k8s-infra-prow-build"
      + role    = "roles/container.developer"
    }

  # google_project_iam_member.prow_deployer_for_prow_build_trusted will be created
  + resource "google_project_iam_member" "prow_deployer_for_prow_build_trusted" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "serviceAccount:prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
      + project = "k8s-infra-prow-build-trusted"
      + role    = "roles/container.developer"
    }

  # google_service_account.prow_deployer_sa will be created
  + resource "google_service_account" "prow_deployer_sa" {
      + account_id   = "prow-deployer"
      + display_name = "prow-deployer"
      + email        = (known after apply)
      + id           = (known after apply)
      + name         = (known after apply)
      + project      = "k8s-infra-prow-build-trusted"
      + unique_id    = (known after apply)
    }

  # google_service_account_iam_policy.prow_deployer_sa_iam will be created
  + resource "google_service_account_iam_policy" "prow_deployer_sa_iam" {
      + etag               = (known after apply)
      + id                 = (known after apply)
      + policy_data        = jsonencode(
            {
              + bindings = [
                  + {
                      + members = [
                          + "serviceAccount:k8s-infra-prow-build-trusted.svc.id.goog[test-pods/prow-deployer]",
                        ]
                      + role    = "roles/iam.workloadIdentityUser"
                    },
                ]
            }
        )
      + service_account_id = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

@spiffxp
Member Author

spiffxp commented Aug 7, 2020

Confirmed that roles/container.developer is what the deployer@k8s-prow service account uses

$ gcloud projects get-iam-policy k8s-prow
# ...
- members:
  - serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com
  role: roles/container.developer
$ gcloud projects get-iam-policy k8s-prow-builds
# ...
- members:
  - serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com
  - serviceAccount:prow-build-service@k8s-prow-builds.iam.gserviceaccount.com
  role: roles/container.developer

That is the service account used to update prow via post-test-infra-deploy-prow and boskos via post-test-infra-upload-boskos-config.

@BenTheElder
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 7, 2020
@k8s-ci-robot k8s-ci-robot merged commit b83bb80 into kubernetes:master Aug 7, 2020
@spiffxp spiffxp deleted the add-prow-deployer-svcacct branch August 7, 2020 21:46
@spiffxp
Member Author

spiffxp commented Aug 7, 2020

And a terraform apply later:

google_service_account.prow_deployer_sa: Creating...
google_project_iam_member.prow_deployer_for_prow_build: Creating...
google_project_iam_member.prow_deployer_for_prow_build_trusted: Creating...
google_service_account.prow_deployer_sa: Creation complete after 2s [id=projects/k8s-infra-prow-build-trusted/serviceAccounts/prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com]
google_service_account_iam_policy.prow_deployer_sa_iam: Creating...
google_service_account_iam_policy.prow_deployer_sa_iam: Creation complete after 1s [id=projects/k8s-infra-prow-build-trusted/serviceAccounts/prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com]
google_project_iam_member.prow_deployer_for_prow_build_trusted: Creation complete after 9s [id=k8s-infra-prow-build-trusted/roles/container.developer/serviceaccount:prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com]
google_project_iam_member.prow_deployer_for_prow_build: Creation complete after 9s [id=k8s-infra-prow-build/roles/container.developer/serviceaccount:prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

@spiffxp
Member Author

spiffxp commented Aug 7, 2020

Manually deployed the service account:

spiffxp@cloudshell:~/k8s.io/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted (k8s-infra-prow-build-truted)\
$ k --context=gke_k8s-infra-prow-build-trusted_us-central1_prow-build-trusted apply -f resources
serviceaccount/prow-build-trusted unchanged
serviceaccount/k8s-infra-gcp-auditor unchanged
serviceaccount/gcb-builder unchanged
serviceaccount/k8s-infra-dns-updater unchanged
serviceaccount/gsuite-groups-manager unchanged
serviceaccount/prow-deployer created
namespace/test-pods unchanged
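
As an added example (not code from this PR or from the k8s.io repository), here is a small Python check of the access chain that the terraform plan, the `gcloud projects get-iam-policy` output and the `kubectl apply` above establish: the Kubernetes ServiceAccount `test-pods/prow-deployer`, the GCP service account whose `roles/iam.workloadIdentityUser` binding admits only that KSA, and the two project-level bindings that grant exactly `roles/container.developer`. The policy documents are constructed inline in the shape `gcloud ... get-iam-policy --format=json` returns, not captured output; the `group:infra-admins@example.com` member, the KSA manifest (the PR does not show it; `iam.gke.io/gcp-service-account` is the standard GKE Workload Identity annotation), and the set of roles treated as over-broad are assumptions made for the example.

```python
import re

# Constructed sample data. The identifiers mirror the PR's terraform plan; the
# policy documents are hand-written in the shape `gcloud ... get-iam-policy
# --format=json` returns, not captured output. The group member is a placeholder.
GSA = "prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
WI_POOL = "k8s-infra-prow-build-trusted.svc.id.goog"
EXPECTED_PRINCIPAL = (WI_POOL, "test-pods", "prow-deployer")

PROJECT_POLICIES = {
    "k8s-infra-prow-build": {"bindings": [
        {"role": "roles/owner", "members": ["group:infra-admins@example.com"]},
        {"role": "roles/container.developer", "members": [f"serviceAccount:{GSA}"]},
    ]},
    "k8s-infra-prow-build-trusted": {"bindings": [
        {"role": "roles/owner", "members": ["group:infra-admins@example.com"]},
        {"role": "roles/container.developer", "members": [f"serviceAccount:{GSA}"]},
    ]},
}
GSA_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": [f"serviceAccount:{WI_POOL}[test-pods/prow-deployer]"]},
]}
# Assumed KSA manifest: the PR applies `resources/` but does not show its contents.
KSA = {"apiVersion": "v1", "kind": "ServiceAccount",
       "metadata": {"name": "prow-deployer", "namespace": "test-pods",
                    "annotations": {"iam.gke.io/gcp-service-account": GSA}}}

# Assumption: roles a cluster-resource deployer should never hold on these projects.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/container.admin",
               "roles/container.clusterAdmin", "roles/iam.serviceAccountAdmin"}

# serviceAccount:<pool>[<namespace>/<ksa>] is the Workload Identity member form.
WI_MEMBER = re.compile(r"^serviceAccount:(?P<pool>[^\[\]]+)\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$")


def roles_for_member(policy, member):
    """All roles bound to `member` in a project-level IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def workload_identity_principals(sa_policy):
    """(pool, namespace, ksa) triples allowed to impersonate the GSA; members that are
    not KSA principals come back as ('?', '?', member) so they surface as findings."""
    out = []
    for b in sa_policy.get("bindings", []):
        if b.get("role") != "roles/iam.workloadIdentityUser":
            continue
        for m in b.get("members", []):
            mt = WI_MEMBER.match(m)
            out.append((mt["pool"], mt["ns"], mt["ksa"]) if mt else ("?", "?", m))
    return out


def verify_chain(project_policies, gsa_policy, ksa, gsa_email, expected_role, expected_principal):
    """Return a list of findings; an empty list means the chain is exactly as intended."""
    findings = []
    member = f"serviceAccount:{gsa_email}"
    for project, policy in project_policies.items():
        have = roles_for_member(policy, member)
        if expected_role not in have:
            findings.append(f"{project}: {gsa_email} lacks {expected_role}")
        for role in sorted(have - {expected_role}):
            tag = " (over-broad)" if role in BROAD_ROLES else ""
            findings.append(f"{project}: unexpected role {role}{tag}")
    principals = workload_identity_principals(gsa_policy)
    if expected_principal not in principals:
        findings.append(f"no workloadIdentityUser binding for {expected_principal}")
    for p in principals:
        if p != expected_principal:
            findings.append(f"GSA impersonable by unexpected principal {p}")
    meta = ksa.get("metadata", {})
    if (meta.get("namespace"), meta.get("name")) != expected_principal[1:]:
        findings.append("KSA manifest is not the namespace/name named in the WI binding")
    if meta.get("annotations", {}).get("iam.gke.io/gcp-service-account") != gsa_email:
        findings.append("KSA lacks the iam.gke.io/gcp-service-account annotation for the GSA")
    return findings


# A deliberately drifted variant: the GSA also got container.admin on one
# project, and a second namespace was added to the Workload Identity binding.
BAD_PROJECT_POLICIES = {
    "k8s-infra-prow-build": {"bindings": [
        {"role": "roles/container.developer", "members": [f"serviceAccount:{GSA}"]},
        {"role": "roles/container.admin", "members": [f"serviceAccount:{GSA}"]},
    ]},
}
BAD_GSA_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": [f"serviceAccount:{WI_POOL}[test-pods/prow-deployer]",
                 f"serviceAccount:{WI_POOL}[default/prow-deployer]"]},
]}

if __name__ == "__main__":
    for label, projects, sa_policy in [("as merged", PROJECT_POLICIES, GSA_POLICY),
                                       ("drifted", BAD_PROJECT_POLICIES, BAD_GSA_POLICY)]:
        result = verify_chain(projects, sa_policy, KSA, GSA,
                              "roles/container.developer", EXPECTED_PRINCIPAL)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

The two checks a reviewer of this PR most cares about are the ones the drifted variant trips: the GSA holding anything beyond `roles/container.developer` on a build-cluster project, and the `workloadIdentityUser` binding admitting any KSA other than `test-pods/prow-deployer`, since every pod that can use that KSA can act as the deployer in both projects.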

@spiffxp spiffxp added the area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters label Aug 25, 2020