Create least privilege default service account #1416

Closed
jawnsy opened this issue Oct 1, 2022 · 2 comments · Fixed by #1757
Labels
enhancement New feature or request good first issue Good for newcomers P2 high priority issues triaged Scoped and ready for work

Comments

jawnsy commented Oct 1, 2022

TL;DR

safer-cluster previously used GKE's recommendations for a minimal service account, but a new "Kubernetes Engine Node Service Account" has since been introduced and it may be preferable to use that instead

Terraform Resources

No response

Detailed design

Change the created service account to use the single roles/container.nodeServiceAccount role, rather than the four roles we are currently using (roles/logging.logWriter, roles/monitoring.metricWriter, roles/monitoring.viewer, roles/stackdriver.resourceMetadata.writer):

```hcl
# Four separate project-level bindings on the node service account.
# Only created when the module is asked to create the service account.
resource "google_project_iam_member" "cluster_service_account-log_writer" {
  count   = var.create_service_account ? 1 : 0
  project = google_service_account.cluster_service_account[0].project
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
}

# Each following binding reads `project` from the previous one so that the
# IAM writes are applied in sequence instead of racing each other.
resource "google_project_iam_member" "cluster_service_account-metric_writer" {
  count   = var.create_service_account ? 1 : 0
  project = google_project_iam_member.cluster_service_account-log_writer[0].project
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
}

resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
  count   = var.create_service_account ? 1 : 0
  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
  role    = "roles/monitoring.viewer"
  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
}

resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
  count   = var.create_service_account ? 1 : 0
  project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
  role    = "roles/stackdriver.resourceMetadata.writer"
  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
}
```
Additional information

Changing the defaults would technically be a breaking change, but breaking changes that improve security are usually excluded from compatibility guidelines. If users want to preserve the existing behavior, they can grant the service account necessary permissions. Most clusters should not need to use the node service account for anything, instead relying on workload identity for individual service-scoped permissions

@jawnsy jawnsy added the enhancement New feature or request label Oct 1, 2022
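As an added example (not code from the safer-cluster module, the linked PR, or the issue author), the following Terraform shows the shape the design above describes: the node service account carries the single curated `roles/container.nodeServiceAccount` role, callers who want the previous behaviour pass extra roles in explicitly, and application permissions are granted per workload through Workload Identity rather than through the node service account. The variable `additional_node_sa_roles`, the account IDs, the cluster name, the `orders/orders-api` Kubernetes service account and the `roles/storage.objectViewer` grant are hypothetical choices for illustration, not values taken from the module.

```hcl
# Added example: minimal node SA + Workload Identity for application access.
# Assumed inputs: project_id and region are supplied by the caller.
variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

# Hypothetical escape hatch for callers that relied on the old four roles.
# Empty by default so the node SA stays at the GKE-recommended minimum.
variable "additional_node_sa_roles" {
  type    = set(string)
  default = []
}

resource "google_service_account" "cluster_service_account" {
  project      = var.project_id
  account_id   = "gke-node-minimal"
  display_name = "Least-privilege GKE node service account"
}

# One binding instead of four. The curated role is maintained by Google to
# cover what kubelets on GKE nodes need (logs, metrics, resource metadata,
# image pulls), so the module no longer has to track new roles itself.
resource "google_project_iam_member" "cluster_service_account-node_service_account" {
  project = google_service_account.cluster_service_account.project
  role    = "roles/container.nodeServiceAccount"
  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
}

# Opt-in extra roles, one binding per role, for callers preserving old behaviour.
resource "google_project_iam_member" "cluster_service_account-additional" {
  for_each = var.additional_node_sa_roles
  project  = google_service_account.cluster_service_account.project
  role     = each.value
  member   = "serviceAccount:${google_service_account.cluster_service_account.email}"
}

resource "google_container_cluster" "primary" {
  name     = "safer-example"
  project  = var.project_id
  location = var.region

  remove_default_node_pool = true
  initial_node_count       = 1

  # Enable Workload Identity so pods authenticate as their own GSA.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

resource "google_container_node_pool" "primary" {
  name       = "default-pool"
  project    = var.project_id
  location   = var.region
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    service_account = google_service_account.cluster_service_account.email
    # Broad OAuth scope, narrow IAM role: the role, not the scope, bounds
    # what a node can actually do with its credentials.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

    # GKE metadata server: pods cannot read the node SA token from the VM
    # metadata endpoint and instead receive their Workload Identity token.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}

# Per-workload identity: a hypothetical "orders-api" app gets its own GSA with
# only the access it needs, bound to a Kubernetes service account.
resource "google_service_account" "app" {
  project    = var.project_id
  account_id = "orders-api"
}

resource "google_project_iam_member" "app_object_viewer" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.app.email}"
}

# Lets KSA orders/orders-api in this cluster impersonate the app GSA.
resource "google_service_account_iam_member" "app_workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[orders/orders-api]"
}
```

After `terraform apply`, `gcloud projects get-iam-policy PROJECT_ID` should show the node service account holding only `roles/container.nodeServiceAccount` (plus whatever was passed in `additional_node_sa_roles`), while the application's storage access appears only on the `orders-api` service account.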
bharathkkb (Member) commented

Thanks for the suggestion. This is definitely something we can add and it would help maintainability too as we don't need to keep track of newer roles as the product evolves.

@bharathkkb bharathkkb added good first issue Good for newcomers triaged Scoped and ready for work P2 high priority issues labels Oct 6, 2022
jawnsy (Author) commented Oct 8, 2022

@bharathkkb I'm happy to open a PR for this - are you okay with the approach of a "breaking" change of removing the now-unnecessary roles?
