feat!: Create least privilege default service account #1757
Conversation
/gcbrun
@apeabody Can I get what failed in the cloud build check?
/gcbrun
re-triggered the check
Hi Good Day!
Thanks for the contribution @abhikaddy!
As this permissions reduction could be a breaking change for some users, can you please add a quick update note regarding the change to docs/upgrading_to_v29.0.md, similar to those in https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/docs
Hi @apeabody, As requested, added docs/upgrading_to_v29.0.md. Thanks.
/gcbrun
Co-authored-by: Andrew Peabody <[email protected]>
/gcbrun
/gcbrun
Are we supposed to create
That role exists, but it's not visible in GCP Console. It seems that it was deprecated (and hidden?).
This role is also not mentioned here: P.s.
Opened #1827
There is a new role named roles/container.nodeServiceAgent:

```
$ gcloud iam roles describe roles/container.nodeServiceAgent
description: Minimal set of permission required by a GKE node to support standard
  capabilities such as logging and monitoring export, and image pulls.
etag: AA==
includedPermissions:
- autoscaling.sites.writeMetrics
- logging.logEntries.create
- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.list
- monitoring.timeSeries.create
- monitoring.timeSeries.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.use
- storage.objects.get
- storage.objects.list
name: roles/container.nodeServiceAgent
stage: GA
title: Kubernetes Engine Node Service Agent
```
Is there any source that I can refer to? I thought service agent type of IAM service accounts are created by GCP and used internally only.
@shinebayar-g You are right. Service Agent roles should not be granted to any principal except service agents:
Ok, you are both right. Agent roles should be used only for Agents, which in this case is probably just the Autopilot node agent account. I just got a message from a Google representative that there is currently a running effort updating this recommendation and there is a new role, roles/container.defaultNodeServiceAccount. The list of permissions is shorter than in the old role, so I'm a little bit scared of using it 🙂

```
$ gcloud iam roles describe roles/container.defaultNodeServiceAccount
description: Least privilege role to use as the default service account for GKE Nodes.
etag: AA==
includedPermissions:
- autoscaling.sites.writeMetrics
- logging.logEntries.create
- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.list
- monitoring.timeSeries.create
- monitoring.timeSeries.list
- stackdriver.resourceMetadata.write
name: roles/container.defaultNodeServiceAccount
stage: ALPHA
title: Kubernetes Engine Default Node Service Account
```

Also I came across another docs page which is suggesting usage of 5 different roles. So I'm confused now 😕
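To see concretely what separates the two role definitions quoted in this thread, here is an added example (not code from the module or from any commenter): it embeds the includedPermissions, name and stage fields from the two gcloud outputs above, parses them with a minimal line parser instead of pyyaml, and reports which permissions each role has that the other lacks, plus the launch stage of the newer role.

```python
"""Diff the two GKE node roles quoted above from their gcloud YAML output."""

# `includedPermissions`, `name` and `stage` fields copied from the two
# `gcloud iam roles describe` outputs quoted in this thread.
NODE_SERVICE_AGENT = """\
includedPermissions:
- autoscaling.sites.writeMetrics
- logging.logEntries.create
- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.list
- monitoring.timeSeries.create
- monitoring.timeSeries.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.use
- storage.objects.get
- storage.objects.list
name: roles/container.nodeServiceAgent
stage: GA
"""

DEFAULT_NODE_SERVICE_ACCOUNT = """\
includedPermissions:
- autoscaling.sites.writeMetrics
- logging.logEntries.create
- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.list
- monitoring.timeSeries.create
- monitoring.timeSeries.list
- stackdriver.resourceMetadata.write
name: roles/container.defaultNodeServiceAccount
stage: ALPHA
"""

def parse_role(text):
    """Minimal parser for the fields above (no pyyaml dependency)."""
    lines = text.splitlines()
    perms = {l[2:].strip() for l in lines if l.startswith("- ")}
    fields = dict(l.split(":", 1) for l in lines if ":" in l and not l.startswith("- "))
    return {"permissions": perms, **{k: v.strip() for k, v in fields.items()}}

def diff_roles(old_text, new_text):
    """Return (permissions only in old, permissions only in new, stage of new)."""
    old, new = parse_role(old_text), parse_role(new_text)
    return (sorted(old["permissions"] - new["permissions"]),
            sorted(new["permissions"] - old["permissions"]),
            new["stage"])
```

Running diff_roles on the two embedded outputs shows that the ALPHA role drops the resourcemanager, serviceusage and storage.objects permissions and adds only stackdriver.resourceMetadata.write; anything a node relied on from the dropped set needs a separate, explicit binding.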
This update follows changes from terraform-google-modules#1757 and reverts terraform-google-modules#1827. The role `roles/container.nodeServiceAccount` is deprecated now and it is replaced with the new `roles/container.defaultNodeServiceAccount` role. Unfortunately this is not yet documented in Google docs. As the scope of the new role is smaller than the old one, this should be considered a breaking change.
I received confirmation from a Google representative that the new role should be ok to use, so I prepared #1844.
Maybe I'm an outlier here, but does anybody else feel a little uneasy switching to a new SA? That's currently in ALPHA, and there is zero documentation on the new role? Perhaps we shouldn't switch to using new roles that are still in ALPHA?
Is there any downtime for the SA recreation for existing clusters? I simply want to upgrade the google provider...
No downtime.
Attempting to fix #1416
Fixes #1416