Annotate grandmatriarch service-account #224
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, fejta The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/bind-service-accounts.sh oss-prow us-west1-a prow default grandmatriarch oss-prow@oss-prow.iam.gserviceaccount.com
ALREADY MEMBER: serviceAccount:oss-prow.svc.id.goog[default/grandmatriarch] has roles/iam.workloadIdentityUser for oss-prow@oss-prow.iam.gserviceaccount.com.
+++ kubectl run --rm=true -i --generator=run-pod/v1 --context=gke_oss-prow_us-west1-a_prow --namespace=default --serviceaccount=grandmatriarch --image=google/cloud-sdk:slim workload-identity-test-22
DONE: --context=gke_oss-prow_us-west1-a_prow --namespace=default serviceaccounts/grandmatriarch acts as oss-prow@oss-prow.iam.gserviceaccount.com
fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/bind-service-accounts.sh oss-prow us-west1-a prow test-pods grandmatriarch oss-prow@oss-prow.iam.gserviceaccount.com
+ gcloud iam service-accounts add-iam-policy-binding --project=oss-prow --role=roles/iam.workloadIdentityUser '--member=serviceAccount:oss-prow.svc.id.goog[test-pods/grandmatriarch]' oss-prow@oss-prow.iam.gserviceaccount.com
Updated IAM policy for serviceAccount [oss-prow@oss-prow.iam.gserviceaccount.com].
Sleeping 2m to allow credentials to propagate..
+++ kubectl run --rm=true -i --generator=run-pod/v1 --context=gke_oss-prow_us-west1-a_prow --namespace=test-pods --serviceaccount=grandmatriarch --image=google/cloud-sdk:slim workload-identity-test-06
DONE: --context=gke_oss-prow_us-west1-a_prow --namespace=test-pods serviceaccounts/grandmatriarch acts as oss-prow@oss-prow.iam.gserviceaccount.com |
fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/enable-workload-identity.sh oss-prow-builds us-west1-a prow
++ gcloud beta container clusters describe prow '--format=value(workloadIdentityConfig.identityNamespace)' --project=oss-prow-builds --zone=us-west1-a
++ gcloud beta container node-pools list --cluster=prow '--format=value(name,config.workloadMetadataConfig.nodeMetadata)' --project=oss-prow-builds --zone=us-west1-a
Enable workload identity on:
cluster: prow
pool: default-pool
Proceed [y/N]:y
+ gcloud beta container clusters update prow --identity-namespace=oss-prow-builds.svc.id.goog --project=oss-prow-builds --zone=us-west1-a
Updating prow...done.
Updated [https://container.googleapis.com/v1beta1/projects/oss-prow-builds/zones/us-west1-a/clusters/prow].
To inspect the contents of your cluster, go to: https://console.cloud.google.com/kubernetes/workload_/gcloud/us-west1-a/prow?project=oss-prow-builds
+ gcloud beta container node-pools update --cluster=prow default-pool --workload-metadata-from-node=GKE_METADATA_SERVER --project=oss-prow-builds --zone=us-west1-a
Updating node pool default-pool... Done with 0 out of 3 nodes (0.0%): 1 being p
rocessed...⠼
Updating node pool default-pool... Done with 1 out of 3 nodes (33.3%): 1 being
processed, 1 succeeded...⠼
Updating node pool default-pool... Done with 2 out of 3 nodes (66.7%): 1 being
processed, 2 succeeded...⠛
Updating node pool default-pool... Done with 3 out of 3 nodes (100.0%): 3 succe
eded...done.
Updated [https://container.googleapis.com/v1beta1/projects/oss-prow-builds/zones/us-west1-a/clusters/prow/nodePools/default-pool].
DONE
fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/bind-service-accounts.sh oss-prow-builds us-west1-a prow test-pods grandmatriarch oss-prow@oss-prow.iam.gserviceaccount.com
+ gcloud iam service-accounts add-iam-policy-binding --project=oss-prow --role=roles/iam.workloadIdentityUser '--member=serviceAccount:oss-prow-builds.svc.id.goog[test-pods/grandmatriarch]' oss-prow@oss-prow.iam.gserviceaccount.com
Updated IAM policy for serviceAccount [oss-prow@oss-prow.iam.gserviceaccount.com].
Sleeping 2m to allow credentials to propagate..
+++ kubectl run --rm=true -i --generator=run-pod/v1 --context=gke_oss-prow-builds_us-west1-a_prow --namespace=test-pods --serviceaccount=grandmatriarch --image=google/cloud-sdk:slim workload-identity-test-15
DONE: --context=gke_oss-prow-builds_us-west1-a_prow --namespace=test-pods serviceaccounts/grandmatriarch acts as oss-prow@oss-prow.iam.gserviceaccount.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ref #202
This will allow me to bind the service accounts together and send a PR to switch it over to using workload-identity