* Enable the ResourceManager API; this is used to get IAM policies

* Add IAM roles to the cloudservices account.
kubeflow · May 18, 2018 · cb334c0 · cb334c0
1 parent 085247d
commit cb334c0
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/docs/gke/configs/cluster.jinja b/docs/gke/configs/cluster.jinja
@@ -150,6 +150,54 @@ e.g. creating namespaces, service accounts, stateful set to run the bootstrapper
     descriptorUrl: https://$(ref.{{ CLUSTER_NAME }}.endpoint)/swaggerapi/{{ endpoint }}
 {% endfor %}
 
+{# Enable the resource manager API. This is needed below to get IAM policy.
+ If activating multiple APIs you might want to serialize them.
+ #}
+- name: resource-manager-api
+  type: deploymentmanager.v2.virtual.enableService
+  properties: 
+    consumerId: {{ 'project:' + env['project'] }}
+    serviceName: cloudresourcemanager.googleapis.com
+
+{# Get the IAM policy first so that we do not remove any existing bindings. #}
+- name: get-iam-policy
+  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
+  properties: 
+    resource: {{ env['project'] }}
+
+  metadata:
+    dependsOn:
+      - resource-manager-api
+    runtimePolicy: 
+      - UPDATE_ALWAYS 
+
+{# Set the IAM policy patching the existing policy with what ever is currently in the
+  config. 
+
+  We need to make the cloudservices account a GKE cluster admin because deployment manager
+  users the cloudservices account; so this will be the identity used with the K*s cluster.
+
+  Note: This will fail if the cloudservices account doesn't have IamProjectAdmin
+  permissions.
+#}
+- name: patch-iam-policy
+  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
+  properties: 
+    resource: {{ env['project'] }}
+    policy: $(ref.get-iam-policy)
+    gcpIamPolicyPatch:
+      add: 
+        - role: roles/container.admin
+          members:
+            - {{ 'serviceAccount:' + env['project_number'] + '@cloudservices.gserviceaccount.com' }}
+      remove: []
+
+  metadata:
+    dependsOn:
+      - get-iam-policy
+    runtimePolicy: 
+      - UPDATE_ALWAYS 
+
 {#  Namespace for bootstrapper. #}
 - name: admin-namespace
   type: {{ CLUSTER_TYPE_API_V1 }}:{{ NAMESPACE_COLLECTION }}