
[v2.9] Add ability to specify a service account for a node pool in a GKE cluster #11068

Open
yiannistri opened this issue May 21, 2024 · 8 comments

Labels: kind/enhancement, QA/dev-automation (Issues that engineers have written automation around so QA doesn't have to look at this)
Milestone: v2.9.0

Comments

yiannistri commented May 21, 2024

The gke-operator (in v2.9) now supports the ability to specify a service account for a node pool. This is an optional field that may be set to an email address of a service account that has limited permissions, for example test@test-project.iam.gserviceaccount.com.

To set this field, one needs to set the value for field .spec.nodePools[*].config.serviceAccount. If not set, the default service account will be used.

There is currently no API method that lists the service accounts for a project, that the UI could invoke to help the user pick a service account. Adding such an API is possible but it would require additional permissions for the GKE service account that Rancher uses, i.e. to include the roles/iam.serviceAccountViewer IAM role. There is actually an existing endpoint that can be used, proposed in the comments below.

Relates to rancher/gke-operator#262

gaktive (Member) commented May 21, 2024

Will transfer this to dashboard repo for better UI tracking since I don't see direct backend work here.

@gaktive gaktive transferred this issue from rancher/rancher May 21, 2024
@gaktive gaktive added this to the v2.9.0 milestone May 21, 2024
gaktive (Member) commented May 21, 2024

Internal reference: SURE-3099

@mantis-toboggan-md recently touched the GKE area and @eva-vashkevich has been looking at service accounts. However, this may require design so need to check with @nwmac and @kwwii if this is more than just a field.

richard-cox (Member) commented
There will probably (?) be a lot of service accounts, so we should avoid doing a findAll (almost all will be removed by 2.10.0). @yiannistri are there any other definitive ways to select the applicable accounts, like labels or annotations?

@mantis-toboggan-md mantis-toboggan-md self-assigned this May 21, 2024
@github-actions github-actions bot added QA/dev-automation (Issues that engineers have written automation around so QA doesn't have to look at this) and removed JIRA area/gke labels May 21, 2024
yiannistri (Author) commented
@richard-cox just to be clear, for this particular scenario I'm referring to GCP IAM Service Accounts (not to be confused with Kubernetes service accounts). These service accounts are assigned to node pools in order to restrict what GCP services can be accessed from a cluster.

I agree with you that potentially this would return a lot of data, however this would need a call to the GCP API from server-side. So we can't use labels or annotations.

mantis-toboggan-md (Member) commented
It looks like there may already be an endpoint for the UI to use here, as GKE provisioning v1 included the option to set service accounts for node pools, see ui code here and norman api code here - does this existing API functionality look adequate @yiannistri?

yiannistri (Author) commented
@mantis-toboggan-md yes that looks adequate 👍

mantis-toboggan-md (Member) commented
Excellent, then it sounds like we're not backend-blocked on this issue. I have a couple more questions @yiannistri:

  1. That API call returns a list of these objects: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts#ServiceAccount. Your example appears to correspond to the email field; is this what we would be using in .spec.nodePools[*].config.serviceAccount?
  2. When the user selects the 'use the default service account' option in the UI, can we leave .spec.nodePools[*].config.serviceAccount blank, or do we need to set the value based off the "Compute Engine default service account" I see returned from this gkeServiceAccounts API call?

yiannistri (Author) commented May 22, 2024

> 1. That API call returns a list of these objects: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts#ServiceAccount. Your example appears to correspond to the email field; is this what we would be using in .spec.nodePools[*].config.serviceAccount?

Yes, please use the email field.

> 2. When the user selects the 'use the default service account' option in the UI, can we leave .spec.nodePools[*].config.serviceAccount blank, or do we need to set the value based off the "Compute Engine default service account" I see returned from this gkeServiceAccounts API call?

You can leave the field blank. Setting it to the "Compute Engine default service account" will have the same effect but it's probably simpler to not set it/set it to an empty string. I also think that that description may be editable by a user.
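As an added example (not code from the gke-operator, Rancher or the dashboard), the Python below sketches how a client could consume a `projects.serviceAccounts.list` response, offer the enabled accounts to a picker, and map the user's choice onto `.spec.nodePools[*].config.serviceAccount` following the answers in this thread: blank means the default, and picking the Compute Engine default explicitly is normalized to blank. It also encodes the caveat in the last reply: because a service account's display name is user-editable, the default is recognized by its Google-managed email pattern (`PROJECT_NUMBER-compute@developer.gserviceaccount.com`) rather than by its description. The list payload is constructed, and the node pool dictionary shape (`name`, `config.machineType`, `config.serviceAccount`) is assumed.

```python
"""Constructed example: handling the optional node pool serviceAccount field.

Not code from gke-operator, Rancher or the dashboard. The sample list
response is made up; the node pool dict shape below is an assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of a projects.serviceAccounts.list response (objects of
# the shape linked in the thread); every value here is made up.
SAMPLE_LIST_RESPONSE = {
    "accounts": [
        {
            "name": "projects/test-project/serviceAccounts/123456789012-compute@developer.gserviceaccount.com",
            "email": "123456789012-compute@developer.gserviceaccount.com",
            "displayName": "Compute Engine default service account",
        },
        {
            "name": "projects/test-project/serviceAccounts/test@test-project.iam.gserviceaccount.com",
            "email": "test@test-project.iam.gserviceaccount.com",
            "displayName": "GKE node pool (least privilege)",
        },
        {
            # A user edited this display name; it is NOT the default account.
            "name": "projects/test-project/serviceAccounts/legacy@test-project.iam.gserviceaccount.com",
            "email": "legacy@test-project.iam.gserviceaccount.com",
            "displayName": "Compute Engine default service account",
        },
        {
            "name": "projects/test-project/serviceAccounts/retired@test-project.iam.gserviceaccount.com",
            "email": "retired@test-project.iam.gserviceaccount.com",
            "displayName": "retired",
            "disabled": True,
        },
    ]
}

# Google-managed Compute Engine default SA: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Any Google service-account email, user-managed (*.iam.gserviceaccount.com) or Google-managed.
SA_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.gserviceaccount\.com$")


def is_default_compute_sa(email: str) -> bool:
    """Recognize the default compute SA by email pattern, never by the editable displayName."""
    return bool(DEFAULT_COMPUTE_SA_RE.match(email))


def selectable_accounts(list_response: Dict) -> List[Dict]:
    """Accounts a picker can offer: enabled only, default flagged, sorted by email."""
    out = []
    for acct in list_response.get("accounts", []):
        if acct.get("disabled"):
            continue  # a disabled SA is useless on a node pool; hide it
        out.append({
            "email": acct["email"],
            "displayName": acct.get("displayName", ""),
            "isDefault": is_default_compute_sa(acct["email"]),
        })
    return sorted(out, key=lambda a: a["email"])


def normalize_service_account(selected: Optional[str], use_default: bool = False) -> str:
    """Map the UI choice to the value for .spec.nodePools[*].config.serviceAccount.

    'Use the default service account' -> "" (field left blank). Explicitly
    choosing the Compute Engine default is equivalent, so it also becomes "".
    Anything else must at least look like a service-account email.
    """
    if use_default or selected is None or not selected.strip():
        return ""
    email = selected.strip()
    if not SA_EMAIL_RE.match(email):
        raise ValueError("not a service account email: %r" % email)
    return "" if is_default_compute_sa(email) else email


def build_node_pool(name: str, service_account: str = "", machine_type: str = "e2-medium") -> Dict:
    """Assumed node pool entry shape; serviceAccount is omitted entirely when blank."""
    config = {"machineType": machine_type}
    if service_account:
        config["serviceAccount"] = service_account
    return {"name": name, "config": config}


if __name__ == "__main__":
    for acct in selectable_accounts(SAMPLE_LIST_RESPONSE):
        print(acct)
    chosen = normalize_service_account("test@test-project.iam.gserviceaccount.com")
    print(build_node_pool("pool-a", chosen))
```

Matching on the email pattern is what keeps the "default" flag honest when a user has renamed an unrelated account; the `disabled` filter and the email check are the two places a picker would otherwise pass a value through that the operator cannot use.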

No branches or pull requests

4 participants