[v2.9] Add ability to specify a service account for a node pool in a GKE cluster #11068
Comments
Will transfer this to dashboard repo for better UI tracking since I don't see direct backend work here.
Internal reference: SURE-3099
@mantis-toboggan-md recently touched the GKE area and @eva-vashkevich has been looking at service accounts. However, this may require design so need to check with @nwmac and @kwwii if this is more than just a field.
There will probably (?) be a lot of service accounts, so we should avoid doing a
@richard-cox just to be clear, for this particular scenario I'm referring to GCP IAM Service Accounts (not to be confused with Kubernetes service accounts). These service accounts are assigned to node pools in order to restrict what GCP services can be accessed from a cluster. I agree with you that potentially this would return a lot of data, however this would need a call to the GCP API from server-side. So we can't use labels or annotations.
It looks like there may already be an endpoint for the UI to use here, as GKE provisioning v1 included the option to set service accounts for node pools, see ui code here and norman api code here - does this existing API functionality look adequate @yiannistri?
@mantis-toboggan-md yes that looks adequate 👍
Excellent, then it sounds like we're not backend-blocked on this issue. I have a couple more questions @yiannistri:
Yes, please use the
You can leave the field blank. Setting it to the "Compute Engine default service account" will have the same effect but it's probably simpler to not set it/set it to an empty string. I also think that that description may be editable by a user.
The gke-operator (in v2.9) now supports the ability to specify a service account for a node pool. This is an optional field that may be set to an email address of a service account that has limited permissions, for example test@test-project.iam.gserviceaccount.com. To set this field, one needs to set the value for field .spec.nodePools[*].config.serviceAccount. If not set, the default service account will be used.

There is currently no API method that lists the service accounts for a project, that the UI could invoke to help the user pick a service account. Adding such an API is possible but it would require additional permissions for the GKE service account that Rancher uses, i.e. to include the roles/iam.serviceAccountViewer IAM role.

There is actually an existing endpoint that can be used, proposed in the comments below.

Relates to rancher/gke-operator#262
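The field semantics described above (unset or blank means the node pool runs as the Compute Engine default service account) are easy to audit. The following is an added example, not gke-operator or dashboard code: it walks a constructed GKEClusterConfig-style spec and reports, per node pool, whether the pool uses a user-managed account in the cluster's own project, an account from another project, or falls back to the default. The default account's address shape (PROJECT_NUMBER-compute@developer.gserviceaccount.com) is GCP's convention; GCP's exact length limits on account IDs are not enforced here.

```python
"""Audit which GCP IAM service account each GKE node pool will run as."""
import re
from typing import Dict, List

# Shape of a project's Compute Engine default service account address.
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Shape of a user-managed IAM service account; group 1 is its project ID.
USER_SA_RE = re.compile(r"^[a-z][a-z0-9-]*@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")

# Constructed sample spec: only the fields this audit needs, in the
# .spec.nodePools[*].config.serviceAccount layout the issue describes.
SAMPLE_SPEC: Dict = {
    "projectID": "test-project",
    "nodePools": [
        {"name": "system", "config": {"serviceAccount": "test@test-project.iam.gserviceaccount.com"}},
        {"name": "workers", "config": {}},                      # unset -> default SA
        {"name": "batch", "config": {"serviceAccount": ""}},    # blank -> default SA
        {"name": "foreign", "config": {"serviceAccount": "x@other-project.iam.gserviceaccount.com"}},
    ],
}


def effective_service_account(pool: Dict) -> str:
    """Return the account address a node pool will use, or "" for the default."""
    return (pool.get("config") or {}).get("serviceAccount", "") or ""


def audit_node_pools(spec: Dict) -> List[Dict[str, str]]:
    """Classify each node pool's service account.

    status: "default" (unset, blank, or explicitly the Compute Engine default),
    "custom" (user-managed account in the cluster's project),
    "other-project" (user-managed account in a different project, worth review),
    "invalid" (not a service account address).
    """
    project = spec.get("projectID", "")
    findings = []
    for pool in spec.get("nodePools", []):
        sa = effective_service_account(pool)
        if sa == "" or DEFAULT_SA_RE.match(sa):
            status = "default"
        else:
            m = USER_SA_RE.match(sa)
            status = "invalid" if not m else ("custom" if m.group(1) == project else "other-project")
        findings.append({"pool": pool.get("name", "?"), "serviceAccount": sa, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_node_pools(SAMPLE_SPEC):
        print(f"{f['pool']:<8} {f['status']:<14} {f['serviceAccount'] or '(default)'}")
```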