
Create a service account for nodes if one isn't provided. #2

Closed
morgante opened this issue Aug 30, 2018 · 5 comments
Labels
enhancement New feature or request

Comments

@morgante
Contributor

morgante commented Aug 30, 2018

We need a holistic solution here which permanently removes the dependency on the default service account. Including:

  1. Adding a top-level variable of service_account which accepts three values:
    a. the email of a custom Service Account,
    b. default-compute (the default compute service account), or
    c. create - automatically creates a service account for use

This top-level service account will be the default for all node pools which don't explicitly provide one.

These flags can optionally be implemented incrementally.

@Jberlinsky
Contributor

@morgante Picking this up.

One quick clarification -- I read this as create should create a service account for the cluster for use, that is to say that it will have the cluster name in the service account ID. Please let me know if you had something else in mind.

@Jberlinsky Jberlinsky self-assigned this Dec 18, 2018
@morgante
Contributor Author

morgante commented Dec 18, 2018 via email

@morgante
Contributor Author

One addendum: I would still like us to do some discovery on why a service account is even required. GCE VMs do not all require service accounts, so it's not clear why the module would break without a service account at all.

@Jberlinsky
Contributor

Based on https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa, the service account is necessary to enable Stackdriver for monitoring and logging, and pulling images from GCR.
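To make the three cases concrete, here is an added example (not the module's own code, nor the change merged in #80) showing one way to implement the top-level service_account variable from the opening comment and to grant a created account only the logging, monitoring and GCR-pull roles that the hardening guide cited above requires. Assumed names: var.project_id, var.cluster_name and an existing google_container_cluster.cluster; the nested conditional and for_each need Terraform 0.12.6 or later.

```hcl
# Added example, not the module's code. Assumes var.project_id, var.cluster_name
# and google_container_cluster.cluster exist elsewhere in the configuration.
variable "service_account" {
  description = "Email of a custom SA, \"default-compute\", or \"create\"."
  type        = string
  default     = "create"
}

# Only consulted when the caller asks for the Compute Engine default SA.
data "google_compute_default_service_account" "default" {
  project = var.project_id
}

# Created only when service_account == "create"; named after the cluster.
resource "google_service_account" "nodes" {
  count        = var.service_account == "create" ? 1 : 0
  project      = var.project_id
  account_id   = "${var.cluster_name}-nodes"
  display_name = "GKE node service account for ${var.cluster_name}"
}

# Resolve the three cases to a single email used by every node pool.
locals {
  node_sa_email = (
    var.service_account == "create" ? google_service_account.nodes[0].email :
    var.service_account == "default-compute" ? data.google_compute_default_service_account.default.email :
    var.service_account
  )
}

# Least-privilege roles for node logging, monitoring and pulling images from
# GCR, granted only to the account this configuration created.
resource "google_project_iam_member" "node_sa_roles" {
  for_each = var.service_account == "create" ? toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/storage.objectViewer",
  ]) : toset([])
  project = var.project_id
  role    = each.key
  member  = "serviceAccount:${google_service_account.nodes[0].email}"
}

# The node pool uses the resolved email instead of silently inheriting the
# project-wide Compute Engine default service account.
resource "google_container_node_pool" "pool" {
  name       = "${var.cluster_name}-pool"
  cluster    = google_container_cluster.cluster.id
  node_count = 1
  node_config {
    service_account = local.node_sa_email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

With the cloud-platform scope, effective permissions are bounded by the IAM roles on the account rather than by legacy OAuth scopes, so the four roles above are the complete set of permissions the nodes receive.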

@aaron-lane
Contributor

Fixed by #80.

mmontan added a commit to mmontan/terraform-google-kubernetes-engine that referenced this issue Sep 30, 2019
# This is the 1st commit message:

Initial definition of a Safer Cluster module.

# This is the commit message terraform-google-modules#2:

Add a sample for using the safer-cluster module.

# This is the commit message terraform-google-modules#3:

Add a test kitchen instance

# This is the commit message terraform-google-modules#4:

Formatting TF files.

# This is the commit message terraform-google-modules#5:

Add a test for the safer-cluster module

# This is the commit message terraform-google-modules#6:

Additional fixes
morgante pushed a commit that referenced this issue Oct 29, 2019
morgante pushed a commit that referenced this issue Nov 20, 2019