K8s Access
Andy Potanin edited this page Jun 21, 2026 · 3 revisions
Provisions a Kubernetes namespace with service account, RBAC, CRD discovery, and kubeconfig stored in Secret Manager.
Use this module when onboarding a new tenant to the shared Rabbit GKE cluster. It creates the namespace, service account, role bindings, and stores the kubeconfig in GCP Secret Manager so that subsequent modules can authenticate to the cluster.
- Namespace creation with a `gateway-access` label for shared Gateway API routing.
- Kubernetes service account with the GCP Workload Identity annotation.
- Role and RoleBinding for pods, services, configmaps, secrets, deployments, replicasets, statefulsets, HPAs, PDBs, HTTPRoutes, and HealthCheckPolicies.
- ClusterRole and ClusterRoleBinding for CRD discovery.
- Service account token secret.
- Kubeconfig stored in GCP Secret Manager (`k8s-config-<cluster>-<namespace>`).
- SA token stored in GCP Secret Manager (`k8s-sa-token-<cluster>-<namespace>`).
- Granular Secret Manager access grants for shared platform secrets.
- Firebase Admin grant on the cluster project.

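The list above names the Kubernetes objects the module creates but not their shape. The following is an added illustration, not code from the `k8s-access` module: it renders those objects as plain Python dicts (the same structure a YAML manifest holds) and runs the least-privilege checks a reviewer would apply before letting a tenant service account use them. The object names, the mapping of resources to API groups and the verbs are assumptions; the page does not list them. The Workload Identity annotation key and the RBAC API group are the standard GKE/Kubernetes ones.

```python
"""Added example, not code from the k8s-access module: renders the objects the
feature list describes as dicts and audits them for least privilege.
Assumptions: object names, API-group grouping and verbs are not on the page."""
import json

# Resources from the feature list, grouped by API group (grouping is an assumption).
NAMESPACED_RULES = [
    ("", ["pods", "services", "configmaps", "secrets"]),
    ("apps", ["deployments", "replicasets", "statefulsets"]),
    ("autoscaling", ["horizontalpodautoscalers"]),
    ("policy", ["poddisruptionbudgets"]),
    ("gateway.networking.k8s.io", ["httproutes"]),
    ("networking.gke.io", ["healthcheckpolicies"]),
]
MANAGE_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]
READ_VERBS = ["get", "list", "watch"]
WORKLOAD_IDENTITY_ANNOTATION = "iam.gke.io/gcp-service-account"  # standard GKE key
RBAC = "rbac.authorization.k8s.io/v1"


def build_manifests(namespace, app_sa_email, gateway_access_label="shared"):
    """Return the six objects the module provisions. Object names are hypothetical."""
    sa_name = f"{namespace}-sa"
    ns = {"apiVersion": "v1", "kind": "Namespace",
          "metadata": {"name": namespace,
                       "labels": {"gateway-access": gateway_access_label}}}
    # The Workload Identity annotation binds the K8s SA to the app GCP SA.
    sa = {"apiVersion": "v1", "kind": "ServiceAccount",
          "metadata": {"name": sa_name, "namespace": namespace,
                       "annotations": {WORKLOAD_IDENTITY_ANNOTATION: app_sa_email}}}
    # Namespace-scoped Role: one rule per API group, no wildcards.
    role = {"apiVersion": RBAC, "kind": "Role",
            "metadata": {"name": f"{namespace}-role", "namespace": namespace},
            "rules": [{"apiGroups": [g], "resources": r, "verbs": MANAGE_VERBS}
                      for g, r in NAMESPACED_RULES]}
    subject = {"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}
    rb = {"apiVersion": RBAC, "kind": "RoleBinding",
          "metadata": {"name": f"{namespace}-rb", "namespace": namespace},
          "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                      "name": role["metadata"]["name"]},
          "subjects": [subject]}
    # CRD discovery needs cluster-wide access, but only read access to the CRD list.
    cr = {"apiVersion": RBAC, "kind": "ClusterRole",
          "metadata": {"name": f"{namespace}-crd-discovery"},
          "rules": [{"apiGroups": ["apiextensions.k8s.io"],
                     "resources": ["customresourcedefinitions"], "verbs": READ_VERBS}]}
    crb = {"apiVersion": RBAC, "kind": "ClusterRoleBinding",
           "metadata": {"name": f"{namespace}-crd-discovery"},
           "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                       "name": cr["metadata"]["name"]},
           "subjects": [subject]}
    return [ns, sa, role, rb, cr, crb]


def audit(manifests):
    """Least-privilege checks on the rendered objects; returns findings (empty = pass)."""
    findings = []
    namespace = next(m["metadata"]["name"] for m in manifests if m["kind"] == "Namespace")
    for m in manifests:
        kind, name = m["kind"], m["metadata"]["name"]
        if kind in ("ServiceAccount", "Role", "RoleBinding") and m["metadata"].get("namespace") != namespace:
            findings.append(f"{kind}/{name} is not scoped to namespace {namespace}")
        if kind == "Role":
            for rule in m["rules"]:
                if "*" in rule["verbs"] or "*" in rule["resources"] or "*" in rule["apiGroups"]:
                    findings.append(f"Role/{name} uses a wildcard rule")
        if kind == "ClusterRole":
            for rule in m["rules"]:
                if rule["apiGroups"] != ["apiextensions.k8s.io"] or set(rule["verbs"]) - set(READ_VERBS):
                    findings.append(f"ClusterRole/{name} grants more than CRD read access")
        if kind == "ClusterRoleBinding" and m["roleRef"]["name"] == "cluster-admin":
            findings.append(f"ClusterRoleBinding/{name} binds cluster-admin")
        if kind == "ServiceAccount" and WORKLOAD_IDENTITY_ANNOTATION not in m["metadata"].get("annotations", {}):
            findings.append(f"ServiceAccount/{name} lacks the Workload Identity annotation")
    return findings


if __name__ == "__main__":
    # Sample values taken from the example configuration on this page.
    objs = build_manifests("www-example-com", "worker-site@example-com.iam.gserviceaccount.com")
    print(json.dumps(objs, indent=2))
    print("findings:", audit(objs))
```

Running `audit` against what the module actually applies (for example the output of `kubectl get -o json` in the tenant namespace) is a cheap way to catch a wildcard rule or a cluster-admin binding slipping into a tenant's RBAC.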
Before running the module you need:

- GCP credentials with permission to manage GKE, Secret Manager, and IAM.
- A GKE cluster provisioned by `gcp-gke-cluster`.
- Service accounts for both infrastructure (R2A) and application (worker-site).

Notes on ordering and access:

- This module must run from `rabbit-infra` before any tenant repo deployment. Tenant repos depend on the kubeconfig secret created here.
- `service_account_email_infra` is the R2A service account that gets `secretAccessor` on the kubeconfig secret.
- `service_account_email_app` is the runtime service account annotated on the Kubernetes SA for Workload Identity.
- The module grants access to a fixed set of shared secrets: `GITHUB_DEPLOY_KEY`, `RABBIT_GHT`, `NEW_RELIC_LICENSE_KEY`, `SLACK_WEBHOOK_URL`, and `aws-cache-invalidation-service-account`.

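The notes describe an access chain: the kubeconfig and SA token land in Secret Manager under the names given in the feature list, and only the infra (R2A) service account is granted `secretAccessor` on them. The following is an added example, not code from the `k8s-access` module or the `rabbit-infra` repo: it derives the secret names from the page's patterns, builds a kubeconfig that pins the tenant namespace and authenticates with the SA token, expresses the per-secret IAM grant as a policy binding, and checks both before a downstream module would trust them. The IAM role name and the kubeconfig field names are the standard GCP and Kubernetes ones; the context and user naming and all sample values are constructed.

```python
"""Added example, not code from the k8s-access module or the rabbit-infra repo.
Shows how the kubeconfig and SA-token secrets from the notes fit together:
secret names follow the page's patterns, the kubeconfig pins the tenant
namespace, and only the infra service account may read the secrets.
Assumptions: context/user naming and every sample value are constructed."""
import base64

SECRET_ACCESSOR = "roles/secretmanager.secretAccessor"  # standard GCP IAM role


def secret_names(cluster, namespace):
    """Secret Manager secret IDs, following the naming patterns on the page."""
    return {
        "kubeconfig": f"k8s-config-{cluster}-{namespace}",
        "sa_token": f"k8s-sa-token-{cluster}-{namespace}",
    }


def build_kubeconfig(cluster, namespace, cluster_host, ca_cert_pem, sa_name, token):
    """Kubeconfig handed to downstream modules: one cluster, one SA user, and a
    context that pins the tenant namespace so kubectl never defaults elsewhere."""
    user = f"{sa_name}@{namespace}"  # constructed naming
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{
            "name": cluster,
            "cluster": {
                "server": cluster_host,
                "certificate-authority-data": base64.b64encode(ca_cert_pem.encode()).decode(),
            },
        }],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{
            "name": namespace,
            "context": {"cluster": cluster, "user": user, "namespace": namespace},
        }],
        "current-context": namespace,
    }


def kubeconfig_secret_policy(infra_sa_email):
    """IAM policy set on the kubeconfig and token secrets themselves (not on the
    project): only the infra (R2A) service account can read them."""
    return {"bindings": [{"role": SECRET_ACCESSOR,
                          "members": [f"serviceAccount:{infra_sa_email}"]}]}


def validate_kubeconfig(cfg):
    """Checks a consumer should run before trusting a kubeconfig pulled from
    Secret Manager. Returns a list of problems; empty means it is usable."""
    problems = []
    ctx = next((c for c in cfg.get("contexts", []) if c["name"] == cfg.get("current-context")), None)
    if ctx is None:
        return ["current-context does not name a defined context"]
    if not ctx["context"].get("namespace"):
        problems.append("context does not pin a namespace")
    cluster = next((c for c in cfg.get("clusters", []) if c["name"] == ctx["context"].get("cluster")), None)
    if cluster is None:
        problems.append("context references an undefined cluster")
    else:
        spec = cluster["cluster"]
        if not spec.get("server", "").startswith("https://"):
            problems.append("cluster server is not an https URL")
        if spec.get("insecure-skip-tls-verify"):
            problems.append("TLS verification is disabled")
        elif not spec.get("certificate-authority-data") and not spec.get("certificate-authority"):
            problems.append("no cluster CA is pinned")
    user = next((u for u in cfg.get("users", []) if u["name"] == ctx["context"].get("user")), None)
    if user is None or not user["user"].get("token"):
        problems.append("user has no bearer token")
    return problems


def validate_policy(policy, infra_sa_email):
    """The only secretAccessor member should be the infra SA; flag anything broader."""
    problems = []
    for b in policy["bindings"]:
        if b["role"] != SECRET_ACCESSOR:
            problems.append(f"unexpected role {b['role']}")
        for m in b["members"]:
            if m in ("allUsers", "allAuthenticatedUsers") or m.startswith(("user:", "group:", "domain:")):
                problems.append(f"overly broad member {m}")
            elif m != f"serviceAccount:{infra_sa_email}":
                problems.append(f"unexpected member {m}")
    return problems


if __name__ == "__main__":
    # All values constructed for illustration; the token is not a real credential.
    infra = "rabbit-automation-action@example-com.iam.gserviceaccount.com"
    cfg = build_kubeconfig("rabbit-v5-1", "www-example-com", "https://203.0.113.10",
                           "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
                           "www-example-com-sa", "constructed-sa-token")
    print(secret_names("rabbit-v5-1", "www-example-com"))
    print("kubeconfig problems:", validate_kubeconfig(cfg))
    print("policy problems:", validate_policy(kubeconfig_secret_policy(infra), infra))
```

The two validators are the useful part for a tenant repo: a kubeconfig that skips TLS verification or whose context does not pin the namespace, or a secret policy that has grown a `user:` or `allUsers` member, should fail the deployment before anything is applied to the shared cluster.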
```yaml
services:
  - name: "k8s access configurations"
    module: "k8s-access"
    id: "k8s-access-www-example-com"
    deployment_order: 80
    configurations:
      namespace: "www-example-com"
      gke_cluster_location: "us-central1"
      cluster_project_id: "rabbit-cdmsqarskcacnbpe"
      client_project_id: "example-com"
      service_account_email_infra: "rabbit-automation-action@example-com.iam.gserviceaccount.com"
      service_account_email_app: "worker-site@example-com.iam.gserviceaccount.com"
      gke_cluster_name: "rabbit-v5-1"
```

| Output | Description |
|---|---|
| `namespace` | The created namespace name. |
| `cluster_host` | The cluster API server URL. |
| `service_account_name` | The created Kubernetes service account name. |

The fields below are public module inputs under `configurations`.

```yaml
configurations:
  namespace: "www-example-com"
  gke_cluster_location: "us-central1"
  cluster_project_id: ""
  client_project_id: ""
  service_account_email_infra: ""
  service_account_email_app: ""
  gke_cluster_name: "rabbit-v5-1"
  gateway_access_label: "shared"
  secret_labels:
    creator: "automation"
    r2a_module: "k8s-access"
```

| Field | Type | Required | Description |
|---|---|---|---|
| `namespace` | string | Yes | Kubernetes namespace name. Convention is `www-<domain-dashed>`. |
| `gke_cluster_location` | string | Yes | GKE cluster region. |
| `cluster_project_id` | string | Yes | GCP project ID of the GKE cluster (typically `rabbit-cdmsqarskcacnbpe`). |
| `client_project_id` | string | Yes | GCP project ID of the tenant. |
| `service_account_email_infra` | string | Yes | R2A service account email for the tenant project. |
| `service_account_email_app` | string | Yes | Runtime service account email for Workload Identity. |
| `gke_cluster_name` | string | Yes | GKE cluster name. |
| `gateway_access_label` | string | No | Label value for `gateway-access` on the namespace. Defaults to `shared`. |
| `secret_labels` | map[string] | No | Labels for Secret Manager secrets. |