
K8s Access

udx-github edited this page Jul 3, 2026 · 3 revisions

Provisions a Kubernetes namespace with service account, RBAC, CRD discovery, and kubeconfig stored in Secret Manager.

Use this module when onboarding a new tenant to the shared Rabbit GKE cluster. It creates the namespace, service account, role bindings, and stores the kubeconfig in GCP Secret Manager so that subsequent modules can authenticate to the cluster.

Supported Features

  • Namespace creation with gateway-access label for shared Gateway API routing.
  • Kubernetes service account with GCP Workload Identity annotation.
  • Role and RoleBinding for pods, services, configmaps, secrets, deployments, replicasets, statefulsets, HPAs, PDBs, HTTPRoutes, and HealthCheckPolicies.
  • ClusterRole and ClusterRoleBinding for CRD discovery.
  • Service account token Secret (type kubernetes.io/service-account-token). Tokens of this type do not expire, so treat the stored copy as a long-lived credential.
  • Kubeconfig stored in GCP Secret Manager (k8s-config-<cluster>-<namespace>).
  • SA token stored in GCP Secret Manager (k8s-sa-token-<cluster>-<namespace>).
  • Granular Secret Manager access grants for shared platform secrets.
  • Firebase Admin grant on the cluster project.
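The feature list above describes the RBAC objects as a list of resource kinds. The block below is an added example, not the k8s-access module's own code: it reconstructs that set as Kubernetes manifests (ServiceAccount with the Workload Identity annotation, namespaced Role plus RoleBinding, and a read-only ClusterRole plus ClusterRoleBinding for CRD discovery) and runs a least-privilege lint over them. The verbs, the service-account name and the object names are assumptions; the page does not state them.

```python
"""Illustrative RBAC set matching the k8s-access feature list, plus a least-privilege
lint. Added example, not the module's own code; verbs, the service-account name and
the Role/ClusterRole names are assumptions."""

NAMESPACE = "www-example-com"  # tenant namespace (value from the page's example)
SA_NAME = "www-example-com"    # Kubernetes service account name (assumed)
APP_SA_EMAIL = "worker-site@example-project.iam.gserviceaccount.com"  # page's example

# Namespaced resources from the feature list, grouped by their API group.
NAMESPACED_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets"]},
    {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"]},
    {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"]},
    {"apiGroups": ["gateway.networking.k8s.io"], "resources": ["httproutes"]},
    {"apiGroups": ["networking.gke.io"], "resources": ["healthcheckpolicies"]},
]
NAMESPACED_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]  # assumed
DISCOVERY_VERBS = ["get", "list", "watch"]  # assumed: discovery only needs read access

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
PRIVILEGED_VERBS = {"escalate", "bind", "impersonate"}
BUILTIN_ADMIN_ROLES = {"cluster-admin", "admin", "edit"}


def build_manifests(namespace=NAMESPACE, sa_name=SA_NAME, app_sa_email=APP_SA_EMAIL):
    """Return the ServiceAccount, Role, RoleBinding, ClusterRole and ClusterRoleBinding."""
    subject = {"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}
    service_account = {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": sa_name, "namespace": namespace,
                     # Workload Identity: map the KSA to the runtime GCP service account.
                     "annotations": {"iam.gke.io/gcp-service-account": app_sa_email}},
    }
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": f"{sa_name}-role", "namespace": namespace},
        "rules": [dict(r, verbs=list(NAMESPACED_VERBS)) for r in NAMESPACED_RULES],
    }
    role_binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": f"{sa_name}-rolebinding", "namespace": namespace},
        "subjects": [subject],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                    "name": role["metadata"]["name"]},
    }
    # CRDs are cluster-scoped, so discovering them needs a ClusterRole; keep it read-only.
    cluster_role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
        "metadata": {"name": f"{sa_name}-crd-discovery"},
        "rules": [{"apiGroups": ["apiextensions.k8s.io"],
                   "resources": ["customresourcedefinitions"],
                   "verbs": list(DISCOVERY_VERBS)}],
    }
    cluster_role_binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{sa_name}-crd-discovery"},
        "subjects": [subject],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                    "name": cluster_role["metadata"]["name"]},
    }
    return [service_account, role, role_binding, cluster_role, cluster_role_binding]


def lint_rbac(manifests):
    """Return least-privilege findings for the given RBAC objects; [] means clean."""
    findings = []
    for m in manifests:
        kind, name = m.get("kind"), m.get("metadata", {}).get("name")
        if kind == "ClusterRoleBinding" and m.get("roleRef", {}).get("name") in BUILTIN_ADMIN_ROLES:
            findings.append(f"{kind}/{name}: binds built-in {m['roleRef']['name']} cluster-wide")
        if kind not in ("Role", "ClusterRole"):
            continue
        for rule in m.get("rules", []):
            verbs = set(rule.get("verbs", []))
            resources = set(rule.get("resources", []))
            groups = set(rule.get("apiGroups", []))
            if "*" in verbs or "*" in resources or "*" in groups:
                findings.append(f"{kind}/{name}: wildcard in rule {rule}")
            if verbs & PRIVILEGED_VERBS:
                findings.append(f"{kind}/{name}: privileged verbs {sorted(verbs & PRIVILEGED_VERBS)}")
            if kind == "ClusterRole" and "secrets" in resources:
                findings.append(f"{kind}/{name}: cluster-wide access to secrets")
            if kind == "ClusterRole" and verbs & WRITE_VERBS:
                findings.append(f"{kind}/{name}: cluster-wide write verbs {sorted(verbs & WRITE_VERBS)}")
    return findings


if __name__ == "__main__":
    for finding in lint_rbac(build_manifests()) or ["clean"]:
        print(finding)
```

The lint is the part worth keeping around: the namespaced Role is allowed to be broad because it is confined to the tenant namespace, but anything cluster-scoped (the discovery ClusterRole, any ClusterRoleBinding) should stay read-only and never touch Secrets or the escalate/bind/impersonate verbs.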

Prerequisites

  • GCP credentials with permission to manage GKE, Secret Manager, and IAM.
  • A GKE cluster provisioned by gcp-gke-cluster.
  • Service accounts for both infrastructure deployment and application runtime.

Important Notes

  • This module must run before tenant application deployments. Tenant deployments depend on the kubeconfig secret created here.
  • service_account_email_infra is the R2A service account that is granted roles/secretmanager.secretAccessor on the kubeconfig secret.
  • service_account_email_app is the runtime service account annotated on the Kubernetes SA (iam.gke.io/gcp-service-account) for Workload Identity.
  • The module grants Secret Manager access to the shared platform secrets the runtime requires.
  • Anyone who can read the kubeconfig or SA token secret holds every permission in the namespace Role, including access to Secrets in that namespace. Keep the secretAccessor grant limited to the infra service account and review any additional grants on these two secrets.
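The notes above make tenant deployments depend on the kubeconfig secret this module writes, and the feature list fixes the secret names. The block below is an added example, not the module's code: it assembles the kind of token-based kubeconfig the module stores, serializes it as the Secret Manager payload, and shows the checks a consuming module should run on the fetched payload before handing it to kubectl (expected API server, pinned CA, tenant namespace, bearer-token user). The host, CA and token values are constructed placeholders, and the helper and function names are not the module's.

```python
"""Added example: assemble the token-based kubeconfig the module stores, and
validate a kubeconfig fetched from Secret Manager before a tenant deployment
uses it. Not the module's own code; all values below are constructed."""
import base64
import json

# Constructed stand-ins for real values (not from the page).
CLUSTER_HOST = "https://203.0.113.10"
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
SA_TOKEN = "eyJhbGciOiJSUzI1NiJ9.constructed.token"


def secret_names(cluster_name, namespace):
    """Secret Manager IDs following the page's naming convention."""
    return {"kubeconfig": f"k8s-config-{cluster_name}-{namespace}",
            "sa_token": f"k8s-sa-token-{cluster_name}-{namespace}"}


def build_kubeconfig(cluster_host, ca_pem, token, namespace, sa_name, cluster_name):
    """A single-context kubeconfig that authenticates with the SA bearer token."""
    ctx = f"{sa_name}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name, "cluster": {
            "server": cluster_host,
            "certificate-authority-data": base64.b64encode(ca_pem.encode()).decode()}}],
        "users": [{"name": sa_name, "user": {"token": token}}],
        "contexts": [{"name": ctx, "context": {
            "cluster": cluster_name, "user": sa_name, "namespace": namespace}}],
        "current-context": ctx,
    }


def to_payload(kubeconfig):
    """Serialize for Secret Manager. JSON is valid YAML, so kubectl reads it unchanged."""
    return json.dumps(kubeconfig, indent=2)


def validate_kubeconfig(payload, expected_host, expected_namespace):
    """Checks a consumer should run on the fetched secret; returns problems, [] if clean."""
    doc = json.loads(payload)
    problems = []
    ctx_name = doc.get("current-context")
    ctx = next((c["context"] for c in doc.get("contexts", []) if c.get("name") == ctx_name), None)
    if ctx is None:
        return ["current-context does not resolve to a context"]
    cluster = next((c["cluster"] for c in doc.get("clusters", []) if c.get("name") == ctx.get("cluster")), None)
    user = next((u["user"] for u in doc.get("users", []) if u.get("name") == ctx.get("user")), None)
    if cluster is None or user is None:
        return ["context references a missing cluster or user"]
    server = cluster.get("server", "")
    if server != expected_host:
        problems.append(f"server {server!r} is not the expected cluster {expected_host!r}")
    if not server.startswith("https://"):
        problems.append("server is not an https endpoint")
    if cluster.get("insecure-skip-tls-verify"):
        problems.append("insecure-skip-tls-verify is set")
    if not (cluster.get("certificate-authority-data") or cluster.get("certificate-authority")):
        problems.append("no CA pinned for the API server")
    if ctx.get("namespace") != expected_namespace:
        problems.append(f"context namespace {ctx.get('namespace')!r} is not the tenant namespace")
    if not user.get("token"):
        problems.append("user has no bearer token")
    if "client-certificate-data" in user or "exec" in user:
        problems.append("user carries a client certificate or exec plugin instead of the SA token")
    return problems


if __name__ == "__main__":
    names = secret_names("rabbit-v5-1", "www-example-com")
    payload = to_payload(build_kubeconfig(CLUSTER_HOST, CA_PEM, SA_TOKEN,
                                          "www-example-com", "www-example-com", "rabbit-v5-1"))
    print(names["kubeconfig"], validate_kubeconfig(payload, CLUSTER_HOST, "www-example-com") or "ok")
```

The namespace and server checks matter because a downstream module runs with whatever the fetched kubeconfig says: a payload whose context points at another namespace or another API server would be used silently, so compare it against the values the deployment itself was configured with rather than trusting the secret contents.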

Minimal Example

services:
  - name: "k8s access configurations"
    module: "k8s-access"
    id: "k8s-access-www-example-com"
    deployment_order: 80
    configurations:
      namespace: "www-example-com"
      gke_cluster_location: "us-central1"
      cluster_project_id: "shared-cluster-project"
      client_project_id: "example-com"
      service_account_email_infra: "rabbit-automation-action@example-project.iam.gserviceaccount.com"
      service_account_email_app: "worker-site@example-project.iam.gserviceaccount.com"
      gke_cluster_name: "rabbit-v5-1"

Outputs

| Output | Description |
| --- | --- |
| namespace | The created namespace name. |
| cluster_host | The cluster API server URL. |
| service_account_name | The created Kubernetes service account name. |

Full Configuration Schema

The fields below are public module inputs under configurations.

configurations:
  namespace: "www-example-com"
  gke_cluster_location: "us-central1"
  cluster_project_id: ""
  client_project_id: ""
  service_account_email_infra: ""
  service_account_email_app: ""
  gke_cluster_name: "rabbit-v5-1"
  gateway_access_label: "shared"
  secret_labels:
    creator: "automation"
    r2a_module: "k8s-access"
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| namespace | string | Yes | Kubernetes namespace name. Convention is www-<domain-dashed>. |
| gke_cluster_location | string | Yes | GKE cluster region. |
| cluster_project_id | string | Yes | GCP project ID of the GKE cluster. |
| client_project_id | string | Yes | GCP project ID of the tenant. |
| service_account_email_infra | string | Yes | R2A service account email for the tenant project. |
| service_account_email_app | string | Yes | Runtime service account email for Workload Identity. |
| gke_cluster_name | string | Yes | GKE cluster name. |
| gateway_access_label | string | No | Label value for gateway-access on the namespace. Defaults to shared. |
| secret_labels | map[string] | No | Labels for Secret Manager secrets. |
