Conversation

@saschagrunert
Member

@saschagrunert saschagrunert commented Jun 16, 2022

The idea is to use the GCB service account to be able to sign images in
staging and promote them later into production. This way we can use
cloudbuild.yaml to specify something like:

```
env:
  GOOGLE_SERVICE_ACCOUNT_NAME=448637284062@cloudbuild.gserviceaccount.com
```

We have to obtain the project ID since it is created randomly for each
staging project.

Refers to kubernetes-sigs/security-profiles-operator#984
Should fix the permission issue mentioned in kubernetes-sigs/security-profiles-operator#984 (comment)

/assign @puerco @ameukam

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. area/bash Bash scripts, testing them, writing less of them, code in infra/gcp/ labels Jun 16, 2022
@k8s-ci-robot k8s-ci-robot requested a review from thockin June 16, 2022 07:44
@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Jun 16, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 20, 2022
@saschagrunert
Member Author

@ameukam @puerco PTAL

@ameukam
Member

ameukam commented Jul 5, 2022

@saschagrunert What if we instead set up a specific service account for Cloud Build: https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts? I'm hesitant to add more permissions to the default service account.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 12, 2022
@saschagrunert saschagrunert force-pushed the tokencreator branch 2 times, most recently from 883dbdd to b530231 Compare July 19, 2022 08:03
@ameukam
Member

ameukam commented Jul 25, 2022

Trying to run the script:

    -[]
    +- member: serviceAccount:gcb-image-builder@k8s-staging-infra-tools.iam.gserviceaccount.com
    +  role: roles/iam.serviceAccountTokenCreator
    ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
    ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/cloudbuild.builds.editor is not supported for this resource.

Made a suggestion.
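As an added example (not part of this PR or the k8s.io scripts), a POSIX shell sketch of the two-level binding behind the error above: roles/iam.serviceAccountTokenCreator attaches to the target service account's own IAM policy, while a Cloud Build role such as roles/cloudbuild.builds.editor is project-scoped and is rejected on a service-account resource. The project id, project number and member/target values are constructed placeholders; the script prints the gcloud commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not from kubernetes/k8s.io. Builds the gcloud invocations that
# let a dedicated builder SA mint tokens for a staging project's default
# Cloud Build SA, binding each role at the level that accepts it.
set -eu

# The default Cloud Build SA is named after the project *number*, which is
# different for every staging project, so it must be looked up, not hardcoded.
cloudbuild_default_sa() {
  echo "$1@cloudbuild.gserviceaccount.com"
}

# Roles that live in a service account's own IAM policy. Anything else sent to
# "gcloud iam service-accounts add-iam-policy-binding" fails with
# "Role ... is not supported for this resource", as seen in the thread.
sa_level_role() {
  case "$1" in
    roles/iam.serviceAccountTokenCreator|roles/iam.serviceAccountUser) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the binding command for one role; return 1 for roles we do not know
# how to place, so a typo never silently widens a project-level grant.
binding_command() {
  project="$1"; target_sa="$2"; member_sa="$3"; role="$4"
  if sa_level_role "$role"; then
    echo "gcloud iam service-accounts add-iam-policy-binding ${target_sa}" \
         "--project=${project} --member=serviceAccount:${member_sa} --role=${role}"
  else
    case "$role" in
      roles/cloudbuild.*)
        echo "gcloud projects add-iam-policy-binding ${project}" \
             "--member=serviceAccount:${member_sa} --role=${role}" ;;
      *) return 1 ;;
    esac
  fi
}

main() {
  project="k8s-staging-example"   # constructed placeholder
  project_number="123456789012"   # constructed placeholder
  builder_sa="gcb-image-builder@k8s-staging-infra-tools.iam.gserviceaccount.com"
  target_sa="$(cloudbuild_default_sa "${project_number}")"
  binding_command "${project}" "${target_sa}" "${builder_sa}" roles/iam.serviceAccountTokenCreator
  binding_command "${project}" "${target_sa}" "${builder_sa}" roles/cloudbuild.builds.editor
}
main
```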

```bash
ensure_service_account \
  "${project}" \
  "${sa_name}" \
  "used by prow to sign artifacts for ${project}"
```
Member


Suggested change:

```diff
-"used by prow to sign artifacts for ${project}"
+"used by prow to build container images and sign artifacts for ${project}"
```

@saschagrunert
Member Author

> Trying to run the script:
>
>     -[]
>     +- member: serviceAccount:gcb-image-builder@k8s-staging-infra-tools.iam.gserviceaccount.com
>     +  role: roles/iam.serviceAccountTokenCreator
>     ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
>     ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/cloudbuild.builds.editor is not supported for this resource.
>
> Made a suggestion.

Thanks, fixed as suggested 👍

The idea is to use the GCB service account to be able to sign images in
staging and promote them later into production. This way we can use
cloudbuild.yaml to specify something like:

```
env:
  GOOGLE_SERVICE_ACCOUNT_NAME=448637284062@cloudbuild.gserviceaccount.com
```

We have to obtain the project ID since it is created randomly for each
staging project.

Signed-off-by: Sascha Grunert <[email protected]>
@saschagrunert
Member Author

@ameukam Is this now ready to go after #4028 has been merged?

@ameukam
Member

ameukam commented Aug 1, 2022

> @ameukam Is this now ready to go after #4028 has been merged?

@saschagrunert I want to ensure we can use that approach to build images. The PR by itself is fine but I want to double-check. Let me update #3578 and try to build it.

@saschagrunert
Member Author

> > @ameukam Is this now ready to go after #4028 has been merged?
>
> @saschagrunert I want to ensure we can use that approach to build images. The PR by itself is fine but I want to double-check. Let me update #3578 and try to build it.

Awesome, do you have any news on that topic?

@ameukam
Member

ameukam commented Aug 24, 2022

> > > @ameukam Is this now ready to go after #4028 has been merged?
> >
> > @saschagrunert I want to ensure we can use that approach to build images. The PR by itself is fine but I want to double-check. Let me update #3578 and try to build it.
>
> Awesome, do you have any news on that topic?

I got a failure trying to use the SA: #3578 (comment).

I didn't have the time to investigate. I'll merge this PR tomorrow and actuate the script. We can investigate the failure as a follow-up.

@saschagrunert
Member Author

@ameukam do you think we can merge this now?

@ameukam
Member

ameukam commented Nov 24, 2022

> @ameukam do you think we can merge this now?

Yes. We need some follow-up PR to make sure subprojects can sign the images. There is an issue with service account impersonation between the service account used by prow and the one used by GCB.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 24, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ameukam, JAORMX, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 24, 2022
@k8s-ci-robot k8s-ci-robot merged commit f13eaa7 into kubernetes:main Nov 24, 2022
@saschagrunert saschagrunert deleted the tokencreator branch November 24, 2022 13:17