Merge pull request #15937 from fejta/serve

Declare some trusted service accounts

prow/cluster/BUILD.bazel

@@ -66,6 +66,7 @@ release(
     component("tide", "service", "deployment"),
     component("tls-ing", "ingress"),
     component("tot", "service", "deployment"),
+    component("trusted_serviceaccounts", MULTI_KIND),
     component(
         "tune-sysctls",
         "daemonset",

prow/cluster/trusted_serviceaccounts.yaml

@@ -0,0 +1,42 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: [email protected]
+  name: resultstore
+  namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: [email protected]
+  name: pusher
+  namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: [email protected]
+  name: testgrid-config-updater
+  namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: [email protected]
+  name: deployer
+  namespace: test-pods
+---
+# TODO(fejta): https://github.com/kubernetes/test-infra/issues/15806
+# * Run experiment/workload-identity/bind-service-accounts.sh on the above
+# * Config service account on job
+# Do the same for the following:
+# k8s-artifacts-graveyard-service-account
+# k8s-artifacts-prod-bak-service-account
+# k8s-artifacts-prod-service-account
+# k8s-gcr-prod-service-account
+# service-account