-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci-k8sio-cip: use k8s service account #16917
Conversation
This is a follow-up to kubernetes/k8s.io#655 and kubernetes#16883.
/approve |
/hold |
These are self service, we apply what is declared on merge: test-infra/prow/cluster/BUILD.bazel Lines 63 to 73 in 0132e79
As Aaron says, if you want a service account with that name to exist, you need to declare it (in the correct cluster where the job runs): https://github.com/kubernetes/test-infra/blob/master/prow/cluster/trusted_serviceaccounts.yaml |
This follows the instructions posted at kubernetes#16917 (comment).
apiVersion: v1 | ||
metadata: | ||
annotations: | ||
iam.gke.io/gcp-service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that you'll still need to run the gcloud command to authorize k8s-artifacts-prod
's ability to authenticate as k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
to GCP.
https://github.com/kubernetes/test-infra/tree/master/workload-identity
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has already been done by @thockin; I've indepently verified that there is a "Workload Identity" role added to the k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
account from the IAM web ui for the k8s-artifacts-prod
project which owns that GCP SA, so I think we're ready for merge.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fejta, listx, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ACK. ISTR these files before when you were first doing this stuff earlier this year Erick, thanks for the reminder. |
/hold cancel |
@listx: Updated the
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is a followup to kubernetes/test-infra#16917. The problem is that there are 2 completely separate Prow clusters, one called k8s-prow-builds, which runs random presubmits from the public and k8s-prow, which only runs trusted jobs. The ci-k8sio-cip job runs in the trusted cluster, and so the Workload Identity grant must be for "k8s-prow", not "k8s-prow-builds". The incorrect grant to "k8s-prow-builds.svc.id.goog[test-pods/k8s-artifacts-prod]" must manually be removed.
This is a follow-up to kubernetes/k8s.io#655 and
#16883.
/cc @fejta @thockin
Aside: I think the KSA name "k8s-artifacts-prod" is bad (too generic) and should be changed in the future, but let's do that later when we need to disambiguate.