ci-k8sio-cip: use k8s service account #16917

Merged
merged 2 commits into from
Mar 24, 2020
3 changes: 3 additions & 0 deletions config/jobs/kubernetes/test-infra/test-infra-trusted.yaml
Expand Up @@ -1152,6 +1152,9 @@ periodics:
repo: k8s.io
base_ref: master
spec:
# The k8s-artifacts-prod name was chosen in
# https://github.com/kubernetes/k8s.io/pull/655.
serviceAccountName: k8s-artifacts-prod
containers:
# TODO: Move the official cip image to a more serious location.
#
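Review bot: This job now hard-depends on a ServiceAccount named k8s-artifacts-prod existing in the namespace where the trusted periodics run, and on its Workload Identity binding already being in place. If the manifest in prow/cluster/trusted_serviceaccounts.yaml is applied after this job config rolls out, the pod is rejected at creation with a missing-serviceaccount error; if the GCP-side binding is missing, the pod starts but cannot obtain credentials for the promoter GSA and the job fails at first GCP call. Please state the rollout order in the PR description (apply the ServiceAccount manifest first, then this job config), and consider extending the comment above "serviceAccountName: k8s-artifacts-prod" to name the namespace the account is expected in, so the coupling between the two files is visible from the job definition alone.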
8 changes: 7 additions & 1 deletion prow/cluster/trusted_serviceaccounts.yaml
Expand Up @@ -31,12 +31,18 @@ metadata:
name: deployer
namespace: test-pods
---
kind: ServiceAccount
apiVersion: v1
metadata:
annotations:
iam.gke.io/gcp-service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
Contributor

@fejta fejta Mar 24, 2020

Note that you'll still need to run the gcloud command to authorize k8s-artifacts-prod's ability to authenticate as k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com to GCP.

https://github.com/kubernetes/test-infra/tree/master/workload-identity

Contributor Author


This has already been done by @thockin; I've independently verified that there is a "Workload Identity" role added to the k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com account from the IAM web UI for the k8s-artifacts-prod project which owns that GCP SA, so I think we're ready for merge.

name: k8s-artifacts-prod
namespace: test-pods
# TODO(fejta): https://github.com/kubernetes/test-infra/issues/15806
# * Run experiment/workload-identity/bind-service-accounts.sh on the above
# * Config service account on job
# Do the same for the following:
# k8s-artifacts-graveyard-service-account
# k8s-artifacts-prod-bak-service-account
# k8s-artifacts-prod-service-account
# k8s-gcr-prod-service-account
# service-account
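Review bot: The iam.gke.io/gcp-service-account annotation is only the Kubernetes half of the Workload Identity binding; the GCP half (the binding that lets the test-pods/k8s-artifacts-prod KSA impersonate k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com) is done out of band, as the review comment above and the existing TODO's reference to bind-service-accounts.sh both indicate. Suggest adding a one-line comment directly above the annotation pointing at the workload-identity directory linked in the review, so the next person editing this file knows the binding is a prerequisite that kubectl apply does not create. Since the verification so far was done through the IAM web UI, it is also worth confirming end to end after merge by running a pod in test-pods with serviceAccountName: k8s-artifacts-prod and checking that the GKE metadata server reports the promoter GSA rather than the node's default account. Finally, any pod in test-pods that names this KSA inherits whatever GCP access the promoter GSA holds, which is the reason this ServiceAccount belongs only in the trusted-cluster manifest and the referencing job only in test-infra-trusted.yaml; a short comment saying so next to the metadata block would make that constraint explicit for future additions to this file.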