
Create a service account in the k8s-infra-prow-build cluster. #7246

Open
dargudear-google opened this issue Sep 2, 2024 · 11 comments
Labels
sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.

Comments

@dargudear-google

I am working on re-creating a prow job; these prow jobs were deleted during the migration to community infra. Discussion ref.

I started re-creation of the job and submitted https://github.com/kubernetes/test-infra/pull/33340/files
But when the job was triggered it could not find the serviceaccount secrets-store-csi-driver-gcp
job config: https://prow.k8s.io/prowjob?prowjob=3651f2a3-a736-453e-b349-9f29af4a17ce
build_serviceaccounts.yaml has the config for serviceaccount secrets-store-csi-driver-gcp

Can we create a similar account as of old account to re-create the tests?

@dargudear-google dargudear-google added the sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. label Sep 2, 2024
@BenTheElder
Member

We usually use workload identity.

The interesting question isn't the service account, it is what resources the service account enables access to.

We need to know what resources are required so we can figure out how to manage them in the community accounts.

We are NOT permitting dependency to external resources not managed by the project within the infra/CI we operate, to prevent future headaches.

@BenTheElder
Member

@kubernetes/sig-k8s-infra-leads [to track this discussion about providing resources for secrets-store-csi-driver testing, I suspect we will need something similar to https://github.com//pull/6924 + make sure boskos handles it]

@dargudear-google
Author

Service account needs to access the secrets from a project owned by google internally.

This prow job creates a kind cluster; inside the kind cluster, the secret driver and provider get installed. This provider needs to access secrets. The baseline requirement is that the workload identity we usually use should be able to act as [email protected] like it did earlier: https://github.com/kubernetes/test-infra/blob/master/config/prow/cluster/build/build_serviceaccounts.yaml#L59-L66

@BenTheElder
Member

> Service account needs to access the secrets from a project owned by google internally.

This is not supported. We do not permit taking dependencies on third party accounts. We have just spent years fixing this.

As previously mentioned and outlined, but again https://groups.google.com/a/kubernetes.io/g/dev/c/p6PAML90ZOU/m/11sDguoxAQAJ / https://groups.google.com/a/kubernetes.io/g/dev/c/qzNYpcN5la4

> This prow job creates a kind cluster; inside the kind cluster, the secret driver and provider get installed. This provider needs to access secrets.

Surely we can identify what a GCP project would need to have in order to do this with a kubernetes.io GCP project?

@dargudear-google
Author

What if we configure a job like this, which uses boskos? In the test, a new GKE cluster will be created (using gcloud) along with a Secret Manager secret. We will test the functionality in the cluster. Since we will have our own project, there won't be any permission issues.

@BenTheElder
Member

> What if we configure a job like this, which uses boskos?

Sure.

> In the test, a new GKE cluster will be created (using gcloud) along with a Secret Manager secret.

We don't generally test OSS projects with GKE versus one of the open source tools (like kops) but ....

> We will test the functionality in the cluster. Since we will have our own project, there won't be any permission issues.

To be clear: You mean a project rented from boskos? Which is one of the shared projects.

If this job creates additional resources, the project cleanup script needs to be made aware of them (there's no generic way to get all resources AFAIK, and even if there was, there can be ordering issues): https://github.com/kubernetes/test-infra/blob/master/boskos/cmd/janitor/gcp_janitor.py

@dargudear-google
Author

> If this job creates additional resources, the project cleanup script needs to be made aware of them (there's no generic way to get all resources AFAIK, and even if there was, there can be ordering issues): https://github.com/kubernetes/test-infra/blob/master/boskos/cmd/janitor/gcp_janitor.py

Like this kubernetes/test-infra#33669 ?

@dargudear-google
Author

dargudear-google commented Oct 16, 2024

> @kubernetes/sig-k8s-infra-leads [to track this discussion about providing resources for secrets-store-csi-driver testing, I suspect we will need something similar to https://github.com//pull/6924 + make sure boskos handles it]

See if we can have #7416 ?

Also, I am planning to test the prow job after the above PRs.

@BenTheElder
Member

> Like this kubernetes/test-infra#33669 ?

I don't think we use that copy anymore (need to check with @dims @upodroid), but that looks about right 👍

> See if we can have #7416 ?

We should check @upodroid @ameukam, but I think that's fine.

@ameukam
Member

ameukam commented Oct 28, 2024

> Like this kubernetes/test-infra#33669 ?

> I don't think we use that copy anymore (need to check with @dims @upodroid), but that looks about right 👍

I remember an issue about secrets cleanup: https://github.com/kubernetes-sigs/boskos/pull/204/files.

@dargudear-google
Author

> Like this kubernetes/test-infra#33669 ?

> I don't think we use that copy anymore (need to check with @dims @upodroid), but that looks about right 👍

> I remember an issue about secrets cleanup: https://github.com/kubernetes-sigs/boskos/pull/204/files.

I have tested my changes on my local setup and this is working.

I can see the issue in the resource there, as in gcloud we have gcloud secrets, not secretmanager.
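As an added illustration (not the project's janitor code, and not code from any commenter) of the cleanup step the thread is discussing: a janitor routine for a rented boskos project that enumerates and deletes leftover Secret Manager secrets through the `gcloud secrets` command group rather than a non-existent `secretmanager` group. The function names, the injectable command runner and the sample listing are assumptions made for offline testing.

```python
import subprocess
from typing import Callable, List, Tuple

Runner = Callable[[List[str]], str]  # argv in, stdout text out


def run_gcloud(argv: List[str]) -> str:
    """Default runner: execute gcloud and return its stdout (raises on failure)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def list_secrets_cmd(project: str) -> List[str]:
    # Secret Manager lives under the `gcloud secrets` group, not `gcloud secretmanager`.
    return ["gcloud", "secrets", "list", "--project", project, "--format=value(name)"]


def delete_secret_cmd(project: str, name: str) -> List[str]:
    # --quiet suppresses the confirmation prompt, which an unattended janitor cannot answer.
    return ["gcloud", "secrets", "delete", name, "--project", project, "--quiet"]


def parse_secret_names(output: str) -> List[str]:
    """One name per line; drop blanks and reduce 'projects/N/secrets/X' to 'X'."""
    return [ln.strip().rsplit("/", 1)[-1] for ln in output.splitlines() if ln.strip()]


def cleanup_secrets(project: str, runner: Runner = run_gcloud,
                    dry_run: bool = False) -> Tuple[List[str], List[str]]:
    """Delete every secret left in a rented project; return (deleted, failed).
    A failure on one secret is recorded and the loop continues, so one stuck
    resource does not block cleanup of the others."""
    deleted, failed = [], []
    for name in parse_secret_names(runner(list_secrets_cmd(project))):
        try:
            if not dry_run:
                runner(delete_secret_cmd(project, name))
            deleted.append(name)
        except subprocess.CalledProcessError:
            failed.append(name)
    return deleted, failed


# Constructed sample listing (not real gcloud output) for offline demos and tests.
SAMPLE_LISTING = "projects/123456789/secrets/e2e-secret-a\nprojects/123456789/secrets/e2e-secret-b\n\n"


def fake_runner(listing: str, fail_on: Tuple[str, ...] = ()):
    """Offline stand-in for gcloud: replays `listing` and records every call."""
    calls: List[List[str]] = []

    def runner(argv: List[str]) -> str:
        calls.append(argv)
        if argv[2] == "list":
            return listing
        if argv[3] in fail_on:  # argv[3] is the secret name in a delete command
            raise subprocess.CalledProcessError(1, argv)
        return ""
    return runner, calls
```

Run against a real project with `cleanup_secrets("PROJECT_ID")`, or with `dry_run=True` first to see what the janitor would remove.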


3 participants