faint-motherboard-95438
12/03/2018, 11:09 PM
cluster-admin for this cluster beforehand (as stated here: https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#setting_up_role-based_access_control), see where I’m going with that?
I need the cluster to be created to be able to make this binding before being able to create any other Role or ClusterRole, but since the cluster creation and the roles are part of the automation, the only way everything works as expected (in one shot) would be to create this RoleBinding right after the cluster is ready inside the Pulumi stack deployment. Doing so would require getting my current active Google identity to make the right binding on the right account.
How/can I do that within Pulumi with the @pulumi/kubernetes package (I’m using the TypeScript flavor)?
most-pager-38056
12/03/2018, 11:13 PM
import * as k8s from "@pulumi/kubernetes";

// k8sProvider is the k8s.Provider built from the new cluster's kubeconfig.
// Passing it explicitly as the resource option makes the ClusterRole target
// that cluster instead of whatever kubectl context is active locally.
const clusterRole = new k8s.rbac.v1.ClusterRole(
  'cluster-role-name',
  {
    // options here...
  },
  {
    provider: k8sProvider,
  },
);
faint-motherboard-95438
12/03/2018, 11:21 PM
ClusterRole is made by a helm Chart and it seems that passing the provider to a k8s.helm.v2.Chart does not change the problem
most-pager-38056
12/03/2018, 11:24 PM
kubernetes key.
import * as k8s from "@pulumi/kubernetes";

// A Chart takes a `providers` map keyed by package name ("kubernetes"),
// not the single `provider` option used on individual resources.
const chart = new k8s.helm.v2.Chart(
  'chart-name',
  {
    // options...
  },
  {
    providers: { kubernetes: k8sProvider },
  },
);
Is that how you are doing it?
faint-motherboard-95438
12/03/2018, 11:29 PM
creamy-potato-29402
12/03/2018, 11:30 PM
faint-motherboard-95438
12/03/2018, 11:32 PM
creamy-potato-29402
12/03/2018, 11:37 PM
import * as k8s from "@pulumi/kubernetes";
import * as gcp from "@pulumi/gcp";
import { k8sProvider } from "./cluster";
import * as config from "./config";

// The ServiceAccount that will manage Kubernetes resources as part of CI.
export const gcpServiceAccount = new gcp.serviceAccount.Account(`${config.appName}`, {
  accountId: config.appName,
  displayName: "Test CI"
});

// The key that we will place in the Travis CI using `travis encrypt`.
export const gcpServiceAccountKey = new gcp.serviceAccount.Key(config.appName, {
  serviceAccountId: gcpServiceAccount.name
});

// A custom IAM role carrying only the permissions CI needs.
export const testCiRole = new gcp.projects.IAMCustomRole(config.appName, {
  roleId: "testci",
  title: "Test CI role",
  project: config.project,
  permissions: [...]
});

// Grants the ServiceAccount the custom role (the ability to use the gcloud container API).
export const gcpCiRole = new gcp.projects.IAMBinding(config.appName, {
  // role: "projects/pulumi-development/roles/KubernetesTestCIRole",
  role: testCiRole.id,
  members: [gcpServiceAccount.email.apply(email => `serviceAccount:${email}`)]
});

// Grants the ServiceAccount the Service Account User role.
const saUser = new gcp.projects.IAMBinding(`${config.appName}-sa`, {
  role: "roles/iam.serviceAccountUser",
  members: [gcpServiceAccount.email.apply(email => `serviceAccount:${email}`)]
});

// Grant the ServiceAccount admin permissions inside the Kubernetes cluster.
export const k8sRoleBinding = new k8s.rbac.v1.ClusterRoleBinding(
  "cluster-admin-binding",
  {
    metadata: { name: "cluster-admin-binding" },
    roleRef: {
      apiGroup: "rbac.authorization.k8s.io",
      kind: "ClusterRole",
      name: "cluster-admin"
    },
    subjects: [
      // GKE presents a GCP service account to RBAC as a User named by its email.
      { apiGroup: "rbac.authorization.k8s.io", kind: "User", name: gcpServiceAccount.email }
    ]
  },
  { provider: k8sProvider }
);

// The private key is delivered base64-encoded; decode it into the JSON key-file format.
// Note: exported as a plain stack output, so the key is readable in the stack's state and outputs.
export const clientSecret = gcpServiceAccountKey.privateKey.apply(key =>
  JSON.parse(Buffer.from(key, "base64").toString("ascii"))
);
faint-motherboard-95438
12/03/2018, 11:43 PM
creamy-potato-29402
12/03/2018, 11:47 PM
faint-motherboard-95438
12/03/2018, 11:47 PM
creamy-potato-29402
12/03/2018, 11:48 PM
faint-motherboard-95438
12/04/2018, 5:21 PM
kubeconfig to the k8sProvider, and I’m kind of lost on what I should put in it to authenticate the serviceAccount I use and to whom I have granted the permissions I needed. By default it uses the kubectl active config and if I put
auth-provider:
  config:
    cmd-args: config config-helper --format=json
    cmd-path: gcloud
    expiry-key: '{.credential.token_expiry}'
    token-key: '{.credential.access_token}'
  name: gcp
it uses the gcloud config which is not what I want either.
I can’t find what I should put here and from where... could you help me on this one too?
creamy-potato-29402
12/04/2018, 7:50 PM
gcloud and use that as my k8s identity”
import * as k8s from "@pulumi/kubernetes";
import * as gcp from "@pulumi/gcp";
import { k8sProvider } from "./cluster";
import * as config from "./config";

// The ServiceAccount that will manage Kubernetes resources as part of CI.
export const gcpServiceAccount = new gcp.serviceAccount.Account(`${config.appName}`, {
  accountId: config.appName,
  displayName: "Test CI"
});

// The key that we will place in the Travis CI using `travis encrypt`.
export const gcpServiceAccountKey = new gcp.serviceAccount.Key(config.appName, {
  serviceAccountId: gcpServiceAccount.name
});

// Grants the ServiceAccount the ability to use the gcloud container API.
export const gcpCiRole = new gcp.projects.IAMBinding(config.appName, {
  role: "roles/container.developer",
  members: [gcpServiceAccount.email.apply(email => `serviceAccount:${email}`)]
});

// Grant the ServiceAccount admin permissions inside the Kubernetes cluster.
export const k8sRoleBinding = new k8s.rbac.v1.ClusterRoleBinding(
  "cluster-admin-binding",
  {
    metadata: { name: "cluster-admin-binding" },
    roleRef: {
      apiGroup: "rbac.authorization.k8s.io",
      kind: "ClusterRole",
      name: "cluster-admin"
    },
    subjects: [
      // GKE presents a GCP service account to RBAC as a User named by its email.
      { apiGroup: "rbac.authorization.k8s.io", kind: "User", name: gcpServiceAccount.email }
    ]
  },
  { provider: k8sProvider }
);

// The private key is delivered base64-encoded; decode it into the JSON key-file format.
// Note: exported as a plain stack output, so the key is readable in the stack's state and outputs.
export const clientSecret = gcpServiceAccountKey.privateKey.apply(key =>
  JSON.parse(Buffer.from(key, "base64").toString("ascii"))
);

# Write the key file from the stack output, then switch gcloud to the service account identity.
pulumi stack output clientSecret > client-secret.json
gcloud auth activate-service-account --key-file client-secret.json
faint-motherboard-95438
12/04/2018, 7:59 PM
pulumi up, let it fail to get the clientSecret, auth gcloud manually with the newly created serviceAccount, then re-run pulumi up to finish whatever has failed previously? I would expect to not have to do the manual step
auth-provider method inside the kubeconfig I would be able to configure inside pulumi with whatever is at my disposal to provide the right authentication in the k8sProvider so everything would run in one shot.
creamy-potato-29402
12/04/2018, 8:52 PM
owner in the GCP account. How do you register service accounts and roles for the rest of your org?
owner has to write a pulumi program with all that stuff, which bootstraps those roles.
owner is deploying everything, from the infrastructure up, then you should have no problems because they are already the owner.
faint-motherboard-95438
12/04/2018, 9:03 PM
creamy-potato-29402
12/04/2018, 9:03 PM
faint-motherboard-95438
12/04/2018, 9:05 PM
creamy-potato-29402
12/04/2018, 9:05 PM
owner you should have permission to do everything.
faint-motherboard-95438
12/04/2018, 9:08 PM
creamy-potato-29402
12/04/2018, 9:08 PM