Skip to content

Improve GKE service account posture by aligning with GKE best practices#3571

Merged
parulbajaj01 merged 1 commit into
GoogleCloudPlatform:developfrom
parulbajaj01:gke-sa-account
Jan 27, 2025
Merged

Improve GKE service account posture by aligning with GKE best practices#3571
parulbajaj01 merged 1 commit into
GoogleCloudPlatform:developfrom
parulbajaj01:gke-sa-account

Conversation

@parulbajaj01

@parulbajaj01 parulbajaj01 commented Jan 21, 2025
edited by annuay-google
Loading

Copy link
Copy Markdown
Contributor

Changes:

  1. Create separate service accounts for workloads and node-pools in all GKE reference blueprints
  2. Enable workload identity in all GKE reference blueprints

Submission Checklist

NOTE: Community submissions can take up to 2 weeks to be reviewed.

Please take the following actions before submitting this pull request.

  • Fork your PR branch from the Toolkit "develop" branch (not main)
  • Test all changes with pre-commit in a local branch #
  • Confirm that "make tests" passes all tests
  • Add or modify unit tests to cover code changes
  • Ensure that unit test coverage remains above 80%
  • Update all applicable documentation
  • Follow Cluster Toolkit Contribution guidelines #

@parulbajaj01 parulbajaj01 added the release-chore To not include into release notes label Jan 21, 2025
@annuay-google

annuay-google commented Jan 22, 2025

Copy link
Copy Markdown
Contributor

Can you also add details of testing done to verify this?

@annuay-google

annuay-google commented Jan 22, 2025

Copy link
Copy Markdown
Contributor

Please add the workload identity k8s service account to the cluster output. This improves discoverability

@parulbajaj01

parulbajaj01 commented Jan 24, 2025

Copy link
Copy Markdown
Contributor Author

Details of testing done:

  1. Ran the GKE A3 Ultra blueprint. Checked the service accounts created on both sides and their permissions
  2. Followed the instructions present here to verify if we can write to GCS from the pod with the service account
  3. Ran all the GKE integration tests

@annuay-google annuay-google changed the title Add 2 separate service accounts for nodepool and workload in gke blueprints Improve GKE service account posture by aligning with GKE best practices Jan 27, 2025
@annuay-google annuay-google added release-improvements Added to release notes under the "Improvements" heading. and removed release-chore To not include into release notes labels Jan 27, 2025
annuay-google
annuay-google approved these changes Jan 27, 2025
View reviewed changes

@annuay-google annuay-google left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@parulbajaj01 parulbajaj01 merged commit f286057 into GoogleCloudPlatform:develop Jan 27, 2025
@abbas1902 abbas1902 mentioned this pull request Feb 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@annuay-google annuay-google annuay-google approved these changes

Assignees

No one assigned

Labels

release-improvements Added to release notes under the "Improvements" heading.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@parulbajaj01 @annuay-google