This document gathers information about test clusters that Prow jobs build. All test clusters are built in the sap-kyma-prow-workloads project.
Kyma developers are gathered in the [email protected] Google Group, which is administered by the Neighbors team. All group permissions are managed in IAM, where the [email protected] group has the kyma_developer role assigned so that its members can access test clusters and VMs in read-only mode.
Previously, you could grant roles only to Google Cloud user accounts or Cloud IAM service accounts. Google Groups for GKE (Beta) now lets you grant roles to the members of a G Suite Google Group. With this mechanism, the users and groups themselves are maintained by your G Suite administrators, entirely outside of Kubernetes and the Cloud Console.
Google Groups let you gather Kyma developer accounts and manage Google Cloud project permissions by group name. Additionally, you can bind Kubernetes Roles and ClusterRoles to a specific Google Group on your cluster by naming that group as a subject in a RoleBinding or ClusterRoleBinding.
For example, all members of the [email protected] group receive the cluster-admin ClusterRole on the Kyma release cluster built by the post-relXX-kyma-release-candidate Prow job.
If you want to leverage this solution, raise an issue with the Neighbors team. The process looks as follows:

- The Neighbors team creates your custom Google Group, such as [email protected], and adds it as a member of [email protected]. This nesting is required: GKE only makes groups that are members of the group passed to `--security-group` available to the cluster's RBAC, so a binding for a group outside it grants nothing.
- You write a test pipeline that builds the cluster with the additional parameter `--security-group="[email protected]"`.
- In the next step of your test pipeline, you create a ClusterRoleBinding for the [email protected] custom group:

  ```bash
  kubectl create clusterrolebinding kyma-developers-group-binding --clusterrole="cluster-admin" --group="[email protected]"
  ```

When you complete all the steps, members of your custom group can access the cluster with elevated privileges. Because membership in the custom group is then equivalent to holding cluster-admin on that cluster, changes to its membership deserve the same scrutiny as granting cluster-admin to an individual account directly.
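The procedure above as a shell script a test pipeline could run, added here as an example; it is not code from the Kyma test-infra repository. It checks that the custom group is nested in the security group before doing anything else, assembles the cluster build command, emits the ClusterRoleBinding as a declarative manifest (so reruns are idempotent), and prints an impersonation check to confirm the binding took effect. All group addresses (the example.com ones), the cluster name and the zone are placeholders, and the membership listing is constructed inline instead of being fetched from Google.

```bash
#!/usr/bin/env bash
# Added example, not code from the Kyma test-infra repository.
# Assumptions: all group addresses, the cluster name and the zone are placeholders.
set -eu

# The group handed to `gcloud ... --security-group`; only groups nested under it are
# visible to the cluster's RBAC, which is why the first step above nests the custom group.
SECURITY_GROUP="${SECURITY_GROUP:-gke-security-groups@example.com}"

# Step 2: the cluster build command with Google Groups for GKE enabled.
# $1 = cluster name, $2 = zone
cluster_create_cmd() {
  printf 'gcloud container clusters create %s --zone %s --security-group=%s\n' \
    "$1" "$2" "$SECURITY_GROUP"
}

# Precondition for step 3: refuse to bind a group that is not a member of the
# security group, because GKE would never present it and the binding would grant
# nothing. Reads one member address per line on stdin, as produced by
# `gcloud identity groups memberships list --group-email="$SECURITY_GROUP"`.
group_is_nested() {
  grep -qxF "$1"
}

# Step 3 in declarative form: `kubectl apply -f` of this manifest is idempotent,
# whereas `kubectl create clusterrolebinding` fails when a pipeline reruns against
# a cluster that already has the binding.
# $1 = binding name, $2 = ClusterRole, $3 = group address
binding_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: $3
EOF
}

# Post-check: impersonate a member of the group and ask whether it may do everything.
# The caller running this needs the `impersonate` verb on users and groups.
verify_cmd() {
  printf "kubectl auth can-i '*' '*' --as=member@example.com --as-group=%s\n" "$1"
}

# Constructed stand-in for the membership listing of SECURITY_GROUP.
sample_members() {
  printf '%s\n' kyma-developers@example.com kyma-my-team@example.com
}

main() {
  group="${1:-kyma-my-team@example.com}"
  if ! sample_members | group_is_nested "$group"; then
    echo "refusing: $group is not a member of $SECURITY_GROUP" >&2
    return 1
  fi
  cluster_create_cmd kyma-test-cluster europe-west1-b
  binding_manifest "${group%%@*}-binding" cluster-admin "$group"
  verify_cmd "$group"
}

main "${1:-}"
```

Run it with the custom group as the only argument; it prints the three commands and the manifest instead of executing them, so you can review exactly what the pipeline would apply. Pipe the real `gcloud identity groups memberships list` output into `group_is_nested` in place of `sample_members` to make the precondition check live.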