gcp/lib: set builder permission instead of editor #1773
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
wg/k8s-infra
size/XS
| @@ -215,7 +215,7 @@ function empower_group_for_gcb() { | |||
| gcloud \ | |||
| projects add-iam-policy-binding "${project}" \ | |||
| --member "group:${group}" \ | |||
| --role roles/cloudbuild.builds.editor | |||
| --role roles/cloudbuild.builds.builder | |||
There was a problem hiding this comment.
I think... that this isn't what we want. This role should be what the cloud build SA uses when it runs a build you trigger. As someone who wants to run builds I'm not sure you need permissions on more than build resources.
There was a problem hiding this comment.
Right, the GCB SA needs access to write to GCR, not the operator.
The operator only needs access to execute the GCB job.
There was a problem hiding this comment.
got it will close this and see other alternatives
/close
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: cpanato The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@cpanato: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The role
roles/cloudbuild.builds.editorlooks like does not have all the necessary permissions to push images from gcb (https://cloud.google.com/build/docs/iam-roles-permissions)the builder role (
roles/cloudbuild.builds.builder) have the permission (storage.buckets.get) to make it able to push the images.I'm not sure if this is the correct way to deal or we add another role just to add the
storage.buckets.getpermission./assign @spiffxp
Fixes: #1772