
feat!: Update least privilege default service account #1844

Merged (3 commits), Jan 16, 2024

Conversation

gorge511 (Contributor)

This update follows changes from #1757 and reverts #1827.

The role roles/container.nodeServiceAccount is now deprecated and is replaced with the new roles/container.defaultNodeServiceAccount role. Unfortunately this is not yet documented in the Google docs.

As the scope of the new role is smaller than the old one, this should be considered a breaking change.

@apeabody (Contributor)

/gcbrun

@apeabody apeabody closed this Jan 16, 2024
@apeabody apeabody reopened this Jan 16, 2024
@apeabody (Contributor)

/gcbrun

@apeabody (Contributor)

/gcbrun

@apeabody (Contributor)

/gcbrun

@apeabody apeabody changed the title feat: Update least privilege default service account feat!: Update least privilege default service account Jan 16, 2024
@apeabody (Contributor)

marked as breaking change per PR comment

@apeabody (Contributor) left a comment

Thanks for the contribution @gorge511!

@apeabody apeabody merged commit c63aa4f into terraform-google-modules:master Jan 16, 2024
4 checks passed
@gorge511 gorge511 deleted the sa_least_priv branch January 20, 2024 16:06
@gorge511 (Contributor, Author)

> Thanks for the contribution @gorge511!

Thanks for accepting my ideas and changes.

@davem-git

how do we update to this from an older version? will it just delete and recreate this without any downtime?

@hSATAC

hSATAC commented Mar 12, 2024

Can anyone confirm is there any downtime of this SA recreation for old clusters upgraded to v30?

@mmorejon (Contributor)

@gorge511, could you share a reference about roles/container.defaultNodeServiceAccount? You mentioned there aren't docs in GCP, but I was looking into the roles directly through the gcloud CLI and I couldn't find anything about it.

@gorge511 (Contributor, Author)

> Can anyone confirm is there any downtime of this SA recreation for old clusters upgraded to v30?

Hi @hSATAC this change is without any downtime.

@gorge511 (Contributor, Author)

> @gorge511, could you share a reference about roles/container.defaultNodeServiceAccount? You mentioned there aren't docs in GCP, but I was looking into the roles directly through the gcloud CLI and I couldn't find anything about it.

Hi @mmorejon, please see #1757 for a bigger discussion of why I did this PR. This is quite a new thing, but you can find the role easily with `gcloud iam roles describe roles/container.defaultNodeServiceAccount` and read all its permissions.

Unfortunately, this is so new that the public docs are not updated yet, but I got a thumbs up for using it from our Google TAM who consulted this with GKE developer team.
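An added example, not part of the PR or the module, for the upgrade question raised above: the new role grants fewer permissions, so before moving a node service account's binding it is worth listing exactly which permissions disappear. The script parses the JSON that `gcloud iam roles describe ROLE --format=json` prints for each role and reports the difference; the embedded role documents are constructed samples in that shape, not the real permission lists of either role.

```python
"""Added check: which permissions does the GKE node service account lose when
its binding moves from the deprecated role to the narrower replacement role?
Input is the JSON printed by `gcloud iam roles describe <role> --format=json`."""
import json
import subprocess
import sys

OLD_ROLE = "roles/container.nodeServiceAccount"          # deprecated
NEW_ROLE = "roles/container.defaultNodeServiceAccount"   # replacement

def describe_role_cmd(role):
    """Argument vector for fetching a role definition as JSON."""
    return ["gcloud", "iam", "roles", "describe", role, "--format=json"]

def fetch_role(role):
    """Run gcloud and parse its output (needs an authenticated gcloud)."""
    proc = subprocess.run(describe_role_cmd(role), check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

def removed_permissions(old_role, new_role):
    """Permissions old_role grants that new_role does not, sorted."""
    old = set(old_role.get("includedPermissions", []))
    new = set(new_role.get("includedPermissions", []))
    return sorted(old - new)

def is_deprecated(role):
    """gcloud reports a retired predefined role through its launch stage."""
    return role.get("stage") == "DEPRECATED"

# Constructed sample documents in gcloud's JSON shape; the permission lists
# are illustrative only and are NOT the real contents of either role.
SAMPLE_OLD = {"name": OLD_ROLE, "stage": "DEPRECATED", "includedPermissions": [
    "logging.logEntries.create", "monitoring.timeSeries.create",
    "storage.objects.get", "storage.objects.list"]}
SAMPLE_NEW = {"name": NEW_ROLE, "stage": "GA", "includedPermissions": [
    "logging.logEntries.create", "monitoring.timeSeries.create"]}

if __name__ == "__main__":
    # `--live` queries gcloud; the default runs against the constructed samples.
    live = "--live" in sys.argv
    old = fetch_role(OLD_ROLE) if live else SAMPLE_OLD
    new = fetch_role(NEW_ROLE) if live else SAMPLE_NEW
    print(f"{old['name']} deprecated: {is_deprecated(old)}")
    for perm in removed_permissions(old, new):
        # Any workload that relied on one of these needs its own binding.
        print(f"  lost after upgrade: {perm}")
```

With `--live` the script needs `gcloud` on PATH and a logged-in account; the lost permissions it prints are the ones to map to workload-specific service accounts before upgrading.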

CPL-markus pushed a commit to WALTER-GROUP/terraform-google-kubernetes-engine that referenced this pull request Jul 15, 2024