Create a service account for nodes if one isn't provided. #2
Comments
@morgante Picking this up. One quick clarification -- I read this as create should create a service account *for the cluster* for use, that is to say that it will have the cluster name in the service account ID. Please let me know if you had something else in mind.
Correct.
On Tue, Dec 18, 2018 at 18:06 Jason Berlinsky <***@***.***> wrote:
@morgante <https://github.com/morgante> Picking this up.
One quick clarification -- I read this as create should create a service
account *for the cluster* for use, that is to say that it will have the
cluster name in the service account ID. Please let me know if you had
something else in mind.
One addendum: I would still like us to do some discovery on why a service account is even required. GCE VMs do not all require service accounts, so it's not clear why the module would break without a service account at all.
Based on https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa, the service account is necessary to enable Stackdriver for monitoring and logging, and pulling images from GCR.
Fixed by #80.
# This is the 1st commit message:
Initial definition of a Safer Cluster module.
# This is the commit message terraform-google-modules#2:
Add a sample for using the safer-cluster module.
# This is the commit message terraform-google-modules#3:
Add a test kitchen instance
# This is the commit message terraform-google-modules#4:
Formatting TF files.
# This is the commit message terraform-google-modules#5:
Add a test for the safer-cluster module
# This is the commit message terraform-google-modules#6:
Additional fixes
…odules/master Merge from master
…odules/master update
…OPS-779 Enable resource labeling option, with an empty default
We need a holistic solution here which permanently removes the dependency on the default service account. Including:

`service_account`, which accepts three values:

a. the email of a custom Service Account,
b. `default-compute` (the default compute service account), or
c. `create` - automatically creates a service account for use.

This top-level service account will be the default for all node pools which don't explicitly provide one.

These flags can optionally be implemented incrementally.
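One way to implement the three-valued `service_account` input described above, together with the least-privilege reasoning from the comment that points at the GKE hardening guide (nodes need to write logs and metrics and pull images from GCR). This is an added example, not the module's code and not what PR #80 merged. The variable names (`service_account`, `name`, `location`, `node_pools`), the `tf-gke-` account ID prefix, and the local names are assumptions. The role list is not on this page either; it is the set the linked hardening guide recommends for node logging, monitoring and GCR pulls, so check the current guide before relying on it.

```hcl
# Added example, not the module's own code: one way to implement the
# three-valued `service_account` input from this issue in Terraform (>= 1.0).
# var.service_account, var.name, var.location, var.node_pools and the
# local names below are assumptions, not the module's real interface.

variable "project_id" { type = string }
variable "location"   { type = string }

variable "name" {
  description = "Cluster name; assumed to be valid inside a service account ID (lowercase letters, digits, hyphens)."
  type        = string
}

variable "service_account" {
  description = "\"create\" (module creates a least-privilege SA), \"default-compute\" (Compute Engine default SA), or the email of an existing SA."
  type        = string
  default     = "create"

  # Reject anything that is not one of the two keywords or an email-shaped string.
  validation {
    condition     = contains(["create", "default-compute"], var.service_account) || can(regex("^[^@\\s]+@[^@\\s]+$", var.service_account))
    error_message = "service_account must be \"create\", \"default-compute\", or a service account email."
  }
}

variable "node_pools" {
  description = "Node pools; a pool may set service_account to override the cluster-level choice."
  type        = list(map(string))
  default     = [{ name = "default-pool" }]
}

data "google_project" "project" {
  project_id = var.project_id
}

locals {
  create_sa = var.service_account == "create"

  # The Compute Engine default service account has a fixed email form.
  default_compute_sa = "${data.google_project.project.number}-compute@developer.gserviceaccount.com"

  # Resolve the cluster-level service account email from the three accepted values.
  cluster_sa_email = (
    local.create_sa ? one(google_service_account.cluster[*].email) :
    var.service_account == "default-compute" ? local.default_compute_sa :
    var.service_account
  )

  # Minimum node roles per the GKE hardening guide linked in this thread (assumed current):
  # write logs and metrics, and read images from GCR, which is backed by a Cloud Storage bucket.
  node_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/storage.objectViewer",
  ]
}

# Created only when service_account == "create"; the ID carries the cluster name.
resource "google_service_account" "cluster" {
  count        = local.create_sa ? 1 : 0
  project      = var.project_id
  account_id   = "tf-gke-${substr(var.name, 0, 23)}" # account_id is limited to 30 characters
  display_name = "Terraform-managed GKE node service account for ${var.name}"
}

# Bind only the node roles, and only when the module created the account.
resource "google_project_iam_member" "cluster_node_roles" {
  for_each = { for r in local.node_roles : r => r if local.create_sa }
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.cluster[0].email}"
}

# Each pool uses its own service_account if set, otherwise the cluster-level one.
resource "google_container_node_pool" "pools" {
  for_each = { for p in var.node_pools : p["name"] => p }
  name     = each.key
  project  = var.project_id
  location = var.location
  cluster  = var.name

  node_config {
    service_account = lookup(each.value, "service_account", local.cluster_sa_email)
    # Authorization comes from the IAM roles above, not from scopes.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

Two caveats on the choices made here. `roles/storage.objectViewer` at project level lets nodes read every bucket in the project, not just the GCR bucket; binding it on the registry bucket instead is tighter if the project holds other data. And `default-compute` is kept only for compatibility: on most projects that account still carries broad project-level privileges, which is exactly the dependency this issue asks to remove, so `create` is the sensible default.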