Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve GKE service account posture by aligning with GKE best practices #3571

Merged
merged 1 commit into from
Jan 27, 2025
Merged

Improve GKE service account posture by aligning with GKE best practices #3571

merged 1 commit into from
Jan 27, 2025

Conversation

parulbajaj01
Copy link
Contributor

@parulbajaj01 parulbajaj01 commented Jan 21, 2025
edited by annuay-google
Loading

Changes:

  1. Create separate service accounts for workloads and node-pools in all GKE reference blueprints
  2. Enable workload identity in all GKE reference blueprints

Submission Checklist

NOTE: Community submissions can take up to 2 weeks to be reviewed.

Please take the following actions before submitting this pull request.

  • Fork your PR branch from the Toolkit "develop" branch (not main)
  • Test all changes with pre-commit in a local branch #
  • Confirm that "make tests" passes all tests
  • Add or modify unit tests to cover code changes
  • Ensure that unit test coverage remains above 80%
  • Update all applicable documentation
  • Follow Cluster Toolkit Contribution guidelines #

@parulbajaj01 parulbajaj01 added the release-chore To not include into release notes label Jan 21, 2025
@annuay-google
Copy link
Contributor

Can you also add details of testing done to verify this?

@annuay-google
Copy link
Contributor

Please add the workload identity k8s service account to the cluster output. This improves discoverability

@parulbajaj01
Copy link
Contributor Author

Details of testing done:

  1. Ran the GKE A3 Ultra blueprint. Checked the service accounts created on both sides and their permissions
  2. Followed the instructions present here to verify if we can write to GCS from the pod with the service account
  3. Ran all the GKE integration tests

@annuay-google annuay-google changed the title Add 2 separate service accounts for nodepool and workload in gke blueprints Improve GKE service account posture by aligning with GKE best practices Jan 27, 2025
@annuay-google annuay-google added release-improvements Added to release notes under the "Improvements" heading. and removed release-chore To not include into release notes labels Jan 27, 2025
annuay-google
annuay-google approved these changes Jan 27, 2025
View reviewed changes
Copy link
Contributor

@annuay-google annuay-google left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@parulbajaj01 parulbajaj01 merged commit f286057 into GoogleCloudPlatform:develop Jan 27, 2025
12 of 57 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@annuay-google annuay-google annuay-google approved these changes

Assignees
No one assigned
Labels
release-improvements Added to release notes under the "Improvements" heading.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@parulbajaj01 @annuay-google