Add service account to k8s-infra-ii-coop

[bernokl]

I think this should also use ensure_service_account from lib_iam.sh, but I am unsure where to call it from

[k8s-ci-robot]

Hi @bernokl. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ameukam]

@bernokl I'm not sure to understand why you need to add this SA to this google group. What is the particularity of this SA ?

[bernokl]

@ameukam it will be our reporting user that is intended to run the asn-ip-lookup job on prow. Is there a more appropriate way for a job runner to get permissions to the logs?

[spiffxp]

I would rather we keep service accounts out of groups. I can't recall the specific example right now, but it doesn't always work. I removed all previous SA memberships in #2010, specifically 9ebc221

Bind the service account directly to what is needed

[ameukam]

@bernokl My suggestion would be look at https://cloud.google.com/iam/docs/understanding-roles to identity what permissions you need for this SA and add the binding as a Terraform code in https://github.com/kubernetes/k8s.io/tree/main/infra/gcp/clusters/projects/k8s-infra-ii-sandbox.

Ultimately, every resource used to do PII analysis will be moved to https://github.com/kubernetes/k8s.io/tree/main/infra/gcp/clusters/projects/k8s-infra-public-pii. See : #1968.

[ameukam]

I think this should also use ensure_service_account from lib_iam.sh, but I am unsure where to call it from

You can directly create the Service Account with Terraform here : https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/clusters/projects/k8s-infra-ii-sandbox/main.tf

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bernokl
To complete the pull request process, please assign spiffxp after the PR has been reviewed.
You can assign the PR to them by writing /assign @spiffxp in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• infra/gcp/clusters/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bernokl]

I changed the pr to create the SA and bind-role in permissions.tf, if needed I can move it to main.tf as suggested above.

The project for the role will potentially need to be kubernetes.io but need some guidance.
The logs this SA would currently consume will be in gs://k8s-artifacts-gcslogs/ ideally it pulls from k8s-infra-public-pii, but I think that is only staging data right now.

[spiffxp]

/test pull-k8sio-verify

[spiffxp]

/ok-to-test

[spiffxp]

question and some naming nits

[spiffxp]

Suggested change

	resource "google_service_account" "ii-logs-sa@k8s-infra-ii-sandbox.iam.gserviceaccount.com" {
	account_id = "ii-logs-sa-id"
	resource "google_service_account" "ii_logs_sa" {
	account_id = "ii-logs"

[spiffxp]

Suggested change

	description = "service-account-to-facilitate-ii-log-analysis"
	description = "service account to facilitate log analysis by ii"

[spiffxp]

Suggested change

	"user:ii-logs-sa@k8s-infra-ii-sandbox.iam.gserviceaccount.com",
	"user:ii-logs@k8s-infra-ii-sandbox.iam.gserviceaccount.com",

[spiffxp]

From https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam

google_project_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.

Are you sure you want this behavior? It means nobody else gets roles/storage.objectViewer in this project except the service account.

What you might want instead want is to say "this service account should get this role, regardless of who else has the role"

Which would be

Suggested change

	resource "google_project_iam_binding" "k8s-infra-ii-sandbox" {
	resource "google_project_iam_member" "k8s-infra-ii-sandbox" {

[spiffxp]

(earlier review was meant to be "request changes")

[k8s-ci-robot]

@bernokl: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Rerun command
pull-k8sio-terraform-prow-build-trusted	8fb21ed	link	/test pull-k8sio-terraform-prow-build-trusted
pull-k8sio-terraform-prow-build	8fb21ed	link	/test pull-k8sio-terraform-prow-build
pull-k8sio-terraform-kubernetes-public	8fb21ed	link	/test pull-k8sio-terraform-kubernetes-public

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[riaankleinhans]

/close

[k8s-ci-robot]

@Riaankl: Closed this PR.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.