diff --git a/cert-manager/cert-manager/v3/kustomization.yaml b/cert-manager/cert-manager/v3/kustomization.yaml index 977f3a3e2..61c4a9f8b 100644 --- a/cert-manager/cert-manager/v3/kustomization.yaml +++ b/cert-manager/cert-manager/v3/kustomization.yaml @@ -5,4 +5,5 @@ commonLabels: kind: Kustomization namespace: cert-manager resources: +- ../base - ../overlays/application/application.yaml diff --git a/experimental/mirror-images/gcp_template.yaml b/experimental/mirror-images/gcp_template.yaml index d19b1582c..87d083d45 100644 --- a/experimental/mirror-images/gcp_template.yaml +++ b/experimental/mirror-images/gcp_template.yaml @@ -5,5 +5,6 @@ spec: - src: exclude: gcr.io # change to the gcr registry as image replication destination - dest: + dest: gcr.io/gcp-private-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"gcp-private-dev"}]}} + # Use the existing public context context: gs://kubeflow-examples/image-replicate/replicate-context.tar.gz diff --git a/gcp/v2/asm/istio-operator.yaml b/gcp/v2/asm/istio-operator.yaml index 90c7811f6..c9f452173 100644 --- a/gcp/v2/asm/istio-operator.yaml +++ b/gcp/v2/asm/istio-operator.yaml @@ -15,7 +15,7 @@ apiVersion: install.istio.io/v1alpha2 kind: IstioControlPlane metadata: - clusterName: "jlewi-dev/us-central1/kf-bp-0420-002" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"name","value":"kf-bp-0420-002"},{"name":"location","value":"us-central1"}]}} + clusterName: "project-id/us-central1/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}} spec: profile: asm hub: gcr.io/gke-release/asm 
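Review bot: In experimental/mirror-images/gcp_template.yaml the new `dest:` line makes `gcr.io/gcp-private-dev` the default value of the `gcloud.core.project` partial setter, while the rest of this commit replaces environment-specific names with the neutral `project-id`. If the setter is not run before the template is applied, image replication would presumably target that named registry rather than the user's own, and nothing in the file signals that the value is only a sample. A neutral default, `dest: gcr.io/project-id` with `"value":"project-id"` in the setter comment, would match the other files and fail more visibly when left unset.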
@@ -25,14 +25,14 @@ spec:
 istio-ingressgateway:
 type: NodePort
 global:
- meshID: "jlewi-dev_us-central1_kf-bp-0420-002" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"name","value":"kf-bp-0420-002"},{"name":"location","value":"us-central1"}]}}
- trustDomain: "jlewi-dev.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+ meshID: "project-id_us-central1_name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}}
+ trustDomain: "project-id.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}}
 sds:
 token:
- aud: "jlewi-dev.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+ aud: "project-id.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}}
 proxy:
 env:
- GCP_METADATA: "jlewi-dev|147474701642|asm-cluster|us-central1-c" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"gcloud.project.projectNumber","value":"147474701642"},{"name":"name","value":"asm-cluster"},{"name":"gcloud.compute.zone","value":"us-central1-c"}]}}
+ GCP_METADATA: "project-id|147474701642|name|us-central1-c" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"gcloud.project.projectNumber","value":"147474701642"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-central1-c"}]}}
 nodeagent:
 env:
- GKE_CLUSTER_URL: "https://container.googleapis.com/v1/projects/jlewi-dev/locations/us-central1/clusters/kf-bp-0420-002" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"name","value":"kf-bp-0420-002"},{"name":"location","value":"us-central1"}]}}
+ GKE_CLUSTER_URL: "https://container.googleapis.com/v1/projects/project-id/locations/us-central1/clusters/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}}
diff --git a/gcp/v2/cnrm/cluster/cluster.yaml b/gcp/v2/cnrm/cluster/cluster.yaml
index e725dce69..2e576f96e 100644
--- a/gcp/v2/cnrm/cluster/cluster.yaml
+++ b/gcp/v2/cnrm/cluster/cluster.yaml
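Review bot: The new `GCP_METADATA` line in gcp/v2/asm/istio-operator.yaml still carries the project number `147474701642`, both in the value and in the `gcloud.project.projectNumber` setter, although the project id beside it was scrubbed to `project-id`. A project number identifies one specific project, so a deployment that sets only the project id would ship mesh metadata that mixes two projects. A labelled placeholder would be safer, for example `GCP_METADATA: "project-id|project-number|name|us-central1-c"` with `"value":"project-number"` in the setter comment. Separately, the `trustDomain` and `aud` setter comments have no `"setBy":"kpt"` entry, unlike `meshID` and `GKE_CLUSTER_URL`; since these two fields define the workload identity trust boundary, it is worth confirming they are really rewritten together with the project id.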
@@ -17,10 +17,10 @@
 apiVersion: container.cnrm.cloud.google.com/v1beta1
 kind: ContainerCluster
 metadata:
- clusterName: "project-id/us-east1-d/kf-name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"kf-name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
+ clusterName: "project-id/us-east1-d/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
 labels:
- mesh_id: "project-id_us-east1-d_kf-name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"kf-name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
- name: kf-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"kf-name"}}}
+ mesh_id: "project-id_us-east1-d_name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
+ name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
 initialNodeCount: 2
 clusterAutoscaling:
@@ -31,7 +31,7 @@ spec:
 - https://www.googleapis.com/auth/monitoring
 - https://www.googleapis.com/auth/devstorage.read_only
 serviceAccountRef:
- name: kf-name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"kf-name"}]}}
+ name: name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"name"}]}}
 resourceLimits:
 - resourceType: cpu
 maximum: 128
@@ -51,10 +51,10 @@ spec:
 metadata:
 disable-legacy-endpoints: "true"
 oauthScopes:
- - https://www.googleapis.com/auth/logging.write
- - https://www.googleapis.com/auth/monitoring
- - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring
+ - https://www.googleapis.com/auth/devstorage.read_only
 serviceAccountRef:
- name: kf-name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"kf-name"}]}}
+ name: name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"name"}]}}
 workloadMetadataConfig:
 nodeMetadata: GKE_METADATA_SERVER
diff --git a/gcp/v2/cnrm/cluster/kf-vm-policy.yaml b/gcp/v2/cnrm/cluster/kf-vm-policy.yaml
index a2c959431..c5537aa1f 100644
--- a/gcp/v2/cnrm/cluster/kf-vm-policy.yaml
+++ b/gcp/v2/cnrm/cluster/kf-vm-policy.yaml
@@ -1,9 +1,9 @@
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
- name: kf-name-vm-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+ name: name-vm-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
- member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+ member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
 role: roles/logging.logWriter
 resourceRef:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@@ -13,9 +13,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-vm-policy-monitoring # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-vm-policy-monitoring # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/monitoring.metricWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -25,9 +25,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-vm-policy-meshtelemetry # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-vm-policy-meshtelemetry # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/meshtelemetry.reporter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -37,9 +37,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-vm-policy-cloudtrace # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-vm-policy-cloudtrace # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/cloudtrace.agent resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -49,9 +49,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-vm-policy-monitoring-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-vm-policy-monitoring-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/monitoring.viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -61,9 +61,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-vm-policy-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-vm-policy-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/storage.objectViewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 diff --git a/gcp/v2/cnrm/cluster/kf-vm-sa.yaml b/gcp/v2/cnrm/cluster/kf-vm-sa.yaml index 9d29a555d..f0a909b3c 100644 --- a/gcp/v2/cnrm/cluster/kf-vm-sa.yaml +++ b/gcp/v2/cnrm/cluster/kf-vm-sa.yaml @@ -15,7 +15,7 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: kf-name-vm # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-vm # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} namespace: "project-id" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"project-id"}}} spec: displayName: kubeflow vm service account diff --git a/gcp/v2/cnrm/cluster/nodepool.yaml b/gcp/v2/cnrm/cluster/nodepool.yaml index 949900a7b..51409ce4d 100644 --- a/gcp/v2/cnrm/cluster/nodepool.yaml +++ b/gcp/v2/cnrm/cluster/nodepool.yaml 
@@ -15,8 +15,8 @@
 apiVersion: container.cnrm.cloud.google.com/v1beta1
 kind: ContainerNodePool
 metadata:
- clusterName: "project-id/us-east1-d/kf-name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"kf-name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
- name: kf-name-cpu-pool-v1 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+ clusterName: "project-id/us-east1-d/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
+ name: name-cpu-pool-v1 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 namespace: "project-id" # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.core.project","value":"project-id"}}}
 spec:
 initialNodeCount: 2
@@ -29,8 +29,8 @@ spec:
 metadata:
 disable-legacy-endpoints: "true"
 serviceAccountRef:
- name: kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+ name: name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
 workloadMetadataConfig:
 nodeMetadata: GKE_METADATA_SERVER
 clusterRef:
- name: kf-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"kf-name"}}}
+ name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
diff --git a/gcp/v2/cnrm/iam/kf-admin-policy.yaml b/gcp/v2/cnrm/iam/kf-admin-policy.yaml
index 618440d9f..b391e5b9d 100644
--- a/gcp/v2/cnrm/iam/kf-admin-policy.yaml
+++ b/gcp/v2/cnrm/iam/kf-admin-policy.yaml
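Review bot: In the second hunk of gcp/v2/cnrm/cluster/nodepool.yaml, `serviceAccountRef.name` is the full e-mail `name-vm@project-id.iam.gserviceaccount.com`, whereas cluster.yaml in this same commit uses `name: name-vm` and kf-vm-sa.yaml names the IAMServiceAccount resource `name-vm`. If `name` is resolved as a resource name here, as it appears to be in cluster.yaml, the e-mail form will not match that resource. It is worth confirming that the pool still runs under the intended restricted node service account rather than failing to resolve it. Using `name: name-vm` (keeping the `name` partial setter), or an `external:` reference if the e-mail form is intended, would remove the ambiguity. The node pool spec continues outside this hunk, so other fields that interact with this reference are not visible here.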
@@ -1,9 +1,9 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/source.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -13,9 +13,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-servicemanagement # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-servicemanagement # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/servicemanagement.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -25,9 +25,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-network # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-network # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/compute.networkAdmin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -37,9 +37,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/cloudbuild.builds.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -49,9 +49,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -61,9 +61,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/storage.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -73,9 +73,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/bigquery.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -85,9 +85,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/dataflow.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -97,9 +97,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/ml.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -109,9 +109,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/dataproc.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -121,9 +121,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/cloudsql.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -133,9 +133,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/logging.logWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -145,9 +145,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/monitoring.metricWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -157,9 +157,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-admin-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/monitoring.viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 diff --git a/gcp/v2/cnrm/iam/kf-admin-sa.yaml b/gcp/v2/cnrm/iam/kf-admin-sa.yaml index 52339f120..bab202b32 100644 
--- a/gcp/v2/cnrm/iam/kf-admin-sa.yaml +++ b/gcp/v2/cnrm/iam/kf-admin-sa.yaml @@ -15,7 +15,7 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: kf-name-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} namespace: "project-id" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"project-id"}}} spec: displayName: kubeflow admin service account diff --git a/gcp/v2/cnrm/iam/kf-user-policy.yaml b/gcp/v2/cnrm/iam/kf-user-policy.yaml index a7aec5975..f89fe4ec1 100644 --- a/gcp/v2/cnrm/iam/kf-user-policy.yaml +++ b/gcp/v2/cnrm/iam/kf-user-policy.yaml @@ -1,9 +1,9 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/cloudbuild.builds.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -13,9 +13,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -25,9 +25,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/source.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -37,9 +37,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/storage.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -49,9 +49,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/bigquery.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -61,9 +61,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/dataflow.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -73,9 +73,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/ml.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -85,9 +85,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/dataproc.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -97,9 +97,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/cloudsql.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -109,9 +109,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/logging.logWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 @@ -121,9 +121,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/monitoring.metricWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 
@@ -133,9 +133,9 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: kf-name-user-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: - member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}} + member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} role: roles/monitoring.viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 diff --git a/gcp/v2/cnrm/iam/kf-user-sa.yaml b/gcp/v2/cnrm/iam/kf-user-sa.yaml index 6b3985e1b..79d706e16 100644 --- a/gcp/v2/cnrm/iam/kf-user-sa.yaml +++ b/gcp/v2/cnrm/iam/kf-user-sa.yaml @@ -15,7 +15,7 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: kf-name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} namespace: "project-id" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"project-id"}}} spec: displayName: kubeflow user service account diff --git a/gcp/v2/cnrm/ingress/compute-address.yaml b/gcp/v2/cnrm/ingress/compute-address.yaml index 862854dbe..d474c2253 100644 --- a/gcp/v2/cnrm/ingress/compute-address.yaml +++ b/gcp/v2/cnrm/ingress/compute-address.yaml 
@@ -1,7 +1,7 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeAddress metadata: - name: kf-name-ip # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-ip # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} labels: label-one: "value-one" spec: diff --git a/gcp/v2/cnrm/kustomization.yaml b/gcp/v2/cnrm/kustomization.yaml index df1ca4c84..7724bc183 100644 --- a/gcp/v2/cnrm/kustomization.yaml +++ b/gcp/v2/cnrm/kustomization.yaml @@ -5,4 +5,4 @@ resources: - cluster - ingress - iam -- pipelines \ No newline at end of file +- pipelines diff --git a/gcp/v2/cnrm/pipelines/disk.yaml b/gcp/v2/cnrm/pipelines/disk.yaml index 3a7cef741..16839cc0c 100644 --- a/gcp/v2/cnrm/pipelines/disk.yaml +++ b/gcp/v2/cnrm/pipelines/disk.yaml @@ -1,7 +1,7 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeDisk metadata: - name: kf-name-storage-metadata-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-storage-metadata-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: location: us-east1-d # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.compute.zone","value":"us-east1-d"}}} size: 20 @@ -9,7 +9,7 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeDisk metadata: - name: kf-name-storage-artifact-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}} + name: name-storage-artifact-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} spec: location: us-east1-d # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.compute.zone","value":"us-east1-d"}}} size: 200 
diff --git a/gcp/v2/management/cluster/cluster.yaml b/gcp/v2/management/cluster/cluster.yaml index 1815f7246..32c31be8c 100644 --- a/gcp/v2/management/cluster/cluster.yaml +++ b/gcp/v2/management/cluster/cluster.yaml @@ -12,7 +12,7 @@ spec: {} apiVersion: container.cnrm.cloud.google.com/v1alpha2 kind: ContainerCluster metadata: - name: cluster-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"cluster-name"}}} + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: # Use a regional cluster. Regional offer higher availability and the cluster management fee is the same. location: us-central1-f diff --git a/gcp/v2/management/cluster/nodepool.yaml b/gcp/v2/management/cluster/nodepool.yaml index e9a0bb65d..6118ddad7 100644 --- a/gcp/v2/management/cluster/nodepool.yaml +++ b/gcp/v2/management/cluster/nodepool.yaml @@ -1,8 +1,8 @@ apiVersion: container.cnrm.cloud.google.com/v1alpha2 kind: ContainerNodePool metadata: - clusterName: "project-id/us-central1-f/cluster-name" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"cluster-name"},{"name":"location","value":"us-central1-f"}]}} - name: cluster-name-pool # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"cluster-name"},{"name":"location","value":"us-central1-f"}]}} + clusterName: "project-id/us-central1-f/name" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1-f"}]}} + name: name-pool # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1-f"}]}} spec: autoscaling: minNodeCount: 1 
@@ -25,4 +25,4 @@ spec: autoRepair: true autoUpgrade: true clusterRef: - name: cluster-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"cluster-name"}}} + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} diff --git a/gcp/v2/privateGKE/README.md b/gcp/v2/privateGKE/README.md new file mode 100644 index 000000000..514d7d462 --- /dev/null +++ b/gcp/v2/privateGKE/README.md @@ -0,0 +1,4 @@ +# Private GKE Resoruces + +* This directory contains CNRM patches and resource definitions in order + to deploy Kubeflow on private GKE. \ No newline at end of file diff --git a/gcp/v2/privateGKE/cluster-private-patch.yaml b/gcp/v2/privateGKE/cluster-private-patch.yaml new file mode 100644 index 000000000..b27629002 --- /dev/null +++ b/gcp/v2/privateGKE/cluster-private-patch.yaml 
@@ -0,0 +1,39 @@ +# A patch to use private GKE clusters +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerCluster +metadata: + clusterName: "project-id/us-central1/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}} + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} +spec: + # https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.PrivateClusterConfig + # This is the least secure config because it allows access to master from all public IPs. + # For alternative options see the above link. + privateClusterConfig: + enablePrivateNodes: true + # We set enablePrivateEndpoint to false because we want a publicly accessible endpoint. + enablePrivateEndpoint: false + # Keep this in sync with the range specified in the allow-egress to master firewall rule. + masterIpv4CidrBlock: 172.16.0.32/28 + # + # TODO(https://github.com/kubeflow/gcp-blueprints/issues/32): Following options don't appear to be supported in CNRM; will private GKE work + # without them? + ipAllocationPolicy: + # Make the cluster VPC Native + useIpAliases: true + createSubnetwork: false + # TODO(jlewi): https://github.com/kubeflow/gcp-blueprints/issues/32 the following fields + # Automatic creation of the subnetwork and its secondary ranges doesn't seem to be possible + # with CNRM. We have an explicit CNRM resource for the subnetwork which we reference + # in subnetworkRef. The names for the secondary resources listed here should map to those + # resources. 
+ clusterSecondaryRangeName: pods + servicesSecondaryRangeName: services + # TODO(jlewi): https://github.com/kubeflow/gcp-blueprints/issues/32 the following fields + # don't seem to be included in CNRM 1.9.1 + #createSubnetwork: true + #subnetworkName: gcp-private-0527 # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"gcp-private-0527"}}} + # Create the clsuter in the private network we created. + networkRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + subnetworkRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} diff --git a/gcp/v2/privateGKE/compute-network.yaml b/gcp/v2/privateGKE/compute-network.yaml index b6f5d5d99..0ae812ebf 100644 --- a/gcp/v2/privateGKE/compute-network.yaml +++ b/gcp/v2/privateGKE/compute-network.yaml @@ -1,7 +1,7 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeNetwork metadata: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: routingMode: GLOBAL autoCreateSubnetworks: false 
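Review bot: `enablePrivateEndpoint: false` in the new cluster-private-patch.yaml is not paired with any restriction on who may reach the control-plane endpoint, and the patch's own comment says this allows access to the master from all public IPs. If a public endpoint is needed, the spec should also carry a `masterAuthorizedNetworksConfig` block whose `cidrBlocks` list names the admin ranges, assuming the CNRM version in use accepts that field (the TODOs here note that some options are not supported). The header comment `# A patch to use private GKE clusters` would be more accurate as `# A patch for private nodes; the control-plane endpoint stays public unless authorized networks are set`. The `masterIpv4CidrBlock` literal `172.16.0.32/28` is duplicated in firewall.yaml, so a comment naming every rule that must change with it would help keep the two in step.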
@@ -10,23 +10,23 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: - name: priv-cluster-01 + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: ipCidrRange: 10.10.10.0/24 - region: us-central1 + region: us-central1 # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.compute.region","value":"us-central1"}}} description: kubeflow private subnet privateIpGoogleAccess: true networkRef: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} logConfig: aggregationInterval: INTERVAL_10_MIN flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA secondaryIpRange: - - ipCidrRange: 10.10.11.0/24 - rangeName: services - - ipCidrRange: 10.1.0.0/16 - rangeName: pods + - ipCidrRange: 10.10.11.0/24 + rangeName: services + - ipCidrRange: 10.1.0.0/16 + rangeName: pods --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRoute @@ -35,5 +35,5 @@ metadata: spec: destRange: 199.36.153.4/30 networkRef: - name: gke-no-internet-network - nextHopGateway: default-internet-gateway \ No newline at end of file + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + nextHopGateway: default-internet-gateway diff --git a/gcp/v2/privateGKE/dns-gcr.yaml b/gcp/v2/privateGKE/dns-gcr.yaml index d47b3d351..082227ebf 100644 --- a/gcp/v2/privateGKE/dns-gcr.yaml +++ b/gcp/v2/privateGKE/dns-gcr.yaml @@ -8,8 +8,8 @@ spec: visibility: private privateVisibilityConfig: networks: - - networkRef: - name: gke-no-internet-network + - networkRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet @@ -22,7 +22,7 @@ spec: managedZoneRef: name: gcr-io rrdatas: - - "gcr.io." + - "gcr.io." --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet 
@@ -35,7 +35,7 @@ spec: managedZoneRef: name: gcr-io rrdatas: - - "199.36.153.4" - - "199.36.153.5" - - "199.36.153.6" - - "199.36.153.7" + - "199.36.153.4" + - "199.36.153.5" + - "199.36.153.6" + - "199.36.153.7" diff --git a/gcp/v2/privateGKE/dns-google-apis.yaml b/gcp/v2/privateGKE/dns-google-apis.yaml index fa22536b4..dc48da002 100644 --- a/gcp/v2/privateGKE/dns-google-apis.yaml +++ b/gcp/v2/privateGKE/dns-google-apis.yaml @@ -8,8 +8,8 @@ spec: visibility: private privateVisibilityConfig: networks: - - networkRef: - name: gke-no-internet-network + - networkRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet @@ -22,7 +22,7 @@ spec: managedZoneRef: name: google-apis rrdatas: - - "restricted.googleapis.com." + - "restricted.googleapis.com." --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet @@ -35,7 +35,7 @@ spec: managedZoneRef: name: google-apis rrdatas: - - "199.36.153.4" - - "199.36.153.5" - - "199.36.153.6" - - "199.36.153.7" \ No newline at end of file + - "199.36.153.4" + - "199.36.153.5" + - "199.36.153.6" + - "199.36.153.7" diff --git a/gcp/v2/privateGKE/enable-services.yaml b/gcp/v2/privateGKE/enable-services.yaml new file mode 100644 index 000000000..1689e2d2f --- /dev/null +++ b/gcp/v2/privateGKE/enable-services.yaml @@ -0,0 +1,10 @@ +# Enable additional services needed when using cloud DNS +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + annotations: + # use the deletion policy of abandon to ensure that the pubsub service remains enabled when this resource is deleted. + cnrm.cloud.google.com/deletion-policy: "abandon" + # this is unnecessary with the deletion-policy of 'abandon', but useful if the abandon policy is removed. + cnrm.cloud.google.com/disable-dependent-services: "false" + name: dns.googleapis.com 
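Review bot: The deletion-policy comment in the new enable-services.yaml refers to "the pubsub service", but the resource enables `dns.googleapis.com`, so it appears to have been copied from another manifest. Suggested wording: `# use the deletion policy of abandon so the Cloud DNS API remains enabled when this resource is deleted.` With `abandon` set, removing this manifest does not disable the API, which is worth stating for anyone who expects teardown to shrink the enabled API surface.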
diff --git a/gcp/v2/privateGKE/firewall.yaml b/gcp/v2/privateGKE/firewall.yaml index d2948c7b1..42b44e0db 100644 --- a/gcp/v2/privateGKE/firewall.yaml +++ b/gcp/v2/privateGKE/firewall.yaml 
@@ -1,95 +1,202 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: deny-egress + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: + description: "Deny all internet traffic by default" deny: - - protocol: tcp - ports: - - "0-65535" + - protocol: tcp + ports: + - "0-65535" destinationRanges: - - 0.0.0.0/0 + - 0.0.0.0/0 direction: EGRESS priority: 1100 networkRef: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: allow-healthcheck-ingress + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: + description: "Allow health check ingress" allow: - - protocol: tcp - ports: - - "80" - - "443" + - protocol: tcp + ports: + - "80" + - "443" + # Prober address for health checks: + # https://cloud.google.com/load-balancing/docs/health-checks sourceRanges: - - 130.211.0.0/22 - - 35.191.0.0/16 + - 130.211.0.0/22 + - 35.191.0.0/16 direction: INGRESS networkRef: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: allow-healthcheck-egress + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: + description: "Allow health check egress" allow: - - protocol: tcp - ports: - - "80" - - "443" + - protocol: tcp + ports: + - "80" + - "443" + # Prober address for health checks: + # 
https://cloud.google.com/load-balancing/docs/health-checks destinationRanges: - - 130.211.0.0/22 - - 35.191.0.0/16 + - 130.211.0.0/22 + - 35.191.0.0/16 direction: EGRESS networkRef: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: allow-google-apis-egress + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: + description: "Allow egress to google APIs" allow: - - protocol: tcp - ports: - - "0-65535" + - protocol: tcp + ports: + - "0-65535" destinationRanges: - - 199.36.153.4/30 + - 199.36.153.4/30 direction: EGRESS networkRef: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: allow-master-node-egress + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: + description: "Allow master node egress" allow: - - protocol: tcp - ports: - - "443" - - "10250" + - protocol: tcp + ports: + - "443" + - "10250" destinationRanges: - - 172.16.0.0/28 + # Keep this in sync with the masterCidrBlock specified in cluster-private-patch.yaml + - 172.16.0.32/28 + # TODO(jlewi): This was a bit of a hack to try to fix failing health checks during cluster + # provisioning. I was seeing packets get blocket. 
+ #- 172.217.0.0/28 + direction: EGRESS networkRef: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: allow-internal-egress + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} spec: + description: "Allow traffic to internal ips" allow: - - protocol: tcp - ports: - - "0-65535" + - protocol: tcp + ports: + - "0-65535" destinationRanges: - - 10.0.0.0/8 + - 10.0.0.0/8 + # This rule is needed to ensure that any K8s services running within the cluster are accessible + - 192.168.0.0/16 direction: EGRESS networkRef: - name: gke-no-internet-network + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} +--- +# Per https://istio.io/docs/setup/platform-setup/gke/ +# GKE will not automatically create a rule allowing traffic to the istio side car +# webhook ports so we need to add that. +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeFirewall +metadata: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} +spec: + allow: + - protocol: tcp + ports: + # In ASM 1.4 the port is 9443. Starting in ASM 1.5 the port is 15017 + - "15017" + - "9443" + sourceRanges: + - 172.16.0.32/28 + direction: INGRESS + networkRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} +--- +# Allow traffic to DockerHub so we can pull docker images. 
+# +# IP addresses can be obtained by running +# 1. nslookup index.dockerhub.io +# 2. nslookup dockerhub.io +# 3. nslookup registry-1.docker.io +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeFirewall +metadata: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} +spec: + description: "Allow egress to dockerhub and quay.io" + allow: + - protocol: tcp + ports: + - "443" + - "80" + destinationRanges: + # Keep this in sync with the masterCidrBlock specified in cluster-private-patch.yaml + - "3.211.199.249" + - "18.232.227.119" + - "18.213.137.78" + - "23.22.155.84" + - "23.202.231.169" + - "23.217.138.110" + - "52.54.232.21" + - "52.72.232.213" + - "54.85.107.53" + - "54.236.131.166" + - "107.23.149.57" + - "217.70.184.38" + # production.cloudfare.docker.com + - "104.18.121.25" + - "104.18.122.25" + - "104.18.123.25" + - "104.18.124.25" + - "104.18.125.25" + # quay.io + - "3.218.162.19" + - "18.205.55.240" + - "52.202.225.67" + - "54.84.167.150" + - "13.227.47.39" + - "13.227.47.84" + - "13.227.47.105" + # cdn.quay.io + - "13.35.101.24" + - "13.35.101.91" + - "13.35.101.101" + - "13.35.101.104" + direction: EGRESS + networkRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + # Enable logging to help debugging + enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}} diff --git a/gcp/v2/privateGKE/kustomization.yaml b/gcp/v2/privateGKE/kustomization.yaml index dac51198e..f3ba93ab0 100644 --- a/gcp/v2/privateGKE/kustomization.yaml +++ b/gcp/v2/privateGKE/kustomization.yaml 
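Review bot: Every ComputeFirewall document in firewall.yaml now has `metadata.name: name` bound to the full `name` setter, so the deny rule and all the allow rules share one resource name and would presumably collide or overwrite each other when applied, leaving the enforced rule set undefined. Keeping a per-rule suffix with a partial setter, as the cnrm/iam files in this commit do, avoids that: `name: name-deny-egress # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}`. The added description "Deny all internet traffic by default" also overstates the rule, because its `deny` list names only `protocol: tcp`; either add the other protocols or reword the description. In the DockerHub/quay.io rule, the comment `# Keep this in sync with the masterCidrBlock specified in cluster-private-patch.yaml` sits above registry addresses and looks copied from the master-egress rule. Those addresses came from nslookup and will drift, so a comment recording when and how they were resolved would be more useful there.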
@@ -1,5 +1,12 @@ +# This kustomization defines additional networking resoruces to setup +# as part of private deployments. +# For more info see: https://medium.com/google-cloud/completely-private-gke-clusters-with-no-internet-connectivity-945fffae1ccd +# N.b cluster-private-patch.yaml isn't included because we don't define the clsuter +# here so we can't patch it. resources: - compute-network.yaml +- enable-services.yaml - dns-gcr.yaml - dns-google-apis.yaml - firewall.yaml +- nat.yaml diff --git a/gcp/v2/privateGKE/nat.yaml b/gcp/v2/privateGKE/nat.yaml new file mode 100644 index 000000000..4174f7010 --- /dev/null +++ b/gcp/v2/privateGKE/nat.yaml @@ -0,0 +1,20 @@ +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeRouter +metadata: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} +spec: + description: Router to allow outbound internet access + region: us-central1 # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.compute.region","value":"us-central1"}}} + networkRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} +--- +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeRouterNAT +metadata: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} +spec: + region: us-central1 # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.compute.region","value":"us-central1"}}} + routerRef: + name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}} + natIpAllocateOption: AUTO_ONLY + sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES diff --git a/tests/Makefile b/tests/Makefile index 450644d92..0d8523828 100755 --- a/tests/Makefile +++ b/tests/Makefile 
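Review bot: The new ComputeRouterNAT in nat.yaml translates `ALL_SUBNETWORKS_ALL_IP_RANGES` and has no `logConfig`, so every range in the network gains an outbound internet path and translations are not logged. Egress control then rests entirely on the firewall rules, whose `enableLogging` setter defaults to `false`. Consider limiting the NAT to the private subnet with `sourceSubnetworkIpRangesToNat: LIST_OF_SUBNETWORKS` plus a `subnetwork` entry, and enabling NAT logging with `logConfig` (`enable: true`), if the CNRM version in use supports these fields. The kustomization.yaml comment added in the same commit links an article on clusters with no internet connectivity, so it should mention that `nat.yaml` deliberately adds outbound access.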
@@ -31,6 +31,9 @@ all: test gcp-reset: kpt cfg set ../gcp/v2/ cluster-name cluster-name kpt cfg set ../gcp/v2/ gcloud.core.project project-id + kpt cfg set ../gcp/v2/ gcloud.core.zone ZONE + kpt cfg set ../gcp/v2/ gcloud.core.region REGION + kpt cfg set ../gcp/v2/ name name generate: $(PYTHON_BIN) ../hack/generate_tests.py --all || echo done
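Review bot: The two added reset lines set `gcloud.core.zone` and `gcloud.core.region`, but the setters visible in the manifests of this commit are named `gcloud.compute.zone` and `gcloud.compute.region` (plus `location`). The `gcp-reset` target therefore probably leaves real zone and region values in the checked-in files. If the manifests are right, the lines should read `kpt cfg set ../gcp/v2/ gcloud.compute.zone ZONE` and `kpt cfg set ../gcp/v2/ gcloud.compute.region REGION`. The unchanged `cluster-name` line above them also targets a setter that this commit renames to `name` in management/cluster, so it may now be a no-op. Since this target is what keeps personal project details out of the repository, a comment such as `# reset every kpt setter to a placeholder before committing` together with a check that fails on leftover non-placeholder values would make it dependable.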