fix(deployment): gcp managed storage - add service account to minio and cloudsql proxy deployments for workload identity (#4188)

2020-07-09 18:24:54 +08:00 · 2020-07-09 18:24:54 +08:00 · c5c9739a00
parent e4f4250fa8
commit c5c9739a00
7 changed files with 17 additions and 1 deletions
--- a/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml
+++ b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml
@ -14,6 +14,7 @@ spec:
      labels:
        app: cloudsqlproxy
    spec:
+      serviceAccountName: kubeflow-pipelines-cloudsql-proxy
      containers:
        - image: gcr.io/cloudsql-docker/gce-proxy:1.14
          name: cloudsqlproxy
--- a/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml
+++ b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubeflow-pipelines-cloudsql-proxy
--- a/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml
+++ b/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml
@ -3,4 +3,5 @@ kind: Kustomization

 resources:
 - cloudsql-proxy-deployment.yaml
- mysql-service.yaml
+- cloudsql-proxy-sa.yaml
+- mysql-service.yaml
--- a/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml
+++ b/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml
@ -3,6 +3,7 @@ kind: Kustomization

 resources:
 - minio-gcs-gateway-deployment.yaml
+- minio-gcs-gateway-sa.yaml
 - minio-gcs-gateway-service.yaml

 secretGenerator:
--- a/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml
+++ b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml
@ -15,6 +15,7 @@ spec:
      labels:
        app: minio
    spec:
+      serviceAccountName: kubeflow-pipelines-minio-gcs-gateway
      containers:
        - name: minio
          image: gcr.io/ml-pipeline/minio:RELEASE.2019-08-14T20-37-41Z-license-compliance
--- a/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml
+++ b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubeflow-pipelines-minio-gcs-gateway
--- a/manifests/kustomize/gcp-workload-identity-setup.sh
+++ b/manifests/kustomize/gcp-workload-identity-setup.sh
@ -21,6 +21,10 @@ SYSTEM_GSA=${SYSTEM_GSA:-$CLUSTER_NAME-kfp-system}
 USER_GSA=${USER_GSA:-$CLUSTER_NAME-kfp-user}

 # Kubernetes Service Account (KSA)
+# Note, if deploying manifests/kustomize/env/gcp, you can add the following KSAs
+# to the array of SYSTEM_KSA:
+# * kubeflow-pipelines-minio-gcs-gateway needs gcs permissions
+# * kubeflow-pipelines-cloudsql-proxy needs cloudsql permissions
 SYSTEM_KSA=(ml-pipeline-ui ml-pipeline-visualizationserver)
 USER_KSA=(pipeline-runner kubeflow-pipelines-container-builder)