Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automation service accounts for k8s-artifacts- buckets #5957

Open
saschagrunert opened this issue Oct 11, 2023 · 17 comments
Open

Automation service accounts for k8s-artifacts- buckets #5957

saschagrunert opened this issue Oct 11, 2023 · 17 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.

Comments

@saschagrunert
Copy link
Member

SIG Release (aka @kubernetes/release-managers) maintains various buckets in the k8s-artifacts-prod project:

It would be good to have a dedicated service account to automatically publish binaries for each tag and repository to avoid manually invocations of kpromo gh.

The tokens could be stored in our 1Password vault.
@saschagrunert saschagrunert added the sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. label Oct 11, 2023
@saschagrunert saschagrunert mentioned this issue Oct 11, 2023
Open
@xmudrii
Copy link
Member

xmudrii commented Oct 11, 2023

+1 as a Release Manager

1 similar comment
@cpanato
Copy link
Member

cpanato commented Oct 11, 2023

+1 as a Release Manager

@ameukam
Copy link
Member

ameukam commented Oct 12, 2023

We could also reuse existing service accounts and grant them permissions to push to those buckets.

@saschagrunert
Copy link
Member Author

We could also reuse existing service accounts and grant them permissions to push to those buckets.

Would it be better security wise to have a dedicated service account per bucket?

@ameukam
Copy link
Member

ameukam commented Oct 12, 2023

We could also reuse existing service accounts and grant them permissions to push to those buckets.

Would it be better security wise to have a dedicated service account per bucket?

it depends on the entities that use these service accounts. As long we are inside the GCP perimeter, IMHO, reuse existing service accounts is fine.
However, it's recommended to use short-lived tokens rather than JSON creds.

@saschagrunert
Copy link
Member Author

However, it's recommended to use short-lived tokens rather than JSON creds.

How would that work, for example when using GitHub actions?

@saschagrunert
Copy link
Member Author

The only service account I can see is [email protected] which has write access to the buckets. Should we use this one?

@xmudrii
Copy link
Member

xmudrii commented Oct 12, 2023

I prefer that we create a new service account, especially because this SA might be used outside Prow (e.g. with GitHub Actions)

@ameukam
Copy link
Member

ameukam commented Oct 13, 2023

However, it's recommended to use short-lived tokens rather than JSON creds.

How would that work, for example when using GitHub actions?

I remember @upodroid mentioned this article. https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions which in resume means the Github Actions will assume an existing SA.

We can start with a new and single SA to cover all the buckets handled by RelEng.

@ameukam
Copy link
Member

ameukam commented Oct 18, 2023

From the convo on Slack, we can start with one single GCP Service Account to handle artifacts publication.

@xmudrii @saschagrunert Feel free to open PR against the repo and I'll actuate it.

@saschagrunert saschagrunert mentioned this issue Oct 19, 2023
Closed
@saschagrunert
Copy link
Member Author

Ref #5997

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 30, 2024
@vaibhav2107
Copy link
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 23, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 23, 2024
@vaibhav2107
Copy link
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 8, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 6, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add serviceaccount to prod GCS buckets saschagrunert/k8s.io
7 participants
@saschagrunert @ameukam @cpanato @xmudrii @k8s-ci-robot @k8s-triage-robot @vaibhav2107