fix(deployment): gcp managed storage - add service account to minio a…

…nd cloudsql proxy deployments for workload identity (#4188)
kubeflow · Jul 9, 2020 · c5c9739 · c5c9739
1 parent e4f4250
commit c5c9739
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 1 deletion.
diff --git a/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml
@@ -14,6 +14,7 @@ spec:
       labels:
         app: cloudsqlproxy
     spec:
+      serviceAccountName: kubeflow-pipelines-cloudsql-proxy
       containers:
         - image: gcr.io/cloudsql-docker/gce-proxy:1.14
           name: cloudsqlproxy

diff --git a/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubeflow-pipelines-cloudsql-proxy
diff --git a/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml b/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
 
 resources:
 - cloudsql-proxy-deployment.yaml
-- mysql-service.yaml
+- cloudsql-proxy-sa.yaml
+- mysql-service.yaml
diff --git a/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml b/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 
 resources:
 - minio-gcs-gateway-deployment.yaml
+- minio-gcs-gateway-sa.yaml
 - minio-gcs-gateway-service.yaml
 
 secretGenerator:

diff --git a/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         app: minio
     spec:
+      serviceAccountName: kubeflow-pipelines-minio-gcs-gateway
       containers:
         - name: minio
           image: gcr.io/ml-pipeline/minio:RELEASE.2019-08-14T20-37-41Z-license-compliance

diff --git a/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubeflow-pipelines-minio-gcs-gateway
diff --git a/manifests/kustomize/gcp-workload-identity-setup.sh b/manifests/kustomize/gcp-workload-identity-setup.sh
@@ -21,6 +21,10 @@ SYSTEM_GSA=${SYSTEM_GSA:-$CLUSTER_NAME-kfp-system}
 USER_GSA=${USER_GSA:-$CLUSTER_NAME-kfp-user}
 
 # Kubernetes Service Account (KSA)
+# Note, if deploying manifests/kustomize/env/gcp, you can add the following KSAs
+# to the array of SYSTEM_KSA:
+# * kubeflow-pipelines-minio-gcs-gateway needs gcs permissions
+# * kubeflow-pipelines-cloudsql-proxy needs cloudsql permissions
 SYSTEM_KSA=(ml-pipeline-ui ml-pipeline-visualizationserver)
 USER_KSA=(pipeline-runner kubeflow-pipelines-container-builder)