From 24008c1cb7e9d99dba5c3541b2869ad20fd554e5 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 21 Mar 2019 16:28:06 +0100 Subject: [PATCH 01/24] bump the google providers to 2.2.0 --- examples/gke-basic-tiller/main.tf | 4 ++-- examples/gke-regional-public-cluster/main.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/gke-basic-tiller/main.tf b/examples/gke-basic-tiller/main.tf index 990ddb6..b3548ef 100644 --- a/examples/gke-basic-tiller/main.tf +++ b/examples/gke-basic-tiller/main.tf @@ -11,13 +11,13 @@ terraform { } provider "google" { - version = "~> 2.0.0" + version = "~> 2.2.0" project = "${var.project}" region = "${var.region}" } provider "google-beta" { - version = "~> 2.0.0" + version = "~> 2.2.0" project = "${var.project}" region = "${var.region}" } diff --git a/examples/gke-regional-public-cluster/main.tf b/examples/gke-regional-public-cluster/main.tf index 5be1296..5795d3f 100644 --- a/examples/gke-regional-public-cluster/main.tf +++ b/examples/gke-regional-public-cluster/main.tf @@ -11,13 +11,13 @@ terraform { } provider "google" { - version = "~> 2.0.0" + version = "~> 2.2.0" project = "${var.project}" region = "${var.region}" } provider "google-beta" { - version = "~> 2.0.0" + version = "~> 2.2.0" project = "${var.project}" region = "${var.region}" } From 0488ac4c25a626a762c21939c3b61363aba0195f Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 21 Mar 2019 16:28:47 +0100 Subject: [PATCH 02/24] lock the gke version to a known working version. this is temporary --- modules/gke-cluster/main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf index 1366bfa..54ee65e 100644 --- a/modules/gke-cluster/main.tf +++ b/modules/gke-cluster/main.tf 
@@ -92,6 +92,7 @@ data "google_compute_subnetwork" "gke_subnetwork" { // Get available master versions in our region to determine the latest version data "google_container_engine_versions" "region" { - region = "${var.region}" - project = "${var.project}" + region = "${var.region}" + project = "${var.project}" + version_prefix = "1.12.5-gke.5" } From e99632735b40f116e2ee569d9cce876193eb9781 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 21 Mar 2019 16:35:51 +0100 Subject: [PATCH 03/24] clarify workaround --- modules/gke-cluster/main.tf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf index 54ee65e..314e129 100644 --- a/modules/gke-cluster/main.tf +++ b/modules/gke-cluster/main.tf @@ -92,7 +92,10 @@ data "google_compute_subnetwork" "gke_subnetwork" { // Get available master versions in our region to determine the latest version data "google_container_engine_versions" "region" { - region = "${var.region}" - project = "${var.project}" + region = "${var.region}" + project = "${var.project}" + + # Note: we are temporarily locking the GKE version to an older version as the current version + # has been disabled by Google. See: https://cloud.google.com/kubernetes-engine/docs/release-notes#march-14-2019 version_prefix = "1.12.5-gke.5" } From e8bbc71fbdc7f3a4951d02d61461f91a909c68b5 Mon Sep 17 00:00:00 2001 
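Review bot: `version_prefix = "1.12.5-gke.5"` is a string prefix, not an exact match, so it would also select a `1.12.5-gke.5x` release should Google publish one, and because the lock sits in the shared `gke-cluster` module rather than in an example it holds every consumer of the module on that patch line until someone remembers to remove it. The comment calls it temporary but names no removal condition; I would expose it as `variable "kubernetes_version_prefix" { default = "" }` wired to `version_prefix = "${var.kubernetes_version_prefix}"` (an empty prefix should match every available version) so operators can track a newer patched release without editing the module, and extend the note with the trigger, e.g. `# TODO: drop this default once a newer 1.12 release is available again in the region`. Note also that this data source only fixes the version a cluster is created with; what it runs afterwards depends on master/node auto-upgrade settings outside this hunk, so the comment should not read as if it pins the cluster permanently to 1.12.5.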
From: Rob Morgan Date: Thu, 21 Mar 2019 17:40:15 +0100 Subject: [PATCH 04/24] add an example to demonstrate using a custom service account --- examples/gke-custom-service-account/README.md | 27 ++++ examples/gke-custom-service-account/main.tf | 139 ++++++++++++++++++ .../gke-custom-service-account/outputs.tf | 22 +++ .../gke-custom-service-account/variables.tf | 32 ++++ 4 files changed, 220 insertions(+) create mode 100644 examples/gke-custom-service-account/README.md create mode 100644 examples/gke-custom-service-account/main.tf create mode 100644 examples/gke-custom-service-account/outputs.tf create mode 100644 examples/gke-custom-service-account/variables.tf diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md new file mode 100644 index 0000000..3b90d05 --- /dev/null +++ b/examples/gke-custom-service-account/README.md 
@@ -0,0 +1,27 @@ +# GKE Custom Service Account + +This example demonstrates how to use a custom, user provided service account + +## Why use Service Accounts? + +Each node in a container cluster is a Compute Engine instance. Therefore, applications running on a container cluster by +default inherit the scopes of the Compute Engine instances to which they are deployed. + +Google Cloud Platform automatically creates a service account named "Compute Engine default service account" and GKE +associates it with the nodes it creates. Depending on how your project is configured, the default service account may or +may not have permissions to use other Cloud Platform APIs. GKE also assigns some limited access scopes to compute instances. +Updating the default service account's permissions or assigning more access scopes to compute instances is not the +recommended way to authenticate to other Cloud Platform services from Pods running on GKE. + +The recommended way to authenticate to Google Cloud Platform services from applications running on GKE is to create your +own service accounts. Ideally you must create a new service account for each application that makes requests to Cloud +Platform APIs. + +## How do you run these examples? + +1. Install [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) v0.10.3 or later. +1. Open `variables.tf`, and fill in any required variables that don't have a +default. +1. Run `terraform get`. +1. Run `terraform plan`. +1. If the plan looks good, run `terraform apply`. diff --git a/examples/gke-custom-service-account/main.tf b/examples/gke-custom-service-account/main.tf new file mode 100644 index 0000000..510a50c --- /dev/null +++ b/examples/gke-custom-service-account/main.tf 
@@ -0,0 +1,139 @@ +# --------------------------------------------------------------------------------------------------------------------- +# DEPLOY A GKE REGIONAL PUBLIC CLUSTER IN GOOGLE CLOUD +# This is an example of how to use the gke-cluster module to deploy a regional public Kubernetes cluster in GCP with a +# Load Balancer in front of it. +# --------------------------------------------------------------------------------------------------------------------- + +# Use Terraform 0.10.x so that we can take advantage of Terraform GCP functionality as a separate provider via +# https://github.com/terraform-providers/terraform-provider-google +terraform { + required_version = ">= 0.10.3" +} + +provider "google" { + version = "~> 2.2.0" + project = "${var.project}" + region = "${var.region}" +} + +provider "google-beta" { + version = "~> 2.2.0" + project = "${var.project}" + region = "${var.region}" +} + +module "gke_cluster" { + # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you + # to a specific version of the modules, such as the following example: + # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-cluster?ref=v0.0.1" + source = "../../modules/gke-cluster" + + name = "${var.cluster_name}" + + project = "${var.project}" + region = "${var.region}" + network = "${google_compute_network.main.name}" + subnetwork = "${google_compute_subnetwork.main.name}" +} + +# Node Pool + +// Node Pool Resource +resource "google_container_node_pool" "node_pool" { + provider = "google-beta" + + name = "main-pool" + project = "${var.project}" + region = "${var.region}" + cluster = "${module.gke_cluster.name}" + + initial_node_count = "1" + + autoscaling { + min_node_count = "1" + max_node_count = "5" + } + + management { + auto_repair = "true" + auto_upgrade = "true" + } + + node_config { + image_type = "COS" + machine_type = "n1-standard-1" + + labels = { + all-pools-example = "true" + } + + 
tags = ["main-pool-example"] + disk_size_gb = "30" + disk_type = "pd-standard" + preemptible = false + + service_account = "${google_service_account.cluster_service_account.email}" + + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform", + ] + } + + lifecycle { + ignore_changes = ["initial_node_count"] + } + + timeouts { + create = "30m" + update = "30m" + delete = "30m" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# CREATE A CUSTOM SERVICE ACCOUNT TO USE WITH THE GKE CLUSTER +# --------------------------------------------------------------------------------------------------------------------- + +resource "google_service_account" "cluster_service_account" { + project = "${var.project}" + account_id = "${var.cluster_service_account_name}" + display_name = "${var.cluster_service_account_description}" +} + +# Grant the service account the minimum necessary roles and permissions in order to run the GKE cluster +resource "google_project_iam_member" "cluster_service_account-log_writer" { + project = "${google_service_account.cluster_service_account.project}" + role = "roles/logging.logWriter" + member = "serviceAccount:${google_service_account.cluster_service_account.email}" +} + +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + project = "${google_project_iam_member.cluster_service_account-log_writer.project}" + role = "roles/monitoring.metricWriter" + member = "serviceAccount:${google_service_account.cluster_service_account.email}" +} + +resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { + project = "${google_project_iam_member.cluster_service_account-metric_writer.project}" + role = "roles/monitoring.viewer" + member = "serviceAccount:${google_service_account.cluster_service_account.email}" +} + +# TODO(rileykarson): Add proper VPC network config once we've made a VPC module +resource "random_string" 
"suffix" { + length = 4 + special = false + upper = false +} + +resource "google_compute_network" "main" { + name = "${var.cluster_name}-network-${random_string.suffix.result}" + auto_create_subnetworks = "false" +} + +resource "google_compute_subnetwork" "main" { + name = "${var.cluster_name}-subnetwork-${random_string.suffix.result}" + ip_cidr_range = "10.0.0.0/17" + region = "${var.region}" + network = "${google_compute_network.main.self_link}" +} diff --git a/examples/gke-custom-service-account/outputs.tf b/examples/gke-custom-service-account/outputs.tf new file mode 100644 index 0000000..51f473b --- /dev/null +++ b/examples/gke-custom-service-account/outputs.tf @@ -0,0 +1,22 @@ +output "cluster_endpoint" { + description = "The IP address of the cluster master." + sensitive = true + value = "${module.gke_cluster.endpoint}" +} + +output "client_certificate" { + description = "Public certificate used by clients to authenticate to the cluster endpoint." + value = "${module.gke_cluster.client_certificate}" +} + +output "client_key" { + description = "Private key used by clients to authenticate to the cluster endpoint." + sensitive = true + value = "${module.gke_cluster.client_key}" +} + +output "cluster_ca_certificate" { + description = "The public certificate that is the root of trust for the cluster." + sensitive = true + value = "${module.gke_cluster.cluster_ca_certificate}" +} diff --git a/examples/gke-custom-service-account/variables.tf b/examples/gke-custom-service-account/variables.tf new file mode 100644 index 0000000..351ab1f --- /dev/null +++ b/examples/gke-custom-service-account/variables.tf 
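Review bot: With `oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]` the node pool's effective privilege is exactly the IAM roles granted to `cluster_service_account`, and on a GKE node any Pod can normally obtain that account's token from the instance metadata server, so the three `google_project_iam_member` bindings are the blast radius of any compromised container on the pool; nothing in the example says so, and the README's advice to create one service account per application is easy to misread as this node account being that application identity. I would add a comment above `oauth_scopes` such as `# Broad scope is intentional: access is governed by the IAM roles on the node service account, not by scopes` and a comment on the IAM block warning not to grant this account application-level roles (use a separate per-application service account instead). I cannot see whether metadata concealment or a similar mitigation is configured by the `gke-cluster` module — worth confirming and stating in the example, since it changes the meaning of the first point.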
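Review bot: `client_certificate` is the only one of the four outputs without `sensitive = true`, while `cluster_endpoint` (an IP address) has it; the certificate is half of a client credential and should at least be treated like `client_key` and `cluster_ca_certificate`, so add `sensitive = true` to that output. Also worth a one-line comment above the outputs that, in the Terraform versions this example targets, `sensitive` only suppresses CLI display — the key and certificates are still written in clear text to the Terraform state, so the state backend has to be protected accordingly.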
@@ -0,0 +1,32 @@ +# --------------------------------------------------------------------------------------------------------------------- +# REQUIRED PARAMETERS +# These variables are expected to be passed in by the operator +# --------------------------------------------------------------------------------------------------------------------- + +variable "project" { + description = "The name of the GCP Project where all resources will be launched." +} + +variable "region" { + description = "The Region in which all GCP resources will be launched." +} + +# --------------------------------------------------------------------------------------------------------------------- +# OPTIONAL PARAMETERS +# These parameters have reasonable defaults. +# --------------------------------------------------------------------------------------------------------------------- + +variable "cluster_name" { + description = "The name of the Kubernetes cluster." + default = "example-cluster" +} + +variable "cluster_service_account_name" { + description = "The name of the custom service account used for the GKE cluster. This parameter is limited to a maximum of 28 characters." + default = "example-cluster-sa" +} + +variable "cluster_service_account_description" { + description = "The name of the custom service account used for the GKE cluster." + default = "Example GKE Cluster Service Account managed by Terraform" +} From 239bcf3c90fc762ec23fce001afaeb6f58e13441 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 21 Mar 2019 17:42:10 +0100 Subject: [PATCH 05/24] reflow text a bit better --- examples/gke-custom-service-account/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md index 3b90d05..0d912c7 100644 --- a/examples/gke-custom-service-account/README.md +++ b/examples/gke-custom-service-account/README.md 
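Review bot: The `description` of `cluster_service_account_description` is a copy of the one above it — `"The name of the custom service account used for the GKE cluster."` — although the variable feeds `display_name`; change it to `"The display name / description of the custom service account used for the GKE cluster."`. The 28-character limit stated on `cluster_service_account_name` is not enforced anywhere in the example and, as far as I recall, GCP documents `account_id` as 6–30 characters, so either cite where 28 comes from or document the API limit; an over-long value fails only at apply time, which is a poor place to find out.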
@@ -4,18 +4,18 @@ This example demonstrates how to use a custom, user provided service account ## Why use Service Accounts? -Each node in a container cluster is a Compute Engine instance. Therefore, applications running on a container cluster by -default inherit the scopes of the Compute Engine instances to which they are deployed. +Each node in a container cluster is a Compute Engine instance. Therefore, applications running on a container cluster +by default inherit the scopes of the Compute Engine instances to which they are deployed. Google Cloud Platform automatically creates a service account named "Compute Engine default service account" and GKE -associates it with the nodes it creates. Depending on how your project is configured, the default service account may or -may not have permissions to use other Cloud Platform APIs. GKE also assigns some limited access scopes to compute instances. -Updating the default service account's permissions or assigning more access scopes to compute instances is not the -recommended way to authenticate to other Cloud Platform services from Pods running on GKE. +associates it with the nodes it creates. Depending on how your project is configured, the default service account may +or may not have permissions to use other Cloud Platform APIs. GKE also assigns some limited access scopes to compute +instances. Updating the default service account's permissions or assigning more access scopes to compute instances is +not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. -The recommended way to authenticate to Google Cloud Platform services from applications running on GKE is to create your -own service accounts. Ideally you must create a new service account for each application that makes requests to Cloud -Platform APIs. +The recommended way to authenticate to Google Cloud Platform services from applications running on GKE is to create +your own service accounts. 
Ideally you must create a new service account for each application that makes requests to +Cloud Platform APIs. ## How do you run these examples? From 3d2e46dd176c90063173312f227fb3b80591afd0 Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Thu, 21 Mar 2019 17:58:04 +0100 Subject: [PATCH 06/24] Update examples/gke-custom-service-account/README.md Co-Authored-By: robmorgan --- examples/gke-custom-service-account/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md index 0d912c7..0929147 100644 --- a/examples/gke-custom-service-account/README.md +++ b/examples/gke-custom-service-account/README.md @@ -4,7 +4,7 @@ This example demonstrates how to use a custom, user provided service account ## Why use Service Accounts? -Each node in a container cluster is a Compute Engine instance. Therefore, applications running on a container cluster +Each node in a GKE cluster is a Compute Engine instance. Therefore, applications running on a GKE cluster by default inherit the scopes of the Compute Engine instances to which they are deployed. Google Cloud Platform automatically creates a service account named "Compute Engine default service account" and GKE From 70a034354638d965c0baf6eff63f4b12e1830b98 Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Thu, 21 Mar 2019 17:58:12 +0100 Subject: [PATCH 07/24] Update examples/gke-custom-service-account/README.md Co-Authored-By: robmorgan --- examples/gke-custom-service-account/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md index 0929147..1afd52d 100644 --- a/examples/gke-custom-service-account/README.md +++ b/examples/gke-custom-service-account/README.md 
@@ -9,7 +9,7 @@ by default inherit the scopes of the Compute Engine instances to which they are Google Cloud Platform automatically creates a service account named "Compute Engine default service account" and GKE associates it with the nodes it creates. Depending on how your project is configured, the default service account may -or may not have permissions to use other Cloud Platform APIs. GKE also assigns some limited access scopes to compute +or may not have permissions to use other GCP APIs. GKE also assigns some limited access scopes to compute instances. Updating the default service account's permissions or assigning more access scopes to compute instances is not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. From 4fb048ccce94b40d85093aab6ba8cdf792bb86f2 Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Thu, 21 Mar 2019 17:58:19 +0100 Subject: [PATCH 08/24] Update examples/gke-custom-service-account/README.md Co-Authored-By: robmorgan --- examples/gke-custom-service-account/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md index 1afd52d..f8022c6 100644 --- a/examples/gke-custom-service-account/README.md +++ b/examples/gke-custom-service-account/README.md 
@@ -7,7 +7,7 @@ This example demonstrates how to use a custom, user provided service account Each node in a GKE cluster is a Compute Engine instance. Therefore, applications running on a GKE cluster by default inherit the scopes of the Compute Engine instances to which they are deployed. -Google Cloud Platform automatically creates a service account named "Compute Engine default service account" and GKE +Google Cloud Platform (GCP) automatically creates a service account named "Compute Engine default service account" and GKE associates it with the nodes it creates. Depending on how your project is configured, the default service account may or may not have permissions to use other GCP APIs. GKE also assigns some limited access scopes to compute instances. Updating the default service account's permissions or assigning more access scopes to compute instances is From ae6c2415ab370610a523e177afaf736e00ed8f60 Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Thu, 21 Mar 2019 17:58:28 +0100 Subject: [PATCH 09/24] Update examples/gke-custom-service-account/README.md Co-Authored-By: robmorgan --- examples/gke-custom-service-account/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md index f8022c6..c132a12 100644 --- a/examples/gke-custom-service-account/README.md +++ b/examples/gke-custom-service-account/README.md @@ -1,6 +1,6 @@ # GKE Custom Service Account -This example demonstrates how to use a custom, user provided service account +This example demonstrates how to use a custom, user provided service account with your Google Kubernetes Engine (GKE) cluster. ## Why use Service Accounts? From 8b7754ea68f92f222b457cb55c24efa881d397ef Mon Sep 17 00:00:00 2001 
From: Riley Karson Date: Thu, 21 Mar 2019 17:58:34 +0100 Subject: [PATCH 10/24] Update examples/gke-custom-service-account/README.md Co-Authored-By: robmorgan --- examples/gke-custom-service-account/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md index c132a12..5c43644 100644 --- a/examples/gke-custom-service-account/README.md +++ b/examples/gke-custom-service-account/README.md @@ -13,7 +13,7 @@ or may not have permissions to use other GCP APIs. GKE also assigns some limited instances. Updating the default service account's permissions or assigning more access scopes to compute instances is not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. -The recommended way to authenticate to Google Cloud Platform services from applications running on GKE is to create +The recommended way to authenticate to GCP services from applications running on GKE is to create your own service accounts. Ideally you must create a new service account for each application that makes requests to Cloud Platform APIs. From 4f4906d3329385bb439b7c82b61f47edf0948401 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Sun, 24 Mar 2019 12:19:59 +0100 Subject: [PATCH 11/24] improve tests --- test/gke_basic_tiller_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/test/gke_basic_tiller_test.go b/test/gke_basic_tiller_test.go index 89258f3..9bb4bd0 100644 --- a/test/gke_basic_tiller_test.go +++ b/test/gke_basic_tiller_test.go @@ -27,7 +27,6 @@ func TestGKEBasicTiller(t *testing.T) { // os.Setenv("SKIP_create_test_copy_of_examples", "true") // os.Setenv("SKIP_create_terratest_options", "true") // os.Setenv("SKIP_terraform_apply", "true") - // os.Setenv("SKIP_configure_kubectl", "true") // os.Setenv("SKIP_wait_for_workers", "true") // os.Setenv("SKIP_helm_install", "true") // os.Setenv("SKIP_cleanup", "true") 
From 2873ba509c2617f1717ca23990079e8613c899b2 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Sun, 24 Mar 2019 15:34:07 +0100 Subject: [PATCH 12/24] add a module for creating custom service accounts --- modules/gke-service-account/README.md | 5 +++++ modules/gke-service-account/main.tf | 24 ++++++++++++++++++++++++ modules/gke-service-account/outputs.tf | 7 +++++++ modules/gke-service-account/variables.tf | 22 ++++++++++++++++++++++ 4 files changed, 58 insertions(+) create mode 100644 modules/gke-service-account/README.md create mode 100644 modules/gke-service-account/main.tf create mode 100644 modules/gke-service-account/outputs.tf create mode 100644 modules/gke-service-account/variables.tf diff --git a/modules/gke-service-account/README.md b/modules/gke-service-account/README.md new file mode 100644 index 0000000..1ef3624 --- /dev/null +++ b/modules/gke-service-account/README.md @@ -0,0 +1,5 @@ +# GKE Service Account Module + +The GKE Service Account module is used to create a custom service account for use with a GKE cluster. It is based on +the best practices referenced in this article: +https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform. diff --git a/modules/gke-service-account/main.tf b/modules/gke-service-account/main.tf new file mode 100644 index 0000000..6bcf0f4 --- /dev/null +++ b/modules/gke-service-account/main.tf 
@@ -0,0 +1,24 @@
+resource "google_service_account" "service_account" {
+ project = "${var.project}"
+ account_id = "${var.name}"
+ display_name = "${var.description}"
+}
+
+# Grant the service account the minimum necessary roles and permissions in order to run the GKE cluster
+resource "google_project_iam_member" "service_account-log_writer" {
+ project = "${google_service_account.service_account.project}"
+ role = "roles/logging.logWriter"
+ member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "google_project_iam_member" "service_account-metric_writer" {
+ project = "${google_project_iam_member.service_account-log_writer.project}"
+ role = "roles/monitoring.metricWriter"
+ member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "google_project_iam_member" "service_account-monitoring_viewer" {
+ project = "${google_project_iam_member.service_account-metric_writer.project}"
+ role = "roles/monitoring.viewer"
+ member = "serviceAccount:${google_service_account.service_account.email}"
+}
diff --git a/modules/gke-service-account/outputs.tf b/modules/gke-service-account/outputs.tf
new file mode 100644
index 0000000..6efce93
--- /dev/null
+++ b/modules/gke-service-account/outputs.tf
@@ -0,0 +1,7 @@
+output "email" {
+ # This may seem redundant with the `name` input, but it serves an important
+ # purpose. Terraform won't establish a dependency graph without this to interpolate on.
+ description = "The email address of the custom service account."
+
+ value = "${google_service_account.service_account.email}"
+}
diff --git a/modules/gke-service-account/variables.tf b/modules/gke-service-account/variables.tf
new file mode 100644
index 0000000..1127f07
--- /dev/null
+++ b/modules/gke-service-account/variables.tf
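Review bot: The comment `# Grant the service account the minimum necessary roles and permissions in order to run the GKE cluster` is the only statement of this module's contract; it should also say that consumers must not attach application-level roles to this account, because every Pod scheduled on a node that uses it can exercise its credentials, and that application access belongs on separate per-workload service accounts as the README's linked tutorial describes. Chaining `project` through the previous `google_project_iam_member` serialises the three bindings, but without a comment such as `# Chained through the previous binding so the IAM changes are applied one at a time` the next reader is likely to "fix" it back to `var.project`. There is no wait between creating the account and binding or using it; IAM propagation for a freshly created service account is eventually consistent in my experience, so if consumers hit `service account does not exist` when the node pool is created, this is where to look — hedged, since nothing here shows it failing.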
@@ -0,0 +1,22 @@ +# --------------------------------------------------------------------------------------------------------------------- +# REQUIRED PARAMETERS +# These parameters must be supplied when consuming this module. +# --------------------------------------------------------------------------------------------------------------------- + +variable "project" { + description = "The name of the GCP Project where all resources will be launched." +} + +variable "name" { + description = "The name of the custom service account. This parameter is limited to a maximum of 28 characters." +} + +# --------------------------------------------------------------------------------------------------------------------- +# OPTIONAL PARAMETERS +# These parameters have reasonable defaults. +# --------------------------------------------------------------------------------------------------------------------- + +variable "description" { + description = "The description of the custom service account." + default = "" +} From 03e11731ccf1f98e04e751def28fd53e3f879f46 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Sun, 24 Mar 2019 15:34:57 +0100 Subject: [PATCH 13/24] configure example to use the gke sa module --- examples/gke-custom-service-account/README.md | 5 ++- examples/gke-custom-service-account/main.tf | 36 ++++++------------- .../gke-custom-service-account/variables.tf | 2 +- 3 files changed, 16 insertions(+), 27 deletions(-) diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md index 0d912c7..1ba16e5 100644 --- a/examples/gke-custom-service-account/README.md +++ b/examples/gke-custom-service-account/README.md 
@@ -1,6 +1,9 @@ # GKE Custom Service Account -This example demonstrates how to use a custom, user provided service account +This example demonstrates how to use a custom service account with a GKE cluster. + +You will need to ensure that the Identity and Access Management (IAM) API has been enabled for the given project. This +can be enabled in the Google API Console: https://console.developers.google.com/apis/api/iam.googleapis.com/overview. ## Why use Service Accounts? diff --git a/examples/gke-custom-service-account/main.tf b/examples/gke-custom-service-account/main.tf index 510a50c..01085b5 100644 --- a/examples/gke-custom-service-account/main.tf +++ b/examples/gke-custom-service-account/main.tf @@ -1,7 +1,7 @@ # --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A GKE REGIONAL PUBLIC CLUSTER IN GOOGLE CLOUD +# DEPLOY A GKE CLUSTER IN GCP WITH A CUSTOM SERVICE ACCOUNT # This is an example of how to use the gke-cluster module to deploy a regional public Kubernetes cluster in GCP with a -# Load Balancer in front of it. +# Load Balancer in front of it. The GKE nodes are configured to use a custom service account. # --------------------------------------------------------------------------------------------------------------------- # Use Terraform 0.10.x so that we can take advantage of Terraform GCP functionality as a separate provider via @@ -72,7 +72,7 @@ resource "google_container_node_pool" "node_pool" { disk_type = "pd-standard" preemptible = false - service_account = "${google_service_account.cluster_service_account.email}" + service_account = "${module.gke_service_account.email}" oauth_scopes = [ "https://www.googleapis.com/auth/cloud-platform", 
@@ -94,29 +94,15 @@ resource "google_container_node_pool" "node_pool" { # CREATE A CUSTOM SERVICE ACCOUNT TO USE WITH THE GKE CLUSTER # --------------------------------------------------------------------------------------------------------------------- -resource "google_service_account" "cluster_service_account" { - project = "${var.project}" - account_id = "${var.cluster_service_account_name}" - display_name = "${var.cluster_service_account_description}" -} - -# Grant the service account the minimum necessary roles and permissions in order to run the GKE cluster -resource "google_project_iam_member" "cluster_service_account-log_writer" { - project = "${google_service_account.cluster_service_account.project}" - role = "roles/logging.logWriter" - member = "serviceAccount:${google_service_account.cluster_service_account.email}" -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - project = "${google_project_iam_member.cluster_service_account-log_writer.project}" - role = "roles/monitoring.metricWriter" - member = "serviceAccount:${google_service_account.cluster_service_account.email}" -} +module "gke_service_account" { + # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you + # to a specific version of the modules, such as the following example: + # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-service-account?ref=v0.0.1" + source = "../../modules/gke-service-account" -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - project = "${google_project_iam_member.cluster_service_account-metric_writer.project}" - role = "roles/monitoring.viewer" - member = "serviceAccount:${google_service_account.cluster_service_account.email}" + name = "${var.cluster_service_account_name}" + project = "${var.project}" + description = "${var.cluster_service_account_description}" } # TODO(rileykarson): Add proper VPC network config once 
we've made a VPC module diff --git a/examples/gke-custom-service-account/variables.tf b/examples/gke-custom-service-account/variables.tf index 351ab1f..08f9248 100644 --- a/examples/gke-custom-service-account/variables.tf +++ b/examples/gke-custom-service-account/variables.tf @@ -27,6 +27,6 @@ variable "cluster_service_account_name" { } variable "cluster_service_account_description" { - description = "The name of the custom service account used for the GKE cluster." + description = "A description of the custom service account used for the GKE cluster." default = "Example GKE Cluster Service Account managed by Terraform" } From 72abe8e0f46f02a4841fcf41afa55a8099263a79 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Mon, 25 Mar 2019 17:30:33 +0100 Subject: [PATCH 14/24] fix doc block --- modules/gke-service-account/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/gke-service-account/variables.tf b/modules/gke-service-account/variables.tf index 1127f07..75e6666 100644 --- a/modules/gke-service-account/variables.tf +++ b/modules/gke-service-account/variables.tf @@ -1,5 +1,5 @@ # --------------------------------------------------------------------------------------------------------------------- -# REQUIRED PARAMETERS +# REQUIRED MODULE PARAMETERS # These parameters must be supplied when consuming this module. # --------------------------------------------------------------------------------------------------------------------- @@ -12,7 +12,7 @@ variable "name" { } # --------------------------------------------------------------------------------------------------------------------- -# OPTIONAL PARAMETERS +# OPTIONAL MODULE PARAMETERS # These parameters have reasonable defaults. # --------------------------------------------------------------------------------------------------------------------- From 2b138b3124be6dfd42fead7dce654c4a1c78baec Mon Sep 17 00:00:00 2001 
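Review bot: Replacing the inline `google_project_iam_member` resources with `module "gke_service_account"` changes what the node pool waits for: the `service_account = "${module.gke_service_account.email}"` interpolation orders the pool only after the service account itself, and Terraform 0.11 has no `depends_on` on module blocks, so if the module (not visible in this patch) recreates the removed `roles/logging.logWriter`, `roles/monitoring.metricWriter` and `roles/monitoring.viewer` bindings, the first nodes may start before those bindings exist and miss early log and metric writes. Worth a comment on the module block such as `# NOTE: IAM bindings created inside this module are not a dependency of the node pool; nodes may briefly lack logging/monitoring permissions on first apply.`, or a module output that interpolates the binding resources so the node pool can reference it and inherit the dependency. The same module block is added to examples/gke-basic-tiller/main.tf and examples/gke-regional-public-cluster/main.tf in PATCH 15. The surrounding resources continue outside the hunk.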
From: Rob Morgan Date: Thu, 4 Apr 2019 17:50:08 +0200 Subject: [PATCH 15/24] add custom service accounts to the helm and regional-public-cluster example --- examples/gke-basic-tiller/main.tf | 17 ++++++++++++ examples/gke-basic-tiller/variables.tf | 12 ++++++++- .../gke-regional-public-cluster/README.md | 27 ++++++++++++++++--- examples/gke-regional-public-cluster/main.tf | 17 ++++++++++++ .../gke-regional-public-cluster/variables.tf | 12 ++++++++- 5 files changed, 80 insertions(+), 5 deletions(-) diff --git a/examples/gke-basic-tiller/main.tf b/examples/gke-basic-tiller/main.tf index 0e1bcc5..5f79e49 100644 --- a/examples/gke-basic-tiller/main.tf +++ b/examples/gke-basic-tiller/main.tf @@ -112,6 +112,8 @@ resource "google_container_node_pool" "node_pool" { disk_type = "pd-standard" preemptible = false + service_account = "${module.gke_service_account.email}" + oauth_scopes = [ "https://www.googleapis.com/auth/cloud-platform", ] @@ -128,6 +130,21 @@ resource "google_container_node_pool" "node_pool" { } } +# --------------------------------------------------------------------------------------------------------------------- +# CREATE A CUSTOM SERVICE ACCOUNT TO USE WITH THE GKE CLUSTER +# --------------------------------------------------------------------------------------------------------------------- + +module "gke_service_account" { + # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you + # to a specific version of the modules, such as the following example: + # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-service-account?ref=v0.0.1" + source = "../../modules/gke-service-account" + + name = "${var.cluster_service_account_name}" + project = "${var.project}" + description = "${var.cluster_service_account_description}" +} + # TODO(rileykarson): Add proper VPC network config once we've made a VPC module resource "random_string" "suffix" { length = 4 
diff --git a/examples/gke-basic-tiller/variables.tf b/examples/gke-basic-tiller/variables.tf index 43e3d85..4b601d3 100644 --- a/examples/gke-basic-tiller/variables.tf +++ b/examples/gke-basic-tiller/variables.tf @@ -1,6 +1,6 @@ # --------------------------------------------------------------------------------------------------------------------- # REQUIRED PARAMETERS -# These variables are expected to be passed in by the operator +# These variables are expected to be passed in by the operator. # --------------------------------------------------------------------------------------------------------------------- variable "project" { @@ -51,6 +51,16 @@ variable "cluster_name" { default = "example-cluster" } +variable "cluster_service_account_name" { + description = "The name of the custom service account used for the GKE cluster. This parameter is limited to a maximum of 28 characters." + default = "example-cluster-sa" +} + +variable "cluster_service_account_description" { + description = "A description of the custom service account used for the GKE cluster." + default = "Example GKE Cluster Service Account managed by Terraform" +} + # TLS algorithm configuration variable "private_key_algorithm" { diff --git a/examples/gke-regional-public-cluster/README.md b/examples/gke-regional-public-cluster/README.md index c70f507..abbd0dd 100644 --- a/examples/gke-regional-public-cluster/README.md +++ b/examples/gke-regional-public-cluster/README.md 
@@ -13,11 +13,32 @@ By default, regional clusters will create nodes across 3 zones in a region. If you're interested in how nodes are distributed in regional clusters, read the GCP docs about [balancing across zones](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-autoscaler#balancing_across_zones). -Nodes in a public cluster are accessible from the public internet; try using a +The example follows best-practices and runs nodes using a custom service account to follow the principle of +least privilege. However you will need to ensure that the Identity and Access Management (IAM) API has been +enabled for the given project. This can be enabled in the Google API Console: +https://console.developers.google.com/apis/api/iam.googleapis.com/overview. See "Why use Custom Service +Accounts?" for more information. + +**Important:** Nodes in a public cluster are accessible from the public internet; try using a private cluster such as in [`gke-regional-private-cluster`](../gke-regional-private-cluster) to limit access to/from your nodes. Private clusters are recommended for running most apps and services. +## Why use Custom Service Accounts? + +Each node in a GKE cluster is a Compute Engine instance. Therefore, applications running on a GKE cluster +by default inherit the scopes of the Compute Engine instances to which they are deployed. + +Google Cloud Platform (GCP) automatically creates a service account named "Compute Engine default service account" and GKE +associates it with the nodes it creates. Depending on how your project is configured, the default service account may +or may not have permissions to use other GCP APIs. GKE also assigns some limited access scopes to compute +instances. Updating the default service account's permissions or assigning more access scopes to compute instances is +not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. 
+ +The recommended way to authenticate to GCP services from applications running on GKE is to create +your own service accounts. Ideally you must create a new service account for each application that makes requests to +Cloud Platform APIs. + ## Limitations No region shares GPU types across all of their zones; you will need to @@ -30,8 +51,8 @@ region your cluster is present in. ## How do you run these examples? 1. Install [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) v0.10.3 or later. -1. Open `variables.tf`, and fill in any required variables that don't have a -default. +1. Open `variables.tf`, and fill in any required variables that don't have a + default. 1. Run `terraform get`. 1. Run `terraform plan`. 1. If the plan looks good, run `terraform apply`. diff --git a/examples/gke-regional-public-cluster/main.tf b/examples/gke-regional-public-cluster/main.tf index 122daba..2c34186 100644 --- a/examples/gke-regional-public-cluster/main.tf +++ b/examples/gke-regional-public-cluster/main.tf @@ -77,6 +77,8 @@ resource "google_container_node_pool" "node_pool" { disk_type = "pd-standard" preemptible = false + service_account = "${module.gke_service_account.email}" + oauth_scopes = [ "https://www.googleapis.com/auth/cloud-platform", ] 
@@ -93,6 +95,21 @@ resource "google_container_node_pool" "node_pool" { } } +# --------------------------------------------------------------------------------------------------------------------- +# CREATE A CUSTOM SERVICE ACCOUNT TO USE WITH THE GKE CLUSTER +# --------------------------------------------------------------------------------------------------------------------- + +module "gke_service_account" { + # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you + # to a specific version of the modules, such as the following example: + # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-service-account?ref=v0.0.1" + source = "../../modules/gke-service-account" + + name = "${var.cluster_service_account_name}" + project = "${var.project}" + description = "${var.cluster_service_account_description}" +} + # TODO(rileykarson): Add proper VPC network config once we've made a VPC module resource "random_string" "suffix" { length = 4 diff --git a/examples/gke-regional-public-cluster/variables.tf b/examples/gke-regional-public-cluster/variables.tf index 909ed97..63e227b 100644 --- a/examples/gke-regional-public-cluster/variables.tf +++ b/examples/gke-regional-public-cluster/variables.tf @@ -1,6 +1,6 @@ # --------------------------------------------------------------------------------------------------------------------- # REQUIRED PARAMETERS -# These variables are expected to be passed in by the operator +# These variables are expected to be passed in by the operator. # --------------------------------------------------------------------------------------------------------------------- variable "project" { 
@@ -20,3 +20,13 @@ variable "cluster_name" { description = "The name of the Kubernetes cluster." default = "example-cluster" } + +variable "cluster_service_account_name" { + description = "The name of the custom service account used for the GKE cluster. This parameter is limited to a maximum of 28 characters." + default = "example-cluster-sa" +} + +variable "cluster_service_account_description" { + description = "A description of the custom service account used for the GKE cluster." + default = "Example GKE Cluster Service Account managed by Terraform" +} From 94c28d584f13363e12e9cdc8a336cd92478b7c9a Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 4 Apr 2019 17:55:52 +0200 Subject: [PATCH 16/24] remove dedicated example for custom service accounts --- examples/gke-custom-service-account/README.md | 30 ----- examples/gke-custom-service-account/main.tf | 125 ------------------ .../gke-custom-service-account/outputs.tf | 22 --- .../gke-custom-service-account/variables.tf | 32 ----- 4 files changed, 209 deletions(-) delete mode 100644 examples/gke-custom-service-account/README.md delete mode 100644 examples/gke-custom-service-account/main.tf delete mode 100644 examples/gke-custom-service-account/outputs.tf delete mode 100644 examples/gke-custom-service-account/variables.tf diff --git a/examples/gke-custom-service-account/README.md b/examples/gke-custom-service-account/README.md deleted file mode 100644 index 5512c23..0000000 --- a/examples/gke-custom-service-account/README.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# GKE Custom Service Account - -This example demonstrates how to use a custom, user provided service account with your Google Kubernetes Engine (GKE) cluster. - -You will need to ensure that the Identity and Access Management (IAM) API has been enabled for the given project. This -can be enabled in the Google API Console: https://console.developers.google.com/apis/api/iam.googleapis.com/overview. - -## Why use Service Accounts? - -Each node in a GKE cluster is a Compute Engine instance. Therefore, applications running on a GKE cluster -by default inherit the scopes of the Compute Engine instances to which they are deployed. - -Google Cloud Platform (GCP) automatically creates a service account named "Compute Engine default service account" and GKE -associates it with the nodes it creates. Depending on how your project is configured, the default service account may -or may not have permissions to use other GCP APIs. GKE also assigns some limited access scopes to compute -instances. Updating the default service account's permissions or assigning more access scopes to compute instances is -not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. - -The recommended way to authenticate to GCP services from applications running on GKE is to create -your own service accounts. Ideally you must create a new service account for each application that makes requests to -Cloud Platform APIs. - -## How do you run these examples? - -1. Install [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) v0.10.3 or later. -1. Open `variables.tf`, and fill in any required variables that don't have a -default. -1. Run `terraform get`. -1. Run `terraform plan`. -1. If the plan looks good, run `terraform apply`. diff --git a/examples/gke-custom-service-account/main.tf b/examples/gke-custom-service-account/main.tf deleted file mode 100644 index 01085b5..0000000 
--- a/examples/gke-custom-service-account/main.tf +++ /dev/null 
@@ -1,125 +0,0 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A GKE CLUSTER IN GCP WITH A CUSTOM SERVICE ACCOUNT -# This is an example of how to use the gke-cluster module to deploy a regional public Kubernetes cluster in GCP with a -# Load Balancer in front of it. The GKE nodes are configured to use a custom service account. -# --------------------------------------------------------------------------------------------------------------------- - -# Use Terraform 0.10.x so that we can take advantage of Terraform GCP functionality as a separate provider via -# https://github.com/terraform-providers/terraform-provider-google -terraform { - required_version = ">= 0.10.3" -} - -provider "google" { - version = "~> 2.2.0" - project = "${var.project}" - region = "${var.region}" -} - -provider "google-beta" { - version = "~> 2.2.0" - project = "${var.project}" - region = "${var.region}" -} - -module "gke_cluster" { - # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you - # to a specific version of the modules, such as the following example: - # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-cluster?ref=v0.0.1" - source = "../../modules/gke-cluster" - - name = "${var.cluster_name}" - - project = "${var.project}" - region = "${var.region}" - network = "${google_compute_network.main.name}" - subnetwork = "${google_compute_subnetwork.main.name}" -} - -# Node Pool - -// Node Pool Resource -resource "google_container_node_pool" "node_pool" { - provider = "google-beta" - - name = "main-pool" - project = "${var.project}" - region = "${var.region}" - cluster = "${module.gke_cluster.name}" - - initial_node_count = "1" - - autoscaling { - min_node_count = "1" - max_node_count = "5" - } - - management { - auto_repair = "true" - auto_upgrade = "true" - } - - node_config { - image_type = "COS" - machine_type = 
"n1-standard-1" - - labels = { - all-pools-example = "true" - } - - tags = ["main-pool-example"] - disk_size_gb = "30" - disk_type = "pd-standard" - preemptible = false - - service_account = "${module.gke_service_account.email}" - - oauth_scopes = [ - "https://www.googleapis.com/auth/cloud-platform", - ] - } - - lifecycle { - ignore_changes = ["initial_node_count"] - } - - timeouts { - create = "30m" - update = "30m" - delete = "30m" - } -} - -# --------------------------------------------------------------------------------------------------------------------- -# CREATE A CUSTOM SERVICE ACCOUNT TO USE WITH THE GKE CLUSTER -# --------------------------------------------------------------------------------------------------------------------- - -module "gke_service_account" { - # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you - # to a specific version of the modules, such as the following example: - # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-service-account?ref=v0.0.1" - source = "../../modules/gke-service-account" - - name = "${var.cluster_service_account_name}" - project = "${var.project}" - description = "${var.cluster_service_account_description}" -} - -# TODO(rileykarson): Add proper VPC network config once we've made a VPC module -resource "random_string" "suffix" { - length = 4 - special = false - upper = false -} - -resource "google_compute_network" "main" { - name = "${var.cluster_name}-network-${random_string.suffix.result}" - auto_create_subnetworks = "false" -} - -resource "google_compute_subnetwork" "main" { - name = "${var.cluster_name}-subnetwork-${random_string.suffix.result}" - ip_cidr_range = "10.0.0.0/17" - region = "${var.region}" - network = "${google_compute_network.main.self_link}" -} diff --git a/examples/gke-custom-service-account/outputs.tf b/examples/gke-custom-service-account/outputs.tf deleted file mode 100644 index 51f473b..0000000 
--- a/examples/gke-custom-service-account/outputs.tf +++ /dev/null @@ -1,22 +0,0 @@ -output "cluster_endpoint" { - description = "The IP address of the cluster master." - sensitive = true - value = "${module.gke_cluster.endpoint}" -} - -output "client_certificate" { - description = "Public certificate used by clients to authenticate to the cluster endpoint." - value = "${module.gke_cluster.client_certificate}" -} - -output "client_key" { - description = "Private key used by clients to authenticate to the cluster endpoint." - sensitive = true - value = "${module.gke_cluster.client_key}" -} - -output "cluster_ca_certificate" { - description = "The public certificate that is the root of trust for the cluster." - sensitive = true - value = "${module.gke_cluster.cluster_ca_certificate}" -} diff --git a/examples/gke-custom-service-account/variables.tf b/examples/gke-custom-service-account/variables.tf deleted file mode 100644 index 08f9248..0000000 --- a/examples/gke-custom-service-account/variables.tf +++ /dev/null 
@@ -1,32 +0,0 @@ -# --------------------------------------------------------------------------------------------------------------------- -# REQUIRED PARAMETERS -# These variables are expected to be passed in by the operator -# --------------------------------------------------------------------------------------------------------------------- - -variable "project" { - description = "The name of the GCP Project where all resources will be launched." -} - -variable "region" { - description = "The Region in which all GCP resources will be launched." -} - -# --------------------------------------------------------------------------------------------------------------------- -# OPTIONAL PARAMETERS -# These parameters have reasonable defaults. -# --------------------------------------------------------------------------------------------------------------------- - -variable "cluster_name" { - description = "The name of the Kubernetes cluster." - default = "example-cluster" -} - -variable "cluster_service_account_name" { - description = "The name of the custom service account used for the GKE cluster. This parameter is limited to a maximum of 28 characters." - default = "example-cluster-sa" -} - -variable "cluster_service_account_description" { - description = "A description of the custom service account used for the GKE cluster." - default = "Example GKE Cluster Service Account managed by Terraform" -} From 889e72ad7573c5ea001c6b3a95a572568c803eb9 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 4 Apr 2019 19:23:05 +0200 Subject: [PATCH 17/24] [skip ci] tweak readme as per rileys request --- examples/gke-regional-public-cluster/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/gke-regional-public-cluster/README.md b/examples/gke-regional-public-cluster/README.md index abbd0dd..dd917c2 100644 --- a/examples/gke-regional-public-cluster/README.md +++ b/examples/gke-regional-public-cluster/README.md 
@@ -29,16 +29,16 @@ most apps and services. Each node in a GKE cluster is a Compute Engine instance. Therefore, applications running on a GKE cluster by default inherit the scopes of the Compute Engine instances to which they are deployed. -Google Cloud Platform (GCP) automatically creates a service account named "Compute Engine default service account" and GKE +The recommended way to authenticate to GCP services from applications running on GKE is to create +your own service accounts. Ideally you must create a new service account for each application that makes requests to +Cloud Platform APIs. + +By default, GCP automatically creates a service account named "Compute Engine default service account" and GKE associates it with the nodes it creates. Depending on how your project is configured, the default service account may or may not have permissions to use other GCP APIs. GKE also assigns some limited access scopes to compute instances. Updating the default service account's permissions or assigning more access scopes to compute instances is not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. -The recommended way to authenticate to GCP services from applications running on GKE is to create -your own service accounts. Ideally you must create a new service account for each application that makes requests to -Cloud Platform APIs. - ## Limitations No region shares GPU types across all of their zones; you will need to From 54102422e861eb24344cbe3c5d68737ef48e5d36 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 4 Apr 2019 19:51:22 +0200 Subject: [PATCH 18/24] [skip ci] rephrase text a bit --- examples/gke-regional-public-cluster/README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/examples/gke-regional-public-cluster/README.md b/examples/gke-regional-public-cluster/README.md index dd917c2..c5efc14 100644 --- a/examples/gke-regional-public-cluster/README.md 
+++ b/examples/gke-regional-public-cluster/README.md @@ -34,10 +34,12 @@ your own service accounts. Ideally you must create a new service account for eac Cloud Platform APIs. By default, GCP automatically creates a service account named "Compute Engine default service account" and GKE -associates it with the nodes it creates. Depending on how your project is configured, the default service account may -or may not have permissions to use other GCP APIs. GKE also assigns some limited access scopes to compute -instances. Updating the default service account's permissions or assigning more access scopes to compute instances is -not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. +associates it with the nodes it creates. Depending on how your project is configured, the default service account comes +pre-configured with project-wide permissions meaning that any given node will have access to every service every other +node has. Updating the default service account's permissions or assigning more access scopes to compute instances is +not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. In general, we +recommend using a per-node pool or per-cluster custom service account to allow you to more granularly restrict those +permissions. ## Limitations From 1bf76c58690c343af29811405869a636820e8bcf Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Fri, 5 Apr 2019 00:08:19 +0200 Subject: [PATCH 19/24] Update examples/gke-regional-public-cluster/README.md Co-Authored-By: robmorgan --- examples/gke-regional-public-cluster/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-regional-public-cluster/README.md b/examples/gke-regional-public-cluster/README.md index c5efc14..376c4ab 100644 --- a/examples/gke-regional-public-cluster/README.md +++ b/examples/gke-regional-public-cluster/README.md 
@@ -30,7 +30,7 @@ Each node in a GKE cluster is a Compute Engine instance. Therefore, applications by default inherit the scopes of the Compute Engine instances to which they are deployed. The recommended way to authenticate to GCP services from applications running on GKE is to create -your own service accounts. Ideally you must create a new service account for each application that makes requests to +your own service accounts. Ideally you must create a new service account for each application/service that makes requests to Cloud Platform APIs. By default, GCP automatically creates a service account named "Compute Engine default service account" and GKE From 015283dd825ae0ce06da2ef461818338e990fb1e Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Fri, 5 Apr 2019 00:13:26 +0200 Subject: [PATCH 20/24] Update examples/gke-regional-public-cluster/README.md Co-Authored-By: robmorgan --- examples/gke-regional-public-cluster/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-regional-public-cluster/README.md b/examples/gke-regional-public-cluster/README.md index 376c4ab..70f98ce 100644 --- a/examples/gke-regional-public-cluster/README.md +++ b/examples/gke-regional-public-cluster/README.md @@ -27,7 +27,7 @@ most apps and services. ## Why use Custom Service Accounts? Each node in a GKE cluster is a Compute Engine instance. Therefore, applications running on a GKE cluster -by default inherit the scopes of the Compute Engine instances to which they are deployed. +inherit the scopes of the Compute Engine instances to which they are deployed. The recommended way to authenticate to GCP services from applications running on GKE is to create your own service accounts. Ideally you must create a new service account for each application/service that makes requests to From 61b98f6214237f59a88570b8b4047403f4390683 Mon Sep 17 00:00:00 2001 
From: Riley Karson Date: Fri, 5 Apr 2019 00:14:20 +0200 Subject: [PATCH 21/24] Update examples/gke-regional-public-cluster/README.md Co-Authored-By: robmorgan --- examples/gke-regional-public-cluster/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-regional-public-cluster/README.md b/examples/gke-regional-public-cluster/README.md index 70f98ce..0012fd5 100644 --- a/examples/gke-regional-public-cluster/README.md +++ b/examples/gke-regional-public-cluster/README.md @@ -33,7 +33,7 @@ The recommended way to authenticate to GCP services from applications running on your own service accounts. Ideally you must create a new service account for each application/service that makes requests to Cloud Platform APIs. -By default, GCP automatically creates a service account named "Compute Engine default service account" and GKE +GCP automatically creates a default service account, the "Compute Engine default service account" that GKE associates it with the nodes it creates. Depending on how your project is configured, the default service account comes pre-configured with project-wide permissions meaning that any given node will have access to every service every other node has. Updating the default service account's permissions or assigning more access scopes to compute instances is From 704bb46571804e6106e856f5f8df01907dca3b4e Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Fri, 5 Apr 2019 00:14:33 +0200 Subject: [PATCH 22/24] Update examples/gke-regional-public-cluster/README.md Co-Authored-By: robmorgan --- examples/gke-regional-public-cluster/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/gke-regional-public-cluster/README.md b/examples/gke-regional-public-cluster/README.md index 0012fd5..939f657 100644 --- a/examples/gke-regional-public-cluster/README.md +++ b/examples/gke-regional-public-cluster/README.md 
@@ -34,7 +34,7 @@ your own service accounts. Ideally you must create a new service account for eac
 Cloud Platform APIs.
 
 GCP automatically creates a default service account, the "Compute Engine default service account" that GKE
-associates it with the nodes it creates. Depending on how your project is configured, the default service account comes
+associates it with the nodes it creates by default. Depending on how your project is configured, the default service account comes
 pre-configured with project-wide permissions meaning that any given node will have access to every service every other node
 has. Updating the default service account's permissions or assigning more access scopes to compute instances is
 not the recommended way to authenticate to other Cloud Platform services from Pods running on GKE. In general, we
From 48df1ac5355e5eaa4dfc893c3ca3f07d323ce6d7 Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Fri, 5 Apr 2019 00:14:44 +0200
Subject: [PATCH 23/24] Update modules/gke-service-account/README.md
Co-Authored-By: robmorgan
---
 modules/gke-service-account/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/gke-service-account/README.md b/modules/gke-service-account/README.md
index 1ef3624..6b6fd78 100644
--- a/modules/gke-service-account/README.md
+++ b/modules/gke-service-account/README.md
@@ -1,5 +1,5 @@
 # GKE Service Account Module
 
-The GKE Service Account module is used to create a custom service account for use with a GKE cluster. It is based on
+The GKE Service Account module is used to create a GCP service account for use with a GKE cluster. It is based on
 the best practices referenced in this article: https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform.
 
From f7ea2a1525ee60d0765b9d05320f261358b07847 Mon Sep 17 00:00:00 2001
From: Rob Morgan
Date: Fri, 5 Apr 2019 11:20:57 +0200
Subject: [PATCH 24/24] remove pinning to 1.12.5-gke.5
---
 examples/gke-basic-tiller/main.tf | 3 ---
 examples/gke-public-cluster/main.tf | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/examples/gke-basic-tiller/main.tf b/examples/gke-basic-tiller/main.tf
index 78427a5..06e19a0 100644
--- a/examples/gke-basic-tiller/main.tf
+++ b/examples/gke-basic-tiller/main.tf
@@ -66,9 +66,6 @@ module "gke_cluster" {
 
   name = "${var.cluster_name}"
 
-  // TODO(rileykarson): Update this when a new version comes out
-  kubernetes_version = "1.12.5-gke.5"
-
   project  = "${var.project}"
   location = "${var.location}"
   network  = "${google_compute_network.main.name}"
diff --git a/examples/gke-public-cluster/main.tf b/examples/gke-public-cluster/main.tf
index d8081bf..7cce150 100644
--- a/examples/gke-public-cluster/main.tf
+++ b/examples/gke-public-cluster/main.tf
@@ -30,9 +30,6 @@ module "gke_cluster" {
 
   name = "${var.cluster_name}"
 
-  // TODO(rileykarson): Update this when a new version comes out
-  kubernetes_version = "1.12.5-gke.5"
-
   project  = "${var.project}"
   location = "${var.location}"
   network  = "${google_compute_network.main.name}"
