
Automation service accounts for `k8s-artifacts-` buckets

Open saschagrunert opened this issue 2 years ago • 17 comments

SIG Release (aka @kubernetes/release-managers) maintains various buckets in the k8s-artifacts-prod project:

It would be good to have a dedicated service account to automatically publish binaries for each tag and repository, to avoid manual invocations of `kpromo gh`.

The tokens could be stored in our 1Password vault.

saschagrunert avatar Oct 11 '23 08:10 saschagrunert

+1 as a Release Manager

xmudrii avatar Oct 11 '23 09:10 xmudrii

+1 as a Release Manager

cpanato avatar Oct 11 '23 09:10 cpanato

We could also reuse existing service accounts and grant them permissions to push to those buckets.

ameukam avatar Oct 12 '23 04:10 ameukam

> We could also reuse existing service accounts and grant them permissions to push to those buckets.

Would it be better security wise to have a dedicated service account per bucket?

saschagrunert avatar Oct 12 '23 06:10 saschagrunert

> We could also reuse existing service accounts and grant them permissions to push to those buckets.
>
> Would it be better security wise to have a dedicated service account per bucket?

It depends on the entities that use these service accounts. As long as we are inside the GCP perimeter, IMHO, reusing existing service accounts is fine. However, it's recommended to use short-lived tokens rather than JSON creds.

ameukam avatar Oct 12 '23 07:10 ameukam

> However, it's recommended to use short-lived tokens rather than JSON creds.

How would that work, for example when using GitHub actions?

saschagrunert avatar Oct 12 '23 08:10 saschagrunert

The only service account I can see is [email protected] which has write access to the buckets. Should we use this one?

saschagrunert avatar Oct 12 '23 10:10 saschagrunert

I prefer that we create a new service account, especially because this SA might be used outside Prow (e.g. with GitHub Actions)

xmudrii avatar Oct 12 '23 13:10 xmudrii

> However, it's recommended to use short-lived tokens rather than JSON creds.
>
> How would that work, for example when using GitHub actions?

I remember @upodroid mentioned this article: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions, which in summary means GitHub Actions will assume an existing SA.

We can start with a new and single SA to cover all the buckets handled by RelEng.

ameukam avatar Oct 13 '23 03:10 ameukam
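The keyless flow referred to above (the answer to "how would short-lived tokens work from GitHub Actions?"), as an added example that is not part of this issue or of the k8s.io repository: the job requests an OIDC token from GitHub, `google-github-actions/auth` exchanges it through a Workload Identity Federation provider for a short-lived access token for the publishing service account, and the upload step uses that token. No JSON key is stored in GitHub secrets. The project number, pool, provider, service account and bucket names are placeholders (assumptions), and the `make build` step is assumed to produce `dist/`. The commented-out step shows the long-lived JSON-key pattern this replaces.

```yaml
name: publish-binaries
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write   # lets the job mint a GitHub OIDC token for the exchange

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: make build   # assumed: writes the release binaries to ./dist/

      # Keyless: GitHub's OIDC token is exchanged for a short-lived access
      # token for the service account. Identifiers below are placeholders.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider
          service_account: publisher@example-project.iam.gserviceaccount.com
          token_format: access_token

      # Long-lived alternative this replaces (a downloaded SA key kept as a
      # repository secret); kept only to show what NOT to do:
      # - uses: google-github-actions/auth@v2
      #   with:
      #     credentials_json: ${{ secrets.GCP_SA_KEY }}

      - uses: google-github-actions/upload-cloud-storage@v2
        with:
          path: dist
          destination: k8s-artifacts-example/${{ github.ref_name }}   # placeholder bucket
```

The trust is only as narrow as the provider makes it: on the GCP side the Workload Identity Pool provider should carry an attribute condition pinning it to the publishing repository (of the form `assertion.repository == "<org>/<repo>"`), and the `roles/iam.workloadIdentityUser` binding on the service account should be granted to the matching `principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/attribute.repository/<org>/<repo>` rather than to the whole pool. The access token minted this way expires on its own, which is the "short-lived tokens" property the thread asks for; a leaked JSON key does not.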

From the convo on Slack, we can start with one single GCP Service Account to handle artifacts publication.

@xmudrii @saschagrunert Feel free to open a PR against the repo and I'll actuate it.

ameukam avatar Oct 18 '23 08:10 ameukam

Ref https://github.com/kubernetes/k8s.io/pull/5997

saschagrunert avatar Oct 19 '23 08:10 saschagrunert

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 30 '24 16:01 k8s-triage-robot

/remove-lifecycle stale

vaibhav2107 avatar Feb 23 '24 10:02 vaibhav2107


/lifecycle stale

k8s-triage-robot avatar May 23 '24 10:05 k8s-triage-robot

/remove-lifecycle stale

vaibhav2107 avatar Jun 08 '24 19:06 vaibhav2107


/lifecycle stale

k8s-triage-robot avatar Sep 06 '24 19:09 k8s-triage-robot