k8s-staging-kubernetes GCB service account needs access to Google staging/prod GCS and GCR #1176
Comments
/assign @justaugustus @listx
From Slack DM w/ @thockin, @justaugustus, @listx, @tpepper: "A domain restriction organization policy is in place. Only members of allowed domains can be added as members of the policy" This is why we need to move to community hands. The existing permission predates the policy enforcement. We can leave the GCB in the existing project and let that push to new staging GCR and old GCS (since that grant exists) and use that as fuel to justify the GCS promotion process or at least an equivalent backfill-and-VDF process to new-prod GCS
Closed as WONTFIX, based on the domain restriction policy.
/close
@justaugustus: Closing this issue. In response to this:
Grant the 'kubernetes-release-test' Cloud Build account write access to the container artifacts GCS location for 'k8s-staging-kubernetes' ('gs://artifacts.k8s-staging-kubernetes.appspot.com'). This currently is a requirement as a domain restriction organization policy is in place on the Google Infra projects, which prevents us from completely moving staging to K8s Infra until dl.k8s.io is moved as well.
ref: kubernetes/release#1176
Signed-off-by: Stephen Augustus <[email protected]>
What would you like to be added:
The k8s-staging-kubernetes GCB service account ([email protected]) needs access to write to GCS buckets in Google-infra staging and production projects.
kubernetes-release-test project) Storage Admin for staging google-containers project)
Why is this needed:
We're moving GCB jobs to run in the new staging projects as an intermediary step before the k8s.gcr.io vanity domain flip (#270), so the k8s-staging-kubernetes GCB service account will need the same permissions to write to GCS and GCR as the kubernetes-release-test GCB account does.