Skip to content

fix(gcp): Use IAMPolicyMember for workload identity bindings#1347

Merged
k8s-ci-robot merged 2 commits into
kubeflow:masterfrom
Bobgy:fix_gcp_wi_bindings
Jul 6, 2020
Merged

fix(gcp): Use IAMPolicyMember for workload identity bindings#1347
k8s-ci-robot merged 2 commits into
kubeflow:masterfrom
Bobgy:fix_gcp_wi_bindings

Conversation

@Bobgy

@Bobgy Bobgy commented Jul 6, 2020
edited
Loading

Copy link
Copy Markdown
Contributor

Which issue is resolved by this Pull Request:
Solves GoogleCloudPlatform/kubeflow-distribution#61 (comment)

Description of your changes:
IAMPolicy always overwrites the entire policy for that resource, so it's not possible other services also try to add policies to this resource.
Use IAMPolicyMember for workload identity bindings instead, so that profile controller can work with existing KCC controller on IAMPolicy management.

ref: https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampolicy

Checklist:

  • Unit tests have been rebuilt:
    1. cd manifests/tests
    2. make generate-changed-only
    3. make test

@kubeflow-bot

kubeflow-bot commented Jul 6, 2020

Copy link
Copy Markdown
Contributor

This change is Reviewable

@Bobgy

Bobgy commented Jul 6, 2020

Copy link
Copy Markdown
Contributor Author

/assign @jlewi

@jlewi

jlewi commented Jul 6, 2020

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@k8s-ci-robot

k8s-ci-robot commented Jul 6, 2020

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jlewi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit bad1ffe into kubeflow:master Jul 6, 2020
@Bobgy Bobgy deleted the fix_gcp_wi_bindings branch July 6, 2020 10:11
Bobgy added a commit to Bobgy/manifests that referenced this pull request Jul 6, 2020
@Bobgy
fix(gcp): Use IAMPolicyMember for workload identity bindings (kubeflo…
9fcea1f 
…w#1347)

* fix profile controller iam binding

* rename
@Bobgy Bobgy mentioned this pull request Jul 6, 2020
Merged
k8s-ci-robot pushed a commit that referenced this pull request Jul 6, 2020
@Bobgy
Cherry pick "fix(gcp): Use IAMPolicyMember for workload identity bind…
6ab1e5a 
…ings #1347" (#1349)

* fix profile controller iam binding

* rename
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jlewi jlewi Awaiting requested review from jlewi

@krishnadurai krishnadurai Awaiting requested review from krishnadurai

Assignees

@jlewi jlewi

Labels

approved cla: yes lgtm size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Bobgy @kubeflow-bot @jlewi @k8s-ci-robot @googlebot