orange-ability-1812
02/26/2024, 7:35 PM
serviceAccount:my-project.svc.id.goog[my-k8s-namespace/k8s-sa-name]
and the KSA will automatically have the same permissions as the bound SA in GCP.
My question is if anyone has experience with getting this to work within garden?
The immediate problem is the namespace which is fixed (AFAIK) in the role binding.
There are things like Common Expression Language (CEL) and some additional matching roles that might help, but I try not to lean on those too much as it's pretty complex.
In lieu of using some cloud feature, I was wondering if there might be a way to have something similar to the copySecret option in the Kubernetes provider for service accounts in Garden.

freezing-pharmacist-34446
02/27/2024, 3:23 PM
$namespace/$serviceAccount. So copying the Kubernetes service account to another namespace wouldn't help. To dynamically adjust the GCP IAM policy binding, you could potentially do something like a garden initScript that updates it every time there is a new namespace. However, that would mean that each developer needs the permissions in GCP to update this policy binding.

orange-ability-1812
02/27/2024, 9:08 PM

orange-ability-1812
02/27/2024, 9:09 PM

orange-ability-1812
02/28/2024, 4:01 PM

freezing-pharmacist-34446
02/28/2024, 4:49 PM

orange-ability-1812
02/28/2024, 5:11 PM