solutions/gke/configconnector/gke-cluster-autopilot/service-account.yaml

# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ###### # AC-1 - Implementation of access control # AC-3(7), AC-3 - GCP Service Account # CIS GKE Benchmark Recommendation: 6.2.1. Prefer not running GKE clusters using the Compute Engine default service account # https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: name: cluster-name-sa # kpt-set: ${cluster-name}-sa namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} spec: displayName: cluster-name-sa # kpt-set: ${cluster-name}-sa --- # AC-3(7), AC-3 - Grant GCP role Logging Log Writer to GCP SA on Service Project apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: cluster-name-sa-logwriter-permissions # kpt-set: ${cluster-name}-sa-logwriter-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/logging.logWriter member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com --- # AC-3(7), AC-3 - Grant GCP role Monitoring Metric Writer to GCP SA on Service Project apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: cluster-name-sa-metricwriter-permissions # kpt-set: ${cluster-name}-sa-metricwriter-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/monitoring.metricWriter member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com --- # AC-3(7), AC-3 - Grant GCP role Monitoring Viewer to GCP SA on Service Project apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: cluster-name-sa-monitoring-viewer-permissions # kpt-set: ${cluster-name}-sa-monitoring-viewer-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/monitoring.viewer member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com --- # AC-3(7), AC-3 - Grant GCP Storage Object Viewer to GCP SA on Service Project for Artifact Registry access apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: cluster-name-sa-storage-object-viewer-permissions # kpt-set: ${cluster-name}-sa-storage-object-viewer-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/storage.objectViewer member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com --- # AC-3(7), AC-3 - Grant stackdriver.resourceMetadata.writer to GCP SA on Service Project for Logging access apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: cluster-name-sa-stackdriver-metadata-writer-permissions # kpt-set: ${cluster-name}-a-stackdriver-metadata-writer-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/stackdriver.resourceMetadata.writer member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com --- # AC-3(7), AC-3 - Grant artifactregistry.reader to GCP SA on Service Project for Artifact Registry access apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: cluster-name-sa-artifactregistry-reader-permissions # kpt-set: ${cluster-name}-sa-artifactregistry-reader-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/artifactregistry.reader member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com --- # AC-3(7), AC-3 - Grant secretmanager.secretAccessor to GCP SA on Service Project for Secret access apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: cluster-name-sa-secretmanager-secretaccessor-permissions # kpt-set: ${cluster-name}-sa-secretmanager-secretaccessor-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/secretmanager.secretAccessor member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com --- # TODO: activate once the service account can be used by the control plane # AC-3(7), AC-3 - Grant cloudkms.cryptoKeyEncrypterDecrypter to GCP SA on Service Project for Cloud KMS access # apiVersion: iam.cnrm.cloud.google.com/v1beta1 # kind: IAMPolicyMember # metadata: # name: cluster-name-sa-cloudkms-encrypterdecrypter-permissions # kpt-set: ${cluster-name}-sa-cloudkms-encrypterdecrypter-permissions # namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 # annotations: # cnrm.cloud.google.com/ignore-clusterless: "true" # spec: # resourceRef: # apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 # kind: Project # name: project-id # kpt-set: ${project-id} # namespace: client-name-projects # kpt-set: ${client-name}-projects # role: roles/cloudkms.cryptoKeyEncrypterDecrypter # member: "serviceAccount:cluster-name-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${cluster-name}-sa@${project-id}.iam.gserviceaccount.com # --- # AC-3(7), AC-3 - Grant IAM service account user to Tier3 SA on cluster-name SA apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: project-id-tier3-sa-serviceaccount-user-cluster-name-sa-permissions # kpt-set: ${project-id}-tier3-sa-serviceaccount-user-${cluster-name}-sa-permissions namespace: project-id-tier3 # kpt-set: ${project-id}-tier3 annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount name: cluster-name-sa # kpt-set: ${cluster-name}-sa role: roles/iam.serviceAccountUser member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com

solutions/gke/configconnector/gke-cluster-autopilot/service-account.yaml (136 lines of code) (raw):