Open thekoma opened 1 year ago
@bskaplan @qwerjkl112
Service authorization is controlled by IAM which isn't part of the k8s-like Service API. The best option is probably copying Config Connector's format for IAM policies, which we'll have to look into the feasibility of replicating inside Skaffold.
Wouldn't an option in the deploy section suffice? Like

```yaml
deploy:
  cloudrun:
    projectid: my-gcp-project
    region: us-central1
    policy:
      - anonymous
```

Or

```yaml
    policy:
      - group:authenticated.group@domain.contoso
      - user:user01@domain.contoso
```

It needs to be defined in the skaffold.yaml, not in the Knative manifest, imho.
@bskaplan did you have any answer for @thekoma's follow up question?
It's possible to do, I'm just not sure if it's something we want in the Skaffold config. We support multiple Cloud Run Services in a single Skaffold deploy, so we'd want to be able to specify the service name in the policy. That means it would end up looking more like this:

```yaml
deploy:
  cloudrun:
    projectid: my-gcp-project
    region: us-central1
    policy:
      - serviceName: my-service
        members:
          - allUsers
      - serviceName: my-internal-service
        members:
          - serviceAccount:my-service-identity@my-gcp-project.iam.gserviceaccount.com
```

I'll defer to the core team about whether this is something appropriate for the Skaffold config or not.
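To make the proposal above concrete, here is an added example (written for this page, not Skaffold project code) that takes the per-service `policy` list in the shape sketched in the comment above and turns it into the IAM policy that Cloud Run actually enforces: one `roles/run.invoker` binding per service, in the JSON shape `gcloud run services set-iam-policy` accepts, plus the equivalent `add-iam-policy-binding` commands. It also validates member syntax and flags any service that would be opened to `allUsers`, which is the check a reviewer would want before a deploy tool silently makes a service public. The `SAMPLE_CLOUDRUN` dict is constructed from the example in the thread; the function names and the `_MEMBER_RE` subset of IAM member forms are assumptions of this example, not Skaffold or Google APIs.

```python
"""Translate a proposed skaffold.yaml `deploy.cloudrun.policy` block into
Cloud Run IAM invoker policies and flag anonymous (allUsers) access.

Added example for this thread; not part of Skaffold. Function names,
the sample data and the member-syntax subset below are assumptions.
"""
import json
import re

INVOKER_ROLE = "roles/run.invoker"

# Subset of IAM member forms accepted in a run.invoker binding (assumption:
# this example does not cover principal:// or deleted: forms).
_MEMBER_RE = re.compile(
    r"^(allUsers|allAuthenticatedUsers|"
    r"(user|group|serviceAccount|domain):[^\s:]+)$"
)

# Constructed sample mirroring the format proposed in the comment above.
SAMPLE_CLOUDRUN = {
    "projectid": "my-gcp-project",
    "region": "us-central1",
    "policy": [
        {"serviceName": "my-service", "members": ["allUsers"]},
        {
            "serviceName": "my-internal-service",
            "members": [
                "serviceAccount:my-service-identity@my-gcp-project.iam.gserviceaccount.com"
            ],
        },
    ],
}


def validate_member(member: str) -> bool:
    """True if `member` is a well-formed IAM member string (see _MEMBER_RE)."""
    return bool(_MEMBER_RE.match(member))


def to_invoker_policies(cloudrun: dict) -> dict:
    """Return {serviceName: IAM policy}.

    Each policy is the JSON document shape that
    `gcloud run services set-iam-policy SERVICE policy.json` consumes:
    a `bindings` list with a single roles/run.invoker binding.
    A service with no members gets an empty bindings list, i.e. the
    Cloud Run default where only project principals with the role can call it.
    """
    policies = {}
    for entry in cloudrun.get("policy", []):
        name = entry["serviceName"]
        members = list(entry.get("members", []))
        if name in policies:
            raise ValueError(f"duplicate policy entry for service {name}")
        bad = [m for m in members if not validate_member(m)]
        if bad:
            raise ValueError(f"{name}: invalid IAM member(s): {bad}")
        bindings = (
            [{"role": INVOKER_ROLE, "members": sorted(members)}] if members else []
        )
        policies[name] = {"bindings": bindings}
    return policies


def public_services(cloudrun: dict) -> list:
    """Names of services whose invoker binding includes allUsers.

    This is the anonymous-access case; a deploy tool should surface it
    rather than apply it silently.
    """
    return sorted(
        e["serviceName"]
        for e in cloudrun.get("policy", [])
        if "allUsers" in e.get("members", [])
    )


def gcloud_commands(cloudrun: dict) -> list:
    """Equivalent imperative gcloud calls, one per (service, member)."""
    cmds = []
    for entry in cloudrun.get("policy", []):
        for member in entry.get("members", []):
            cmds.append(
                "gcloud run services add-iam-policy-binding "
                f"{entry['serviceName']} --member={member} --role={INVOKER_ROLE} "
                f"--region={cloudrun['region']} --project={cloudrun['projectid']}"
            )
    return cmds


if __name__ == "__main__":
    print(json.dumps(to_invoker_policies(SAMPLE_CLOUDRUN), indent=2))
    for svc in public_services(SAMPLE_CLOUDRUN):
        print(f"WARNING: {svc} allows unauthenticated invocation (allUsers)")
    print("\n".join(gcloud_commands(SAMPLE_CLOUDRUN)))
```

Note that the first sketch in this thread used a bare `anonymous` entry; that is not valid IAM member syntax, so `validate_member` rejects it, which is why the later proposal spells out `allUsers` instead.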
Imho makes a lot of sense.
Expected behavior
Should be possible to specify the service policy and define at least the authentication methods (ID required or anonymous)
Actual behavior
The service is created as default with no configuration (AKA auth on)