Closed cameel closed 5 years ago
The second step must be modify after researched. Roles can not be grant to google cloud clusters. We decide to create three service accounts that will be attach to dev, staging and testnet, mainnet environments. Then, we will add privileges to this service accounts for our "concent-deployer" and "concent-cloud-admin" service accounts.
The solution with service accounts also not works. Problem was solved by granting roles on kubernetes level by using Kubernetes RBAC
.
@bartoszbetka Could your summarize which steps you actually performed? Was it all done exactly as in the description (except for the stuff you mentioned in the comments above) or did you have to do anything differently?
As for Kubernetes - RBAC is fine but I want to have the configuration documented in README. Either put the role configuration here or put it in a file in cloud/
and just mention it in README.
Steps that already done: 1, 2 a) b), 3 a) b) , 4
, where for example a)
is interpret as first dash.
So what about the remaining stuff?
All step already done. Like we decided without:
Remove Editor role from the service accounts listed above.
Golem's people who are not Owners in the organization account on Google Cloud
This task depends on #368. In that issue we have determined which roles we need for our service accounts. Now we need to Configure our Google Cloud project accordingly.
Contact someone who has an
Owner
role in the project and ask him to make the following modifications:concent-deployment-server
.concent-builder
: Concent Deployer privileges.concent-deployment-server
: Concent Cloud Admin privileges.Editor
role from the service accounts listed above.Editor
privileges that look like they were created automatically. Check what is using them and see if lower privileges would be OK. But don't spend too much time on it. It's fine to leave them as is for the time being if they're on machines managed by Google.Viewer
privileges. They only need to view logs and deployment is always performed fromconcent-builder
using its service account.roles/compute.osLogin
role forconcent-builder
machine (see Managing Instance Access Using OS Login; this is necessary for #370).Editor
privileges. They need to be able to do anything our service accounts can. Anything beyond that does not really affect Concent so there's no point in limiting it.roles/compute.osAdminLogin
role forconcent-builder
,concent-deployment-server
and the Geth machines.Owner
s in the organization account on Google Cloud:Viewer
. But it's fine to keep them atOwner
since they own the project anyway and are 100% trusted. The point of lower privileges would be to limit potential damage in case of a credential leak.