Open bertinatto opened 5 months ago
CC @msau42 @mattcary
I'm not sure. It may not be necessary. If we run through the e2e without it, it's probably ok --- one would have to set up an external (non-gke) deployment and a service account without the role and see if it works.
On Mon, May 6, 2024 at 12:33 PM Fabio Bertinatto @.***> wrote:
CC @msau42 https://github.com/msau42 @mattcary https://github.com/mattcary
— Reply to this email directly, view it on GitHub https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700#issuecomment-2096762647, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIJCBADCEB6VOLZPPSGLQJDZA7LKLAVCNFSM6AAAAABHJSYEBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJWG43DENRUG4 . You are receiving this because you were mentioned.Message ID: <kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700/ 2096762647 @.***>
I'm not sure. It may not be necessary. If we run through the e2e without it, it's probably ok --- one would have to set up an external (non-gke) deployment and a service account without the role and see if it works. … On Mon, May 6, 2024 at 12:33 PM Fabio Bertinatto @.> wrote: CC @msau42 https://github.com/msau42 @mattcary https://github.com/mattcary — Reply to this email directly, view it on GitHub <#1700 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIJCBADCEB6VOLZPPSGLQJDZA7LKLAVCNFSM6AAAAABHJSYEBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJWG43DENRUG4 . You are receiving this because you were mentioned.Message ID: <kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700/ 2096762647 @.>
Thanks, @mattcary.
I tried that in our CI, but without the iam.serviceAccountUser role the driver was unable to attach volumes:
E0507 13:03:06.933158 1 utils.go:402] Failed to Attach: failed when waiting for zonal op: rpc error: code = Internal desc = operation operation-1715086983149-617dcce63b8a7-4c592a11-e0d4bf73 failed (SERVICE_ACCOUNT_ACCESS_DENIED): The user does not have access to service account 'ci-op-2vymnqnc-b8c57-bhqzt-w@openshift-gce-devel-ci.iam.gserviceaccount.com'. User: 'ci-op-2vymnq-openshift-g-b9qcf@openshift-gce-devel-ci.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
I0507 13:03:06.934176 1 controller.go:540] For node projects/openshift-gce-devel-ci/zones/us-central1-c/instances/ci-op-2vymnqnc-b8c57-bhqzt-worker-c-ksqj9 adding backoff due to error for volume projects/openshift-gce-devel-ci/zones/us-central1-c/disks/pvc-d4e1847b-6eeb-4771-aa73-d6d1c2961c56: rpc error: code = Internal desc = Failed to Attach: failed when waiting for zonal op: rpc error: code = Internal desc = operation operation-1715086983149-617dcce63b8a7-4c592a11-e0d4bf73 failed (SERVICE_ACCOUNT_ACCESS_DENIED): The user does not have access to service account 'ci-op-2vymnqnc-b8c57-bhqzt-w@openshift-gce-devel-ci.iam.gserviceaccount.com'. User: 'ci-op-2vymnq-openshift-g-b9qcf@openshift-gce-devel-ci.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
Is there a more granular permission we could use instead? Is there a safe way for the driver to comply with Google's Security Health Analytics recommendation?
I guess the service account get associated with the disk or instance when an attach happens.
Digging more deeply into the docs link, it appears the analytics error isn't due to the role in general, but for it being scoped too high.
Maybe instead of adding it as a project scoped role, it needs to be added to the service account (gcloud iam service-accounts add-iam-policy-binding "${IAM_NAME}" --member serviceAccount:"${IAM_NAME}" --role roles/iam.serviceAccountuser
).
Can you try that out and see if it works?
gcloud iam service-accounts add-iam-policy-binding "${IAM_NAME}" --member serviceAccount:"${IAM_NAME}" --role roles/iam.serviceAccountuser
Unfortunately, I got this:
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) PERMISSION_DENIED: Permission 'iam.serviceAccounts.setIamPolicy' denied on resource (or it may not exist).
- '@type': type.googleapis.com/google.rpc.ErrorInfo
domain: iam.googleapis.com
metadata:
permission: iam.serviceAccounts.setIamPolicy
reason: IAM_PERMISSION_DENIED
Hmm, I don't know if that's a problem with your project permissions or because you can't put that role on a service account. If you try to do it through the UI (console.cloud.google.com) what happens?
Hmm, I don't know if that's a problem with your project permissions or because you can't put that role on a service account. If you try to do it through the UI (console.cloud.google.com) what happens?
I'm not sure if this is the right place, but I went to:
IAM & Admin > Service Accounts > View By Roles > Grant Access
And I see this message in a tooltip:
Required permission(s):
my-sa
iam.serviceAccounts.setIamPolicy
Ah, this must be an issue with project setup. Can you talk with whoever is the admin for your org or project to see if your project can be given roles/iam.serviceAccountAdmin?
@mattcary I just checked and I'm a member of the roles/iam.serviceAccountAdmin
role in my project.
Could you please try with your account to see if you encounter the same issue?
I'm not familiar with GCP IAM roles, but I don't think I'm not lacking any permissions.
Currently, GCP PD CSI driver requires a Service Account that has the
iam.serviceAccountUser
role:https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/blob/eead51bd9029e92e6b6789813ff345f12a04c1a7/docs/kubernetes/user-guides/driver-install.md?plain=1#L21
However, that goes agains Google's Security Health Analytics recommendation:
https://cloud.google.com/security-command-center/docs/how-to-remediate-security-health-analytics-findings#over_privileged_service_account_user
Is it possible to remove this role from the driver's requirements? What would it take to do that?
I looked around this repository but couldn't find the reason this role is required, only this comment that references it: https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/pull/134#issuecomment-431612007