kubernetes / k8s.io

Code and configuration to manage Kubernetes project infrastructure, including various *.k8s.io sites
https://git.k8s.io/community/sig-k8s-infra
Apache License 2.0

GCP: ensure prow-build can administer KMS keys #6924

Open pwschuurman opened 2 days ago

pwschuurman commented 2 days ago

Ensure the prow-build SA use KMS keys. PDCSI e2e tests use the prow-build SA by default to authenticate against the cloudkms API.

See https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_gcp-compute-persistent-disk-csi-driver/1762/pull-gcp-compute-persistent-disk-csi-driver-e2e/1806716408805986304

This is analogous to the existing cluster IAM model, where pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com had roles/cloudkms.admin permission.
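An added example, not part of this PR or the k8s.io repository: one way to review who holds `roles/cloudkms.admin` after a change like this, by comparing a project IAM policy export against a reviewed allowlist. The policy is constructed, and the prow-build address, project id and the `kms_grants`/`admin_drift` helpers are assumptions made for illustration.

```python
import json

ADMIN_ROLE = "roles/cloudkms.admin"

# Constructed policy in the JSON shape of `gcloud projects get-iam-policy --format=json`.
# pr-kubekins@... is the account quoted in the PR; the prow-build address and
# project id are placeholders, not values from the PR.
PROW_BUILD = "serviceAccount:prow-build@PLACEHOLDER-PROJECT.iam.gserviceaccount.com"
PR_KUBEKINS = "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": ADMIN_ROLE, "members": [PR_KUBEKINS, PROW_BUILD]},
        {"role": ADMIN_ROLE, "members": ["user:constructed@example.com"],
         "condition": {"title": "constructed",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [PROW_BUILD]},
        {"role": "roles/storage.objectViewer", "members": [PROW_BUILD]},
    ],
})


def kms_grants(policy):
    """Return sorted (member, role, is_conditional) tuples for Cloud KMS role bindings."""
    grants = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role.startswith("roles/cloudkms."):
            for member in binding.get("members", []):
                grants.append((member, role, "condition" in binding))
    return sorted(grants)


def admin_drift(policy, reviewed_admins):
    """Compare unconditional roles/cloudkms.admin holders with a reviewed allowlist.

    Returns (missing, unexpected): allowlisted members without the role, and
    members holding the role that nobody reviewed.
    """
    reviewed = set(reviewed_admins)
    actual = {m for m, role, cond in kms_grants(policy) if role == ADMIN_ROLE and not cond}
    return sorted(reviewed - actual), sorted(actual - reviewed)


if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY)
    for grant in kms_grants(policy):
        print(grant)
    print(admin_drift(policy, [PROW_BUILD]))
```

This reads project-level bindings only; IAM policies set directly on key rings or keys need their own export.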

pwschuurman commented 2 days ago

/assign @BenTheElder

k8s-ci-robot commented 2 days ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pwschuurman

Once this PR has been reviewed and has the lgtm label, please ask for approval from bentheelder. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[infra/gcp/bash/prow/OWNERS](https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/bash/prow/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment