Open paultiplady opened 7 years ago
I'm not entirely sure about the details of this, this is why I add @linki who'll be able to answer clearly. Also, we actually used this with GKE (Container Engine) and not with a custom installation on GCE. We're definitely looking forward to making it usable in all the Google Cloud environments.
Thanks! I'm running in GKE too -- as far as I'm aware the GKE default service account is the GCE node's service account, which defaults to the GCP project's default service account. I could be mistaken on that though.
@paultiplady You're right, by default mate assumes the service account permissions of the nodes, which is based on the default service account by default, afaik. However, you can mount a secret containing the service account credentials JSON and it will use the corresponding service account.
I documented the different options for GCP and AWS over at https://github.com/zalando-incubator/mate/pull/43.
Small disclaimer: mounting the credentials file is currently untested with mate, but it works fine on some of our other projects.
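An added example of the secret-mounting approach described above, not code from the mate project or from this thread. The secret name, mount path, image placeholder and the `GOOGLE_APPLICATION_CREDENTIALS` variable are assumptions; check the docs in PR #43 for what mate actually reads.

```yaml
# Added example, not from the mate project: a dedicated GCP service account
# key delivered to the mate pod through a Kubernetes Secret, so mate acts as
# that account instead of inheriting the node's default one.
# Create the secret from a downloaded key file (file name is an assumption):
#   kubectl create secret generic mate-gcp-credentials \
#     --from-file=service-account.json=./mate-dns-key.json
# Grant that dedicated account only what it needs (for example roles/dns.admin
# on the project) rather than widening the project-wide default account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mate
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mate
  template:
    metadata:
      labels:
        app: mate
    spec:
      containers:
        - name: mate
          image: <MATE_IMAGE>   # placeholder; take the image from the project README
          env:
            # Assumption: mate, via the Google client libraries, honours
            # GOOGLE_APPLICATION_CREDENTIALS; verify against PR #43.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /etc/mate/gcp/service-account.json
          volumeMounts:
            - name: gcp-credentials
              mountPath: /etc/mate/gcp
              readOnly: true
      volumes:
        - name: gcp-credentials
          secret:
            secretName: mate-gcp-credentials
            # Tighter than the 0644 default: the key is readable only by the
            # file owner and group inside the container.
            defaultMode: 0440
```

Rotating the key then means replacing the Secret and restarting the pod, with no change to the node or project-wide service account.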
:+1: thanks for the info, this will work well for my usecase then.
I'm getting the following error while running mate v0.3.0 in GCE:
I'm sure this is because the Service Account being used doesn't have permissions on Google Cloud DNS.
How is mate assuming that the Service accounts have been configured? Does the default node service account have to have the DNS permissions added? A few words in the docs on configuring this would be helpful.
I'm hoping there's a better way than just adding the permissions to the project-wide service account, which isn't viable in a production cluster (but would still be viable in a test/build cluster). Other similar projects (e.g. https://github.com/PalmStoneGames/kube-cert-manager/) read a service account JSON blob from a mounted volume, which seems to be a good general approach.