Open thokra-nav opened 1 year ago
~Won't that break as GKE Workload Identity only works with one project (the cluster project in our case)?~ edit: ok, so this is possible now
We should also move the team SA into team project.
This allows for removal of the `serviceaccounts` NS.
Another related improvement is to let replicator create the configconnectorcontext
instead of naisd. Naisd would only need to set an annotation for replicator to use during templating
I'm not convinced that this refactor is useful. However, I'm pretty certain that it will cause problems down the line.
Can anyone give a clear explanation of the problem we're trying to solve?
As stated in the original message:
This hides one key resource from the teams, and it doesn't work well with owner references. It might also more easily hit the Service Account quota in the cluster project.
We've had to increase the SA quota in cluster projects already. E.g. in nav-dev-gcp we have a quota of 3000, and are currently using 2265.
In a newer tenant project, it seems like there's no limit anymore, so we might be able to get unlimited in nav cluster projects as well to remove that as a reason to do this.
Currently, when an application uses a Google service, a Google service account is created in the `serviceaccounts` namespace. This hides one key resource from the teams, and it doesn't work well with owner references. It might also more easily hit the Service Account quota in the cluster project.
Tested today that cross project workload identity works as expected, it's just in Google Cloud Console that there's an error when referencing a workload identity provider URL and not an email.
So the suggestion is to migrate service accounts from the service accounts namespace and into each team project/namespace.
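For reference, this is what the proposed end state looks like as Config Connector resources, with the Google service account living in the team project and the Workload Identity binding pointing back at the cluster project's identity pool. This is an added example written for this thread, not code from the nais project or from anyone in the discussion; `team-project-id`, `cluster-project-id`, `my-team`, `my-app` and the `cnrm-controller-manager` service account email are placeholders. Because the `IAMServiceAccount` now lives in the team namespace, it can carry an `ownerReferences` entry pointing at the team's own object (Kubernetes does not allow owner references across namespaces, which is the "owner references" problem with the shared `serviceaccounts` namespace); the owner shown here is a hypothetical object and is commented out.

```yaml
# ConfigConnectorContext for the team namespace (namespaced-mode Config Connector).
# The name is fixed by Config Connector; the GSA below must have permissions in
# team-project-id. Which SA to use here is a deployment decision (placeholder).
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
  name: configconnectorcontext.core.cnrm.cloud.google.com
  namespace: my-team
spec:
  googleServiceAccount: cnrm-controller-manager@team-project-id.iam.gserviceaccount.com
---
# Google service account created in the TEAM project, in the TEAM namespace.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: my-app
  namespace: my-team
  annotations:
    cnrm.cloud.google.com/project-id: team-project-id
  # ownerReferences:          # possible once the GSA is in the team namespace
  # - apiVersion: example.io/v1   # hypothetical owner object, not a nais API
  #   kind: Application
  #   name: my-app
  #   uid: <uid-of-owner>
spec:
  displayName: my-app
---
# Cross-project Workload Identity: the member is the KSA in the CLUSTER project's
# identity pool, while the resource (GSA) is in the TEAM project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: my-app-workload-identity
  namespace: my-team
spec:
  member: serviceAccount:cluster-project-id.svc.id.goog[my-team/my-app]
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: my-app
---
# Kubernetes service account the pods run as; the annotation is what GKE
# Workload Identity uses to map the KSA to the GSA in the team project.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: my-team
  annotations:
    iam.gke.io/gcp-service-account: my-app@team-project-id.iam.gserviceaccount.com
```

Two things worth checking when rolling this out: the `roles/iam.workloadIdentityUser` binding is scoped to a single GSA rather than the project, so a team cannot impersonate another team's account through this path, and the `member` string must name the cluster project's pool (`cluster-project-id.svc.id.goog`), not the team project's, or token exchange silently fails at the metadata server even though the Console error mentioned above is just cosmetic.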