
Comments (9)

sonots avatar sonots commented on May 28, 2024

I've resolved it by myself. It is still a beta feature, but I could remove public access by referring to this.
https://cloud.google.com/functions/docs/securing/managing-access

 gcloud beta functions remove-iam-policy-binding FUNCTION_NAME \
    --member="allUsers" \
    --role="roles/cloudfunctions.invoker"

from berglas.

sonots avatar sonots commented on May 28, 2024

I could remove public access, but I could not figure out which permission I should allow from GKE master node.

I am not attaching (although I should attach) a service account to the GKE cluster, so the Google Compute Engine default service account should be attached to the GKE cluster, but

 gcloud beta functions add-iam-policy-binding FUNCTION_NAME \
    --member="google_compute_engine_default_service_account" \
    --role="roles/cloudfunctions.invoker"

did not work.


sethvargo avatar sethvargo commented on May 28, 2024

roles/cloudfunctions.invoker is the correct IAM permission, so I'm a little bit confused. Are you sure your GKE cluster is running with the default service account? The service account should be in the format:

12345678908-compute@developer.gserviceaccount.com

 gcloud beta functions add-iam-policy-binding FUNCTION_NAME \
    --member="12345678908-compute@developer.gserviceaccount.com" \
    --role="roles/cloudfunctions.invoker"

Where 12345678908 is the project number.


sonots avatar sonots commented on May 28, 2024

Yes, it is what I tried.


sethvargo avatar sethvargo commented on May 28, 2024

Hi @sonots

And you're sure your cluster is using the default compute service account and not a custom one? If so, I'm not entirely sure. I just tested this on a new cluster with the default service account and invoker permissions and it's working.


sonots avatar sonots commented on May 28, 2024

I am pretty sure I am using the default one.
Hmm, let me try again.


sonots avatar sonots commented on May 28, 2024

[struck through: It looked like berglas works well for deployments, but does not work well for daemonsets.] berglas does not work for either deployments or daemonsets when I changed IAM policy bindings.


+ gcloud beta functions remove-iam-policy-binding berglas-secrets-webhook --project xxxxxxxxxx --region asia-northeast1 --member=allUsers --role=roles/cloudfunctions.invoker
etag: BwWNxL23a8c=
version: 1
+ gcloud beta functions add-iam-policy-binding berglas-secrets-webhook --project xxxxxxxxxx --region asia-northeast1 --member=serviceAccount:[email protected] --role=roles/cloudfunctions.invoker
bindings:
- members:
  - serviceAccount:[email protected]
  role: roles/cloudfunctions.invoker
etag: BwWNxL3Pw9E=
version: 1
$ kubectl get pod
datadog-agent-x95jz          1/1     Running   2          119s    172.20.1.4    gke-image-search-dev-cluste-api-pool4-ef1eb5aa-rv9s   <none>           <none>
datadog-agent-x95jz          0/1     CrashLoopBackOff   5          4m33s   172.20.1.4    gke-image-search-dev-cluste-api-pool4-ef1eb5aa-rv9s   <none>           <none>

kubectl describe pod shows that the InitContainer copy-berglas-bin is not added.

$ kubectl describe pod datadog-agent-x95jz
[omit]
Controlled By:  DaemonSet/datadog-agent
Containers:
  datadog-agent:
    Container ID:  docker://fdbf2023cb10194b98fcea9fd856ba14604baa0de9ec481340145d020b76c580
    Image:         datadog/agent:latest
[omit]

It worked well before modifying permissions #37

$ kubectl describe pod datadog-agent-s9k6s
[omit]
Controlled By:  DaemonSet/datadog-agent
Init Containers:
  copy-berglas-bin:
    Container ID:  docker://a203b6a3e041df40e333de68ad8f3c578c00d2beadfd59ecc6229c48860648c6
    Image:         gcr.io/berglas/berglas:latest
    Image ID:      docker-pullable://gcr.io/berglas/berglas@sha256:07372fe0209b5f041eb1374c4f3e7db53fb294fbcf21cc032b9bc25ca50c5f8b
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
      -c
      cp /bin/berglas /berglas/bin/
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Mon, 15 Jul 2019 20:39:58 +0900
      Finished:     Mon, 15 Jul 2019 20:39:58 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /berglas/bin/ from berglas-bin (rw)
Containers:
  datadog-agent:
    Container ID:  docker://8aac780996413e862647f314d9d45bf19f070a9b04d0b06538ea0f5c748c32c3
    Image:         datadog/agent:latest
[omit]


sonots avatar sonots commented on May 28, 2024

If you know how to debug MutatingWebhookConfiguration, please let me know.

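Added example, not code from berglas or from anyone in this thread, covering two points raised above: the IAM member format sethvargo gives for the default compute service account, and what to check on the MutatingWebhookConfiguration when the init container stops being injected. Kubernetes sends admission webhook requests without a Google identity token, so once allUsers is removed from roles/cloudfunctions.invoker the function answers 403 to the API server, and with failurePolicy: Ignore that failure is silent and the pod is admitted unmodified. The project number 123456789012 and the webhook name are placeholders.

```python
import re

# Constructed example: audit a Cloud Function IAM policy (the JSON returned by
# `gcloud functions get-iam-policy FUNCTION --format=json`) and a
# MutatingWebhookConfiguration for the two problems discussed in this thread.

INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# IAM member strings carry a type prefix; a bare name such as
# "google_compute_engine_default_service_account" is not a valid member.
MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):\S+$")


def default_compute_member(project_number: str) -> str:
    """IAM member string of the Compute Engine default service account."""
    return f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"


def audit_invoker_bindings(policy: dict, expected_member: str) -> dict:
    """Report who may invoke the function: public principals, malformed
    members, and whether expected_member (e.g. the GKE node SA) is bound."""
    result = {"public": [], "malformed": [], "expected_bound": False}
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                result["public"].append(member)
            elif not MEMBER_RE.match(member):
                result["malformed"].append(member)
            if member == expected_member:
                result["expected_bound"] = True
    return result


def webhook_failure_modes(config: dict) -> dict:
    """Map each webhook name to its failurePolicy ('unset' if absent).
    With Ignore, an error from the function (such as 403 after locking the
    invoker role down) is swallowed and the pod starts without the berglas
    init container; with Fail, pod creation is rejected instead."""
    return {wh["name"]: wh.get("failurePolicy", "unset")
            for wh in config.get("webhooks", [])}


if __name__ == "__main__":
    # Constructed sample input; 123456789012 is a placeholder project number.
    policy = {"bindings": [{"role": INVOKER_ROLE, "members": [
        "allUsers", "google_compute_engine_default_service_account"]}]}
    print(audit_invoker_bindings(policy, default_compute_member("123456789012")))
    print(webhook_failure_modes({"webhooks": [
        {"name": "berglas.example.placeholder", "failurePolicy": "Ignore"}]}))
```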

stale avatar stale commented on May 28, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

