Skip to content

Project setup script authorizes GCE to use Cloud KMS keys on the dev project. #590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 25, 2020
Merged

Project setup script authorizes GCE to use Cloud KMS keys on the dev project. #590

merged 1 commit into from
Aug 25, 2020

Conversation

jeremyje
Copy link
Contributor

…project.

What type of PR is this?
/kind feature

What this PR does / why we need it:
The project setup script will now run gcloud projects add-iam-policy-binding "${PROJECT}" --member serviceAccount:"service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com" --role "roles/cloudkms.cryptoKeyEncrypterDecrypter".

This is important because it authorizes GCE to use Cloud KMS encryption keys. Without this grant usage to Cloud KMS will be blocked and tests will fail with,

Should create CMEK key, go through volume lifecycle, validate behavior on key revoke and restore [It]
  /usr/local/google/home/jeremyedwards/github/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/test/e2e/tests/single_zone_e2e_test.go:347

  CreateVolume failed with error: rpc error: code = Internal desc = CreateVolume failed to create single zonal disk "gcepd-csi-e2e-abfae45e-d0af-4cd7-a996-8b5e74089a2e": failed to insert zonal disk: unknown Insert disk error: googleapi: Error 400: Cloud KMS error when using key projects/REDACTED/locations/global/keyRings/gce-pd-csi-test-ring/cryptoKeys/test-key-99db27e5-88e7-47c5-a1f8-4b7e4cebce88: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/REDACTED/locations/global/keyRings/gce-pd-csi-test-ring/cryptoKeys/test-key-99db27e5-88e7-47c5-a1f8-4b7e4cebce88' (or it may not exist)., kmsPermissionDenied
  Expected
      <*status.statusError | 0xc0000bb040>: {
          Code: 13,
          Message: "CreateVolume failed to create single zonal disk \"gcepd-csi-e2e-abfae45e-d0af-4cd7-a996-8b5e74089a2e\": failed to insert zonal disk: unknown Insert disk error: googleapi: Error 400: Cloud KMS error when using key projects/REDACTED/locations/global/keyRings/gce-pd-csi-test-ring/cryptoKeys/test-key-99db27e5-88e7-47c5-a1f8-4b7e4cebce88: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/REDACTED/locations/global/keyRings/gce-pd-csi-test-ring/cryptoKeys/test-key-99db27e5-88e7-47c5-a1f8-4b7e4cebce88' (or it may not exist)., kmsPermissionDenied",
          Details: nil,
          XXX_NoUnkeyedLiteral: {},
          XXX_unrecognized: nil,
          XXX_sizecache: 0,
      }
  to be nil

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 24, 2020
@k8s-ci-robot
Copy link
Contributor

Hi @jeremyje. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Aug 24, 2020
@jeremyje jeremyje changed the title Project setup script authorizes GCE to use Cloud KMS keys on the dev … Project setup script authorizes GCE to use Cloud KMS keys on the dev project. Aug 24, 2020
@mattcary
Copy link
Contributor

/assign mattcary
/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 24, 2020
@mattcary
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 24, 2020
jingxu97
jingxu97 reviewed Aug 24, 2020
View reviewed changes
deploy/setup-project.sh
# Authorize GCE to encrypt/decrypt using Cloud KMS encryption keys.
# https://cloud.google.com/compute/docs/disks/customer-managed-encryption#before_you_begin
gcloud projects add-iam-policy-binding "${PROJECT}" --member serviceAccount:"service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com" --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this script is for user to set up their cluster, if they do not use cmek feature, this part is not needed.
Is it better to give an option? If user enable this option, then set it up?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's not a bad point. My thought was that it's better to have this stuff on by default as, eg for testing it makes everything more consistent.

But maybe we don't want to add policy bindings by default.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a parameter called ENABLE_KMS.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

I think it's good to have to explicitly specify KMS, that's better than having a default that won't be noticed until it's too late.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 24, 2020
@jeremyje
Copy link
Contributor Author

Is there anything remaining in order to get approval?

@mattcary
Copy link
Contributor

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jeremyje, mattcary

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 25, 2020
@k8s-ci-robot k8s-ci-robot merged commit 3e01ff5 into kubernetes-sigs:master Aug 25, 2020
@jeremyje jeremyje deleted the setup branch August 25, 2020 18:03
@jeremyje jeremyje mentioned this pull request Dec 1, 2020
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jingxu97 jingxu97 jingxu97 left review comments

@mattcary mattcary mattcary left review comments

@saikat-royc saikat-royc Awaiting requested review from saikat-royc

Assignees

@mattcary mattcary

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jeremyje @k8s-ci-robot @mattcary @jingxu97