How To Add GCP Service Account To Kubernetes Workload/Project

2/22/2018

I am attempting to add a GCP service account Y that has access to a specific storage bucket named 'security-keychain'. I'm trying to figure out what config or changes are necessary to make my current project capable of accessing said service account and then the bucket.

I did look over https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ but didn't feel like it provided much insight.

Here is my current GCP Kubernetes config for this project. My project will be an nginx reverse proxy, in case you're wondering, and the bucket has access to all the SSL certificates and keys I need.

deployment.yml

apiVersion: apps/v1  # "extensions/v1" is not a valid API group/version for Deployment; apps/v1 (or the older extensions/v1beta1) is
kind: Deployment
metadata:
  labels:
    run: my-project
  name: my-project
spec:
  replicas: 4
  selector:
    matchLabels:
      run: my-project
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        run: my-project
    spec:
      containers:
      - image: gcr.io/my-company/my-project
        imagePullPolicy: Always
        name: my-project
        resources:
          limits:
            cpu: "800m"
            memory: 4Gi
          requests:
            cpu: "500m"
            memory: 2Gi
        ports:
        - containerPort: 80
          protocol: TCP
        - containerPort: 443
          protocol: TCP
        securityContext:
          privileged: true
          capabilities:   # the original listed "capabilities" twice, which is a duplicate YAML key; the empty one is dropped
            add:
              - SYS_ADMIN
        lifecycle:
          postStart:
            exec:
              command: ["gcsfuse", "-o", "nonempty", "security-keychain", "/mnt/security-keychain"]
          preStop:
            exec:
              command: ["fusermount", "-u", "/mnt/security-keychain"]

service.yml

apiVersion: v1
kind: Service
metadata:
  name: my-project-service # service name
spec:
  type: LoadBalancer # gives your app a public IP so the outside world can get to it
  loadBalancerIP: 99.99.99.99 # declared in VPC Networks > External IP Addresses in GCP Console
  ports:
    - port: 80 # port the service listens on
      targetPort: 80 # port the app listens on
      protocol: TCP
      name: http
    - port: 443 # port the service listens on
      targetPort: 443 # port the app listens on
      protocol: TCP
      name: https
  selector:
    run: my-project
-- Dan

Tags: account, bucket, google-cloud-platform, kubernetes

1 Answer

2/23/2018

You can follow this guide to achieve your goal if your architecture implies that you must use a service account. Keep in mind that you can mount a Kubernetes pod/container directly to a Google Cloud Storage bucket by following this other guide.

-- Thrahir
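The answer above links to a guide but does not show the manifest itself. The following is an added example, not code from Dan's post or Thrahir's answer, of the service-account approach applied to the deployment in the question: the JSON key for service account Y is stored as a Kubernetes Secret, mounted read-only into the container, and handed to gcsfuse through its `--key-file` flag and the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. The Secret name `gcs-sa-key`, the key file name `key.json` and the mount path `/var/secrets/google` are assumptions chosen for this example. It also drops `privileged: true` from the original manifest and keeps only the `SYS_ADMIN` capability plus a `hostPath` mount of `/dev/fuse`; that this is sufficient for FUSE on the target node image is an assumption to verify on your cluster.

```yaml
# Added example (not from the original question or answer).
# Step 1, run once outside the manifest, using the JSON key downloaded for
# service account Y (grant Y only roles/storage.objectViewer on the bucket):
#
#   kubectl create secret generic gcs-sa-key --from-file=key.json=./sa-key.json
#
# Step 2: reference the Secret from the Deployment and point gcsfuse at it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-project
  labels:
    run: my-project
spec:
  replicas: 4
  selector:
    matchLabels:
      run: my-project
  template:
    metadata:
      labels:
        run: my-project
    spec:
      containers:
      - name: my-project
        image: gcr.io/my-company/my-project
        imagePullPolicy: Always
        resources:
          limits:
            cpu: "800m"
            memory: 4Gi
          requests:
            cpu: "500m"
            memory: 2Gi
        ports:
        - containerPort: 80
          protocol: TCP
        - containerPort: 443
          protocol: TCP
        env:
        # Google client libraries and gcsfuse read credentials from this path
        # (path is an assumption; it must match the volumeMount below)
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
        volumeMounts:
        - name: gcs-sa-key            # the Secret created in step 1 (assumed name)
          mountPath: /var/secrets/google
          readOnly: true
        - name: fuse-dev              # FUSE needs the device node, not a privileged container
          mountPath: /dev/fuse
        securityContext:
          capabilities:
            add: ["SYS_ADMIN"]        # required by FUSE; "privileged: true" is not
        lifecycle:
          postStart:
            exec:
              command: ["gcsfuse", "--key-file", "/var/secrets/google/key.json",
                        "-o", "nonempty", "security-keychain", "/mnt/security-keychain"]
          preStop:
            exec:
              command: ["fusermount", "-u", "/mnt/security-keychain"]
      volumes:
      - name: gcs-sa-key
        secret:
          secretName: gcs-sa-key      # assumed Secret name from step 1
      - name: fuse-dev
        hostPath:
          path: /dev/fuse
```

Two points worth checking after applying this: the key never appears in the image or in an environment variable value (only the path does), so rotating it is a matter of replacing the Secret and restarting the pods; and because service account Y is limited to `roles/storage.objectViewer` on `security-keychain`, a compromise of the proxy container cannot be used to modify or delete the certificates, only to read what the proxy already needs.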
Source: StackOverflow