Skip to content

Latest commit

 

History

History

main_project

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
flow_chart.svg
flow_chart.svg
 
 
main_project.yaml
main_project.yaml
 
 

README.md

Main Project

Analyzed script: ensure-main-project.sh

Table of Content

Flow Chart

Flow Chart for ensure-main-project.sh script

Terraform data sources and resources

Components

  • Project:

    • kubernetes-public

  • API:

    • compute
    • logging
    • monitoring
    • bigquery-json
    • container
    • storage-component
    • oslogin
    • dns

  • GCS Bucket:

    • gs://k8s-infra-clusters-terraform:
      • bucketpolicyonly: true
      • location: us

  • IAM Policy Binding:

  • IAM Role (Project IAM Custom Role):

    • ServiceAccountLister:
      • title: Service Account Lister
      • description: Can list ServiceAccounts.
      • stage: GA
      • permissions:
        • iam.serviceAccounts.list

  • IAM:

  • DNS Managed Zone:

    • k8s-io : k8s.io
    • kubernetes-io : kubernetes.io
    • x-k8s-io : x-k8s.io
    • k8s-e2e-com : k8s-e2e.com
    • canary-k8s-io : canary.k8s.io
    • canary-kubernetes-io : canary.kubernetes.io
    • canary-x-k8s-io : canary.x-k8s.io
    • canary-k8s-e2e-com : canary.k8s-e2e.com

  • Bigquery DataSet:

    [@bartsmykla]: Currently at the end of the script which is provisioning resources for main project there is a comment and mechanism to acknowledging the knowledge about having to log in to the cloud console by human to enable billing export

    • kubernetes_public_billing:
      • access:
        • groupByEmail:[email protected]:
          • READER
          • roles/bigquery.metadataViewer
          • roles/bigquery.user

Yaml representation of ComponentsG1,G2

google_project:
  - name: kubernetes-public
google_project_service:
  - service: compute.googleapis.com
    project: kubernetes-public
  - service: logging.googleapis.com
    project: kubernetes-public
  - service: monitoring.googleapis.com
    project: kubernetes-public
  - service: bigquery-json.googleapis.com
    project: kubernetes-public
  - service: container.googleapis.com
    project: kubernetes-public
  - service: storage-component.googleapis.com
    project: kubernetes-public
  - service: oslogin.googleapis.com
    project: kubernetes-public
  - service: dns.googleapis.com
    project: kubernetes-public
google_storage_bucket:
  - name: k8s-infra-clusters-terraform
    bucket_policy_only: true
    location: us
    project: kubernetes-public
google_dns_managed_zone:
  - name: k8s-io
    dns_name: k8s.io.
    project: kubernetes-public
  - name: kubernetes-io
    dns_name: kubernetes.io.
    project: kubernetes-public
  - name: x-k8s-io
    dns_name: x-k8s.io.
    project: kubernetes-public
  - name: k8s-e2e-com
    dns_name: k8s-e2e.com.
    project: kubernetes-public
  - name: canary-k8s-io
    dns_name: canary.k8s.io.
    project: kubernetes-public
  - name: canary-kubernetes-io
    dns_name: canary.kubernetes.io.
    project: kubernetes-public
  - name: canary-x-k8s-io
    dns_name: canary.x-k8s.io.
    project: kubernetes-public
  - name: canary-k8s-e2e-com
    dns_name: canary.k8s-e2e.com.
    project: kubernetes-public
google_bigquery_dataset:
  - dataset_id: kubernetes_public_billing
    access:
      - role: READER
        group_by_email: [email protected]
      - role: roles/bigquery.metadataViewer
        group_by_email: [email protected]
      - role: roles/bigquery.user
        group_by_email: [email protected]
      # https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination
      - role: roles/bigquery.dataEditor
        # serviceAccount email will be taken from "google_logging_billing_account_sink" resource's
        # attributes reference
        user_by_email: "[google_logging_billing_account_sink.kubernetes_public_billing_sink.writer_identity]"
    delete_contents_on_destroy: false
    project: kubernetes-public
google_logging_billing_account_sink:
# To be able to create/manage this resource, the credentials
# used with Terraform has to have granted IAM role: "roles/logging.configWriter"
# Using this resource swhould remove the need of manual steps which needs to be done:
# https://github.com/kubernetes/k8s.io/blob/e62c18e79a75615d4868afaf5eebcf36bb265df9/infra/gcp/ensure-main-project.sh#L179-L192
  - name: kubernetes_public_billing_sink
    billing_account: 018801-93540E-22A20E
    destination: bigquery.googleapis.com/projects/kubernetes-public/datasets/kubernetes_public_billing
google_project_iam_custom_role:
  - role_id: ServiceAccountLister
    title: Can list ServiceAccounts.
    permissions:
      - iam.serviceAccounts.list
    stage: GA
    project: kubernetes-public
google_project_iam_binding:
  - role: roles/bigquery.admin
    members:
      - group:[email protected]
    project: kubernetes-public
  - role: roles/compute.viewer
    members:
      - group:[email protected]
    project: kubernetes-public
  - role: roles/container.admin
    members:
      - group:[email protected]
    project: kubernetes-public
  - role: roles/container.clusterViewer
    members:
      - group:[email protected]
    project: kubernetes-public
  - role: roles/bigquery.jobUser
    members:
      - group:[email protected]
    project: kubernetes-public
  - role: roles/dns.admin
    members:
      - group:[email protected]
    project: kubernetes-public
  - role: projects/kubernetes-public/roles/ServiceAccountLister
    members:
      - group:[email protected]
    project: kubernetes-public
google_storage_bucket_iam_binding:
  - role: roles/storage.objectAdmin
    members:
      - group:[email protected]
    bucket: gs://k8s-infra-clusters-terraform
  - role: roles/storage.legacyBucketOwner
    members:
      - group:[email protected]
    bucket: gs://k8s-infra-clusters-terraform