# flyte-on-gcp

Ariel Kaspit

06/14/2023, 3:13 PM
Hey everyone! I have a question regarding RBAC in Flyte (I know it’s not supported). How do you manage permissions for different domains (development, staging, production)?

Fabio Grätz

06/14/2023, 3:20 PM
Workload identities and dedicated gcp + k8s service accounts for the different domains.
This guide is quite helpful

Ariel Kaspit

06/14/2023, 3:20 PM
I saw that’s v.1.0.0, is it up to date?
Thanks for the answer!

Fabio Grätz

06/14/2023, 3:21 PM
I can’t say for sure about the entire guide but the workload identity setup is what we use in production.
Works well.

Ariel Kaspit

06/14/2023, 3:22 PM
So you configure this binding somewhere in the chart values?
```yaml
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        - development:
          - projectQuotaCpu:
              value: "5"
          - projectQuotaMemory:
              value: 4000Mi
          - defaultIamRole:
              value: XXX@PROJECT_ID.iam.gserviceaccount.com
```

Fabio Grätz

06/14/2023, 3:23 PM
```yaml
flytepropeller:
  serviceAccount:
    create: true
    annotations:
      # Needed for gcp workload identity to function
      # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
      iam.gke.io/gcp-service-account: gsa-flytepropeller@{{ .Values.userSettings.googleProjectId }}.iam.gserviceaccount.com
```
We have something like this in our helm values for each service
+ creation of gcp service accounts and workload identity binding via terraform.

Ariel Kaspit

06/14/2023, 3:24 PM
Because as far as I understand, this is the access of the services (flyteadmin, flytepropeller etc.), not for users logging into Flyte.
I totally agree, this is exactly what I did (even with Terraform).
But I’m trying to give the developer team “admin” access (register and run a workflow) on non-prod domain, but “view-only” for prod domain…
Or you don’t work that way?

Fabio Grätz

06/14/2023, 3:52 PM
Mh no we don’t 😕