Channels
#flyte-on-gcp
Title
# flyte-on-gcp
a
Ariel Kaspit
06/14/2023, 3:13 PMHey everyone!
I have a question regarding RBAC in Flyte (I know it’s not supported). How do you manage permissions for different domains (development, staging, production)?
f
Fabio Grätz
06/14/2023, 3:20 PMWorkload identities and dedicated gcp + k8s service accounts for the different domains.
This guide is quite helpful
a
Ariel Kaspit
06/14/2023, 3:20 PMI saw that’s v.1.0.0, is it up to date?
Thanks for the answer!
f
Fabio Grätz
06/14/2023, 3:21 PMI can’t say for sure about the entire guide but the workfload identity setup is what we use in production.
Works well.
a
Ariel Kaspit
06/14/2023, 3:22 PMSo you configure this binding somewhere in the chart values?
Copy code
cluster_resource_manager:
config:
cluster_resources:
customData:
- development:
- projectQuotaCpu:
value: "5"
- projectQuotaMemory:
value: 4000Mi
- defaultIamRole:
value: XXX@PROJECT_ID.iam.gserviceaccount.comf
Fabio Grätz
06/14/2023, 3:23 PM Copy code
flytepropeller:
serviceAccount:
create: true
annotations:
# Needed for gcp workload identity to function
# <https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity>
<http://iam.gke.io/gcp-service-account|iam.gke.io/gcp-service-account>: gsa-flytepropeller@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>We have something like this in our helm values for each service
+ creation of gcp service accounts and workload identity binding via terraform.
a
Ariel Kaspit
06/14/2023, 3:24 PMBecause as far as I understand, this is the the access of the services (flyteadmin, flytepropeller etc.)
Not for users logging into Flyte
I totally agreed, this is exactly what I did (even with Terraform)
But I’m trying to give the developer team “admin” access (register and run a workflow) on non-prod domain, but “view-only” for prod domain…
Or you don’t work that way?
f
Fabio Grätz
06/14/2023, 3:52 PMMh no we don’t 😕
5 Views