Hey everyone! I have a question regarding RBAC in ...
# flyte-on-gcp
a
Hey everyone! I have a question regarding RBAC in Flyte (I know it’s not supported). How do you manage permissions for different domains (development, staging, production)?
f
Workload identities and dedicated gcp + k8s service accounts for the different domains.
This guide is quite helpful
a
I saw that’s v.1.0.0, is it up to date?
Thanks for the answer!
f
I can’t say for sure about the entire guide but the workfload identity setup is what we use in production.
Works well.
a
So you configure this binding somewhere in the chart values?
Copy code
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        - development:
          - projectQuotaCpu:
              value: "5"
          - projectQuotaMemory:
              value: 4000Mi
          - defaultIamRole:
              value: XXX@PROJECT_ID.iam.gserviceaccount.com
f
Copy code
flytepropeller:
  serviceAccount:
    create: true
    annotations:
      # Needed for gcp workload identity to function
      # <https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity>
      <http://iam.gke.io/gcp-service-account|iam.gke.io/gcp-service-account>: gsa-flytepropeller@{{ .Values.userSettings.googleProjectId }}.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>
We have something like this in our helm values for each service
+ creation of gcp service accounts and workload identity binding via terraform.
a
Because as far as I understand, this is the the access of the services (flyteadmin, flytepropeller etc.) Not for users logging into Flyte
I totally agreed, this is exactly what I did (even with Terraform)
But I’m trying to give the developer team “admin” access (register and run a workflow) on non-prod domain, but “view-only” for prod domain…
Or you don’t work that way?
f
Mh no we don’t 😕
101 Views