using user-gcp-sa creds for a pipeline step appears to prevent creating cluster resources from that pod

[amygdala]

It looks like any pipeline step pod that needs to create a new service, deployment, etc. will throw a permissions error that the kf 'user' account (<deployment_name>-user@) doesn't have the rights to do "container.services.create", "container.deployments.create", etc.) if the pod is using gcp auth via the .apply(gcp.use_gcp_secret('user-gcp-sa')) call for that step when the pipeline is defined. Without the gcp creds attached, it can create the service successfully.

Adding the "Kubernetes Engine Admin" role to that kf user account fixes the issue.
I guess that might mean that the gcp creds in this case are less permissive than the non-gcp-credentials state?
I'd argue that use of the gcp creds shouldn't prevent creating new cluster resources.

(This may be more a core kf issue... feel free to re-categorize)

[paveldournov]

Thanks for reporting, @amygdala, this is good suggestion.

@Ark-kun - PTAL, should we be adding the K8s admin to the gcp-sa account automatically?

[amygdala]

One 'gotcha' scenario if we don't do this: I could see people wanting to just blanket apply
.apply(gcp.use_gcp_secret('user-gcp-sa'))
to all their pipeline steps when they know the pipeline is running on GKE, but any step which tries to launch a tf-serving pod (etc.) will then fail.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.