From 9fcea1f85557a00a233b01ec219f6564d550c3c6 Mon Sep 17 00:00:00 2001 From: "Yuan (Bob) Gong" Date: Mon, 6 Jul 2020 17:34:50 +0800 Subject: [PATCH] fix(gcp): Use IAMPolicyMember for workload identity bindings (#1347) * fix profile controller iam binding * rename --- .../cnrm/iam/admin-manages-user-policy.yaml | 13 +++++++ gcp/v2/cnrm/iam/kf-admin-policy.yaml | 14 -------- .../kf-admin-workload-identity-bindings.yaml | 11 ++++++ gcp/v2/cnrm/iam/kf-user-policy.yaml | 16 --------- .../kf-user-workload-identity-bindings.yaml | 35 +++++++++++++++++++ gcp/v2/cnrm/iam/kustomization.yaml | 3 ++ 6 files changed, 62 insertions(+), 30 deletions(-) create mode 100644 gcp/v2/cnrm/iam/admin-manages-user-policy.yaml create mode 100644 gcp/v2/cnrm/iam/kf-admin-workload-identity-bindings.yaml create mode 100644 gcp/v2/cnrm/iam/kf-user-workload-identity-bindings.yaml diff --git a/gcp/v2/cnrm/iam/admin-manages-user-policy.yaml b/gcp/v2/cnrm/iam/admin-manages-user-policy.yaml new file mode 100644 index 0000000000..7322a3795b --- /dev/null +++ b/gcp/v2/cnrm/iam/admin-manages-user-policy.yaml @@ -0,0 +1,13 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: name-admin-manages-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} +spec: + member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}} + # "roles/serviceAccountAdmin" grants kf-admin service account permission to + # manage workload identity binding policies for kf-user service account. + role: roles/iam.serviceAccountAdmin + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + name: name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} 
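Review bot: The comment above `role:` says `"roles/serviceAccountAdmin"` while the role actually granted is `roles/iam.serviceAccountAdmin`; the two should agree so anyone grepping for the role finds the explanation. The comment also understates what is handed out: as far as I recall, `roles/iam.serviceAccountAdmin` on a service account includes `iam.serviceAccounts.setIamPolicy`, so kf-admin can grant any member (itself included) `roles/iam.serviceAccountTokenCreator` or `roles/iam.workloadIdentityUser` on kf-user, making kf-admin effectively at least as privileged as kf-user — acceptable only if that is the intent. I would rewrite the two comment lines as `# roles/iam.serviceAccountAdmin on the kf-user SA lets kf-admin manage workload identity` / `# bindings on kf-user. It also allows granting any role on that SA to any member, so kf-admin` / `# inherits kf-user's effective privileges; a custom role with only getIamPolicy/setIamPolicy is narrower.`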
diff --git a/gcp/v2/cnrm/iam/kf-admin-policy.yaml b/gcp/v2/cnrm/iam/kf-admin-policy.yaml index 529fbb2cb7..b391e5b9da 100644 --- a/gcp/v2/cnrm/iam/kf-admin-policy.yaml +++ b/gcp/v2/cnrm/iam/kf-admin-policy.yaml @@ -165,17 +165,3 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: projects/project-id # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} ---- -apiVersion: iam.cnrm.cloud.google.com/v1beta1 -kind: IAMPolicy -metadata: - name: name-admin-workload-identity-users # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} -spec: - resourceRef: - apiVersion: iam.cnrm.cloud.google.com/v1beta1 - kind: IAMServiceAccount - name: name-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} - bindings: - - role: roles/iam.workloadIdentityUser - members: - - serviceAccount:project-id.svc.id.goog[kubeflow/profiles-controller-service-account] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} diff --git a/gcp/v2/cnrm/iam/kf-admin-workload-identity-bindings.yaml b/gcp/v2/cnrm/iam/kf-admin-workload-identity-bindings.yaml new file mode 100644 index 0000000000..3817ae1334 --- /dev/null +++ b/gcp/v2/cnrm/iam/kf-admin-workload-identity-bindings.yaml 
@@ -0,0 +1,11 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: name-admin-workload-identity-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} +spec: + member: serviceAccount:project-id.svc.id.goog[kubeflow/profiles-controller-service-account] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} + role: roles/iam.workloadIdentityUser + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + name: name-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} diff --git a/gcp/v2/cnrm/iam/kf-user-policy.yaml b/gcp/v2/cnrm/iam/kf-user-policy.yaml index ff2f213b45..f89fe4ec1f 100644 --- a/gcp/v2/cnrm/iam/kf-user-policy.yaml +++ b/gcp/v2/cnrm/iam/kf-user-policy.yaml 
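Review bot: Moving the kf-admin binding from an authoritative `IAMPolicy` to a non-authoritative `IAMPolicyMember` means Config Connector will no longer remove `roles/iam.workloadIdentityUser` members added to `name-admin` outside this config, and the PR description only motivates that change for kf-user, whose bindings the profiles controller edits. If nothing else is expected to manage kf-admin's policy, keeping the authoritative `IAMPolicy` for this SA would preserve drift correction on the identity that the other new file grants `serviceAccountAdmin` over kf-user. If the additive form is deliberate, a header comment such as `# Non-authoritative: CNRM adds this member but will not prune other workloadIdentityUser bindings on name-admin.` would make the trade-off explicit to the next reader.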
@@ -141,19 +141,3 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: projects/project-id # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} ---- -apiVersion: iam.cnrm.cloud.google.com/v1beta1 -kind: IAMPolicy -metadata: - name: name-user-workload-identity-users # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} -spec: - resourceRef: - apiVersion: iam.cnrm.cloud.google.com/v1beta1 - kind: IAMServiceAccount - name: name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} - bindings: - - role: roles/iam.workloadIdentityUser - members: - - serviceAccount:project-id.svc.id.goog[kubeflow/ml-pipeline-ui] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} - - serviceAccount:project-id.svc.id.goog[kubeflow/ml-pipeline-visualizationserver] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} - - serviceAccount:project-id.svc.id.goog[kubeflow/pipeline-runner] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} diff --git a/gcp/v2/cnrm/iam/kf-user-workload-identity-bindings.yaml b/gcp/v2/cnrm/iam/kf-user-workload-identity-bindings.yaml new file mode 100644 index 0000000000..88e69a7744 --- /dev/null +++ b/gcp/v2/cnrm/iam/kf-user-workload-identity-bindings.yaml 
@@ -0,0 +1,35 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: name-user-workload-identity-user-ml-pipeline-ui # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} +spec: + member: serviceAccount:project-id.svc.id.goog[kubeflow/ml-pipeline-ui] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} + role: roles/iam.workloadIdentityUser + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + name: name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} +--- +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: name-user-workload-identity-user-ml-pipeline-visualizationserver # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} +spec: + member: serviceAccount:project-id.svc.id.goog[kubeflow/ml-pipeline-visualizationserver] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} + role: roles/iam.workloadIdentityUser + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + name: name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} +--- +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: name-user-workload-identity-user-pipeline-runner # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} +spec: + member: serviceAccount:project-id.svc.id.goog[kubeflow/pipeline-runner] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}} + role: roles/iam.workloadIdentityUser + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + 
name: name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}} diff --git a/gcp/v2/cnrm/iam/kustomization.yaml b/gcp/v2/cnrm/iam/kustomization.yaml index 2341a5fded..e01367781e 100644 --- a/gcp/v2/cnrm/iam/kustomization.yaml +++ b/gcp/v2/cnrm/iam/kustomization.yaml @@ -5,3 +5,6 @@ resources: - kf-admin-sa.yaml - kf-user-policy.yaml - kf-user-sa.yaml +- kf-admin-workload-identity-bindings.yaml +- kf-user-workload-identity-bindings.yaml +- admin-manages-user-policy.yaml
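Review bot: Nothing in this file says why kf-user's bindings now live in separate `IAMPolicyMember` resources instead of the `IAMPolicy` removed from kf-user-policy.yaml, and the reason is security-relevant: judging by the `serviceAccountAdmin` comment in admin-manages-user-policy.yaml, the profiles controller also manages `workloadIdentityUser` bindings on `name-user`, so an authoritative policy would have wiped them on each reconcile, while the additive form means CNRM will not prune any binding it does not own (including members left behind for removed profiles). I would add at the top of the file: `# One IAMPolicyMember per KSA (non-authoritative): the profiles controller also manages` / `# workloadIdentityUser bindings on this SA. CNRM will not remove bindings added outside this` / `# config, so the SA's policy should be audited for stale members.`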