
I created a node pool under a GKE cluster using a custom service account. When I created this service account, I did not associate it with any roles.

The resource (node pool) itself was created with the scope required for logging, but the service account used does not have a policy allowing it to log, and it is still able to generate logs!

My understanding was that in order for a resource to have enough permissions, it should satisfy both:

  • have required scope (or cloud_platform scope)
  • have a service account with the required policy.

Can someone throw some light on this? Am I missing something? I am fairly new to GCP.

AppleCiderGuy
  • Can you please elaborate on your question? Are you talking about the Admin logs? When you create or modify a service account, Identity and Access Management (IAM) generates log entries. – Ismael Clemente Aguirre May 19 '22 at 22:47
  • I am rather talking about log entries by the GKE cluster itself. If the service account associated with the cluster did not have enough permissions (logging.logEntries.create), then it should not have been able to generate logs. – AppleCiderGuy May 20 '22 at 05:50
  • Anyways, I found the answer to this question, I will post it shortly! – AppleCiderGuy May 20 '22 at 05:51

1 Answer

I learned that the Service Agent associated with a GKE cluster has the required permission to generate logs. Thus, the moment the logging.write scope is associated with the node pool within the cluster, it is good to start logging.

Service Agents are nothing but Google-managed service accounts that allow the services to access your resources. These are hidden from the user and can't be seen in the console, but they are evident in places like resource policies. You can read more about it here

AppleCiderGuy
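The question's two-condition model (OAuth scope on the node pool, IAM role on the node service account) and the answer's point that the Google-managed service agent is a separate identity with its own binding can be checked offline against the JSON that `gcloud container node-pools describe --format=json` and `gcloud projects get-iam-policy --format=json` return. The script below is an added example, not code from the post or from Google; the node pool, project, service account email and policy bindings are constructed, `PROJECT_NUMBER` is a placeholder, and the role-to-permission mapping is a deliberately small subset assumed for the check. It goes slightly beyond the post by treating the `cloud-platform` scope as covering `logging.write` and by reporting each condition separately, so a practitioner can see which of the two is failing for the custom account while the service agent's binding is present.

```python
"""
Offline check of the two conditions a GKE node pool needs for its own
service account to write logs:
  (1) the node pool carries the logging.write (or cloud-platform) OAuth scope;
  (2) the node service account holds an IAM role granting logging.logEntries.create.
Input shapes mirror `gcloud container node-pools describe --format=json` and
`gcloud projects get-iam-policy --format=json`; all values are constructed.
"""
import json

LOGGING_WRITE_SCOPE = "https://www.googleapis.com/auth/logging.write"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
LOG_PERMISSION = "logging.logEntries.create"  # the permission the question names

# Assumption: a small subset of roles treated as granting LOG_PERMISSION.
# roles/container.serviceAgent is listed because the answer above states the
# GKE service agent holds the permission needed to write logs.
ROLES_GRANTING_LOG_WRITE = {
    "roles/logging.logWriter",
    "roles/logging.admin",
    "roles/editor",
    "roles/owner",
    "roles/container.serviceAgent",
}

# Constructed sample: node pool as described by gcloud (trimmed to relevant keys).
NODE_POOL_JSON = """
{
  "name": "custom-sa-pool",
  "config": {
    "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
    "oauthScopes": [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring"
    ]
  }
}
"""

# Constructed sample: project IAM policy. The custom node SA has no binding at
# all; the Google-managed GKE service agent does (PROJECT_NUMBER is a placeholder).
IAM_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/container.serviceAgent",
      "members": ["serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com"]
    },
    {
      "role": "roles/viewer",
      "members": ["user:alice@example.com"]
    }
  ]
}
"""


def has_logging_scope(node_pool: dict) -> bool:
    """Condition 1: the node pool's scopes include logging.write or cloud-platform."""
    scopes = set(node_pool["config"].get("oauthScopes", []))
    return LOGGING_WRITE_SCOPE in scopes or CLOUD_PLATFORM_SCOPE in scopes


def roles_for_member(policy: dict, member: str) -> set:
    """Every role bound to `member` (e.g. 'serviceAccount:x@y.iam.gserviceaccount.com')."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def sa_can_write_logs(policy: dict, service_account_email: str) -> bool:
    """Condition 2: the account holds at least one role from the assumed mapping."""
    member = f"serviceAccount:{service_account_email}"
    return bool(roles_for_member(policy, member) & ROLES_GRANTING_LOG_WRITE)


def evaluate(node_pool: dict, policy: dict) -> dict:
    """Report both conditions separately so the failing one is obvious."""
    sa = node_pool["config"]["serviceAccount"]
    scope_ok = has_logging_scope(node_pool)
    iam_ok = sa_can_write_logs(policy, sa)
    return {
        "service_account": sa,
        "scope_ok": scope_ok,
        "iam_ok": iam_ok,
        "node_sa_can_log": scope_ok and iam_ok,
    }


def evaluate_samples() -> dict:
    """Run the check over the constructed node pool and policy above."""
    return evaluate(json.loads(NODE_POOL_JSON), json.loads(IAM_POLICY_JSON))


def service_agent_roles() -> set:
    """Roles bound to the constructed GKE service agent identity."""
    agent = "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com"
    return roles_for_member(json.loads(IAM_POLICY_JSON), agent)


if __name__ == "__main__":
    for key, value in evaluate_samples().items():
        print(f"{key}: {value}")
    print(f"service agent roles: {sorted(service_agent_roles())}")
```

For the constructed input the scope check passes and the IAM check fails for the custom node account, which is exactly the situation the question describes; the only identity in the policy that holds a log-writing role is the service agent. Replacing the two JSON constants with real `gcloud ... --format=json` output turns this into a quick audit of which identity is actually permitted to write a project's GKE logs.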