Binding Service Accounts to GCP Kubernetes Engine for ML

Question

Pulumi · Accepted Answer

To bind service accounts to a Google Kubernetes Engine (GKE) cluster on Google Cloud Platform (GCP) for the purpose of Machine Learning (ML) tasks, you will generally need to perform a few steps:

1. **Create a service account** on GCP that your applications in GKE will use for accessing GCP resources.
2. **Assign required roles** to the service account to grant necessary permissions for your ML tasks.
3. **Create IAM policy bindings** that bind these roles to the service account.
4. **Add the service account to your GKE workloads** so that pods can use this service account to interact with GCP services.

Below is a Pulumi program written in Python that sets up a service account, binds the appropriate roles to it, and prepares it for use in a GKE cluster for ML workloads.

The roles to be granted will depend on the specific ML tasks. For illustration, let's assume you need access to Cloud Storage and AI Platform. Adjust the roles accordingly based on your exact needs.

```python
import pulumi
import pulumi_gcp as gcp

# This is the project ID of the Google Cloud Project
project_id = 'your-gcp-project-id'

# Step 1: Create a new GCP service account for your ML workloads.
ml_service_account = gcp.serviceaccount.Account("ml-service-account",
    account_id="ml-service-account",
    display_name="ML Service Account",
    project=project_id)

# Step 2: Assign roles. We are adding Storage Object Admin and AI Platform User for example purposes.
# Note: The roles should be updated according to the specific access needs of your ML tasks.

# Bind the Storage Object Admin role to the service account.
storage_object_admin_binding = gcp.projects.IAMBinding("storage-object-admin-binding",
    members=[pulumi.Output.concat("serviceAccount:", ml_service_account.email)],
    role="roles/storage.objectAdmin",
    project=project_id)

# Bind the AI Platform User role to the service account.
ai_platform_user_binding = gcp.projects.IAMBinding("ai-platform-user-binding",
    members=[pulumi.Output.concat("serviceAccount:", ml_service_account.email)],
    role="roles/aiplatform.user",
    project=project_id)

# Export the service account email so it can be easy to integrate with other parts of the system.
pulumi.export("ml_service_account_email", ml_service_account.email)
```

Here's a breakdown of what the above code does:

- **Creates a service account** (`ml-service-account`) for ML workloads with the help of the `gcp.serviceaccount.Account` class. This service account can be used by applications running within the GKE cluster to interact with other GCP resources.

- **Binds IAM roles** to the created service account. This is done through the `gcp.projects.IAMBinding` resource. In the example program, two roles are assigned:

- `roles/storage.objectAdmin`: Grants full control over GCP Cloud Storage objects which might be required for storing datasets and ML models.
  
  - `roles/aiplatform.user`: Grants permissions to access AI Platform resources, which is commonly used for various ML tasks on GCP.

- **Exports the service account email address** as an output of the Pulumi program so it can be referenced or provided to Kubernetes workloads as needed.

Keep in mind that role assignments should follow the principle of least privilege. Only grant the permissions necessary for your tasks to avoid potential security issues.

You would then proceed to incorporate this service account into your Kubernetes workloads by referencing its email in the Kubernetes `ServiceAccount` resource and annotating it appropriately, or by using workload identity features in GKE. This step isn't covered here as it's Kubernetes-specific rather than related to Pulumi's infrastructure-as-code capabilities for GCP resources.