k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8/config/prow/cluster/build/build_serviceaccounts.yaml (about)

     1  ---
        # Kubernetes ServiceAccount in test-pods, mapped to a GCP service account by
        # the GKE Workload Identity annotation below.
     2  apiVersion: v1
     3  kind: ServiceAccount
     4  metadata:
     5    annotations:
     6      # Used by container image promoter audit jobs
     7      # TODO(fejta): better define these rules and enforce them in presubmit.
            # The annotation is only the Kubernetes half of the mapping: pods receive
            # credentials for the GCP account only if its IAM policy also grants
            # roles/iam.workloadIdentityUser to test-pods/k8s-gcr-audit-test-prod.
            # NOTE(review): nothing in this manifest limits which jobs may set
            # serviceAccountName to this account; until the TODO above is done,
            # that has to be checked when job configs are reviewed.
     8      iam.gke.io/gcp-service-account: k8s-infra-gcr-promoter@k8s-gcr-audit-test-prod.iam.gserviceaccount.com
     9    name: k8s-gcr-audit-test-prod
    10    namespace: test-pods
    11  ---
        # Kubernetes ServiceAccount in test-pods for the promoter backup test,
        # mapped to a GCP service account via GKE Workload Identity.
    12  apiVersion: v1
    13  kind: ServiceAccount
    14  metadata:
    15    annotations:
    16      # Used by container image promoter backup test job (pull-k8sio-backup)
            # NOTE(review): the GCP account is k8s-infra-gcr-promoter in project
            # k8s-gcr-backup-test-prod-bak, while the Kubernetes name ends in -test;
            # confirm that account holds only the roles the backup test needs.
    17      iam.gke.io/gcp-service-account: k8s-infra-gcr-promoter@k8s-gcr-backup-test-prod-bak.iam.gserviceaccount.com
    18    name: k8s-infra-gcr-promoter-test
    19    namespace: test-pods
    20  ---
        # Kubernetes ServiceAccount in test-pods for the vulnerability-scanning
        # presubmit, mapped to a GCP service account via GKE Workload Identity.
    21  apiVersion: v1
    22  kind: ServiceAccount
    23  metadata:
    24    annotations:
    25      # Used by container image promoter vulnerability scanning presubmit check (pull-k8sio-cip-vuln)
            # NOTE(review): a presubmit runs against unmerged pull-request changes,
            # and the mapped account lives in a project named k8s-artifacts-prod;
            # confirm its GCP roles are read-only and scoped to scanning.
    26      iam.gke.io/gcp-service-account: k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com
    27    name: k8s-infra-gcr-vuln-scanning
    28    namespace: test-pods
    29  ---
        # Default Kubernetes ServiceAccount for prowjobs in test-pods, mapped to a
        # GCP service account via GKE Workload Identity.
    30  apiVersion: v1
    31  kind: ServiceAccount
    32  metadata:
    33    annotations:
    34      # Default prowjob runner for default build cluster. This service account
    35      # doesn't have GCP permission other than writing artifacts into the default
    36      # GCS artifacts location for prow.
    37      # Please create a separate service account for special needs.
            # NOTE(review): the artifacts-only limit is set in GCP IAM, not in this
            # manifest. As the default job identity, any role added to the GCP
            # account reaches every job that uses it; re-check when roles change.
    38      iam.gke.io/gcp-service-account: prowjob-default-sa@k8s-prow-builds.iam.gserviceaccount.com
    39    name: prowjob-default-sa
    40    namespace: test-pods
    41  ---
        # Kubernetes ServiceAccount in test-pods for Kops testing jobs, mapped to a
        # GCP service account via GKE Workload Identity.
    42  apiVersion: v1
    43  kind: ServiceAccount
    44  metadata:
    45    annotations:
    46      # Used by Kops testing jobs
            # NOTE(review): the mapped GCP account is pr-kubekins in project
            # kubernetes-jenkins-pull, not one named after kops. If other jobs map
            # to the same GCP account they share its permissions; confirm the scope.
    47      iam.gke.io/gcp-service-account: pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com
    48    name: k8s-kops-test
    49    namespace: test-pods
    50  ---
        # Kubernetes ServiceAccount in the default namespace, mapped to a GCP
        # service account via GKE Workload Identity. It is the only account in
        # this listing that is not in test-pods.
    51  kind: ServiceAccount
    52  apiVersion: v1
    53  metadata:
    54    annotations:
            # The file gives no purpose comment for this account.
            # NOTE(review): the name suggests it is the identity of a
            # kubernetes-external-secrets controller; confirm, and document which
            # secret store the GCP account may read and who may run pods as it.
    55      iam.gke.io/gcp-service-account: kubernetes-external-secrets-sa@k8s-prow-builds.iam.gserviceaccount.com
    56    name: kubernetes-external-secrets-sa
    57    namespace: default
    58  ---
        # Kubernetes ServiceAccount in test-pods for the secrets-store-csi-driver
        # GCP provider tests, mapped to a GCP service account via GKE Workload
        # Identity.
    59  apiVersion: v1
    60  kind: ServiceAccount
    61  metadata:
    62    annotations:
    63      # Used by the gcp provider tests for secrets-store-csi-driver
            # NOTE(review): the mapped account is in project secretmanager-csi-build;
            # the tests presumably read secret-manager entries, so confirm the
            # account can reach test secrets only.
    64      iam.gke.io/gcp-service-account: k8s-csi-test@secretmanager-csi-build.iam.gserviceaccount.com
    65    name: secrets-store-csi-driver-gcp
    66    namespace: test-pods
    67  ---
        # Kubernetes ServiceAccount in test-pods mapped to the triage GCP service
        # account via GKE Workload Identity.
    68  apiVersion: v1
    69  kind: ServiceAccount
    70  metadata:
    71    annotations:
    72      # Used by the metrics-kettle job. (Note that for some reason this job uses the triage SA not the kettle SA.)
            # NOTE(review): running metrics-kettle as the triage account gives that
            # job whatever the triage account is granted; confirm that is intended
            # or move the job to an account of its own.
    73      iam.gke.io/gcp-service-account: triage@k8s-gubernator.iam.gserviceaccount.com
    74    name: triage
    75    namespace: test-pods
    76  ---
        # Kubernetes ServiceAccount in test-pods for the test-infra-fuzz job, mapped
        # to a GCP service account via GKE Workload Identity. Marked temporary by
        # the TODO below.
    77  apiVersion: v1
    78  kind: ServiceAccount
    79  metadata:
    80    annotations:
    81      # TODO(mpherman): Clean this up once done testing clusterfuzzlite integration
    82      # Used by the test-infra-fuzz job.
            # NOTE(review): the mapped account is in project colew-test, which by
            # name does not look like a shared infrastructure project; confirm who
            # owns it. When the TODO is resolved, remove the GCP-side
            # roles/iam.workloadIdentityUser binding along with this ServiceAccount.
    83      iam.gke.io/gcp-service-account: test-fuzz-sa@colew-test.iam.gserviceaccount.com
    84    name: fuzz-test
    85    namespace: test-pods