authorAleksandr Nogikh <nogikh@google.com>2025-02-27 23:01:21 +0100
committerAleksandr Nogikh <nogikh@google.com>2025-03-05 13:15:16 +0000
commitbe374c06ecebf589c1dddf1a7faf5eaf894123bc (patch)
tree4be1975bb538da6c2329b2867e7a4934eb188f57
parentcccdbe1364d462d1e712dcf2dd98647749a66d36 (diff)
syz-cluster: use a separate service account for DB mgmt
This will let us use more granular IAM permissions.
-rw-r--r--syz-cluster/db-mgmt/migrate-job.yaml2
-rw-r--r--syz-cluster/overlays/minikube/service-accounts.yaml8
2 files changed, 9 insertions, 1 deletions
diff --git a/syz-cluster/db-mgmt/migrate-job.yaml b/syz-cluster/db-mgmt/migrate-job.yaml
index 9eee8e1cf..d77ea1620 100644
--- a/syz-cluster/db-mgmt/migrate-job.yaml
+++ b/syz-cluster/db-mgmt/migrate-job.yaml
@@ -8,7 +8,7 @@ metadata:
spec:
template:
spec:
- serviceAccountName: gke-service-ksa
+ serviceAccountName: gke-db-admin-ksa
containers:
- name: migrate
image: ${IMAGE_PREFIX}db-mgmt:${IMAGE_TAG}
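Review bot: The Job now runs as `gke-db-admin-ksa`, but the only ServiceAccount with that name added in this commit is in the minikube overlay. Any other overlay that deploys this Job needs its own `gke-db-admin-ksa` definition, otherwise the Job's pods will presumably fail to be created because the account is missing. The "more granular IAM permissions" goal also depends on configuration not visible here: the new account should map to its own IAM identity holding only the database-management roles, and `gke-service-ksa` should lose those roles afterwards. A short comment above the field would record the intent, e.g. `# Dedicated identity for schema migrations; do not reuse gke-service-ksa.` The Job manifest starts and continues outside this hunk.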
diff --git a/syz-cluster/overlays/minikube/service-accounts.yaml b/syz-cluster/overlays/minikube/service-accounts.yaml
index bcec70c6c..40854fd3c 100644
--- a/syz-cluster/overlays/minikube/service-accounts.yaml
+++ b/syz-cluster/overlays/minikube/service-accounts.yaml
@@ -22,3 +22,11 @@ kind: ServiceAccount
metadata:
name: argo-controller-ksa
namespace: argo
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gke-db-admin-ksa
+ namespace: default
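Review bot: The new `gke-db-admin-ksa` ServiceAccount is declared with defaults, so pods using it get a Kubernetes API token mounted automatically. If the migrate Job only talks to the database and never to the Kubernetes API (not verifiable from this hunk), adding `automountServiceAccountToken: false` at the top level of this ServiceAccount would keep an unused credential out of a pod that holds DB admin rights. A one-line comment such as `# Used only by db-mgmt jobs (schema migrations).` would also help distinguish it from the other accounts in this file.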