From b308cecbb757ab5d6f0f3a48919b83873e917308 Mon Sep 17 00:00:00 2001
From: Rachael Tamakloe
Date: Thu, 16 Jan 2025 22:41:10 +0000
Subject: [PATCH] Adding note to Private Service Access module
---
 community/examples/hpc-slurm-gromacs.yaml | 6 ++++++
 community/examples/hpc-slurm-local-ssd.yaml | 6 ++++++
 community/examples/hpc-slurm-ubuntu2004.yaml | 6 ++++++
 community/examples/htc-slurm.yaml | 6 ++++++
 community/modules/network/private-service-access/README.md | 3 +++
 examples/gke-managed-parallelstore.yaml | 6 +++++-
 examples/hcls-blueprint.yaml | 6 ++++++
 examples/hpc-enterprise-slurm.yaml | 6 ++++++
 examples/hpc-slurm.yaml | 6 ++++++
 .../machine-learning/a3-megagpu-8g/slurm-a3mega-base.yaml | 7 +++++++
 examples/ml-slurm.yaml | 6 ++++++
 examples/pfs-parallelstore.yaml | 4 ++++
 examples/ps-slurm.yaml | 4 ++++
 modules/file-system/gke-storage/README.md | 4 ++++
 modules/file-system/parallelstore/README.md | 4 ++++
 15 files changed, 79 insertions(+), 1 deletion(-)
diff --git a/community/examples/hpc-slurm-gromacs.yaml b/community/examples/hpc-slurm-gromacs.yaml
index 5627929414..a6ea2ebce0 100644
--- a/community/examples/hpc-slurm-gromacs.yaml
+++ b/community/examples/hpc-slurm-gromacs.yaml
@@ -31,6 +31,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/community/examples/hpc-slurm-local-ssd.yaml b/community/examples/hpc-slurm-local-ssd.yaml
index aeaac6a515..7e9acd4bda 100644
--- a/community/examples/hpc-slurm-local-ssd.yaml
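Review bot: The added comment in this hunk names `compute.networkAdmin` as the requirement but then contrasts Owner with Editor, which a reader can easily take as advice to deploy with Owner instead of adding the one missing role. I would reword the first two comment lines to point at the narrow grant, e.g. `# Private Service Access (PSA) requires the compute.networkAdmin role, which` / `# Editor does not include; grant roles/compute.networkAdmin rather than Owner.` The same wording is repeated in the hpc-slurm-local-ssd, hpc-slurm-ubuntu2004, htc-slurm, gke-managed-parallelstore, hcls-blueprint, hpc-enterprise-slurm, hpc-slurm, slurm-a3mega-base, ml-slurm, pfs-parallelstore and ps-slurm hunks, so the change applies to each of them. The Filestore variants also say PSA "can be optionally removed" without stating what that changes for the Filestore connection; one clause on that would let a reader make the trade-off knowingly. The `deployment_groups` list this comment sits in continues outside the hunk.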
+++ b/community/examples/hpc-slurm-local-ssd.yaml
@@ -31,6 +31,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/community/examples/hpc-slurm-ubuntu2004.yaml b/community/examples/hpc-slurm-ubuntu2004.yaml
index 271afd9a82..d4d0a5dae4 100644
--- a/community/examples/hpc-slurm-ubuntu2004.yaml
+++ b/community/examples/hpc-slurm-ubuntu2004.yaml
@@ -36,6 +36,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/community/examples/htc-slurm.yaml b/community/examples/htc-slurm.yaml
index bea2b0e51c..4fef4d3aec 100644
--- a/community/examples/htc-slurm.yaml
+++ b/community/examples/htc-slurm.yaml
@@ -45,6 +45,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/community/modules/network/private-service-access/README.md b/community/modules/network/private-service-access/README.md
index 82cb34a429..476f97cefd 100644
--- a/community/modules/network/private-service-access/README.md
+++ b/community/modules/network/private-service-access/README.md
@@ -23,6 +23,9 @@ It will automatically perform the following steps, as described in the
 - source: modules/network/vpc
 id: network
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - source: community/modules/network/private-service-access
 id: ps_connect
 use: [network]
diff --git a/examples/gke-managed-parallelstore.yaml b/examples/gke-managed-parallelstore.yaml
index 6f292e0bb6..b48965c979 100644
--- a/examples/gke-managed-parallelstore.yaml
+++ b/examples/gke-managed-parallelstore.yaml
@@ -38,7 +38,11 @@ deployment_groups:
 - range_name: services
 ip_cidr_range: 10.0.32.0/20
- - id: private_service_access # required for parallelstore
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is required for all Parallelstore functionality.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
+ - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
 settings:
diff --git a/examples/hcls-blueprint.yaml b/examples/hcls-blueprint.yaml
index a6c128d9b5..97e75adf25 100644
--- a/examples/hcls-blueprint.yaml
+++ b/examples/hcls-blueprint.yaml
@@ -53,6 +53,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/examples/hpc-enterprise-slurm.yaml b/examples/hpc-enterprise-slurm.yaml
index 86ba80aa83..921cbf1921 100644
--- a/examples/hpc-enterprise-slurm.yaml
+++ b/examples/hpc-enterprise-slurm.yaml
@@ -51,6 +51,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/examples/hpc-slurm.yaml b/examples/hpc-slurm.yaml
index 8435a766c1..e381f1a9c0 100644
--- a/examples/hpc-slurm.yaml
+++ b/examples/hpc-slurm.yaml
@@ -33,6 +33,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/examples/machine-learning/a3-megagpu-8g/slurm-a3mega-base.yaml b/examples/machine-learning/a3-megagpu-8g/slurm-a3mega-base.yaml
index 8b29e8f523..b4ec9f4b33 100644
--- a/examples/machine-learning/a3-megagpu-8g/slurm-a3mega-base.yaml
+++ b/examples/machine-learning/a3-megagpu-8g/slurm-a3mega-base.yaml
@@ -40,6 +40,13 @@ deployment_groups:
 outputs:
 - network_name
 - subnetwork_name
+
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use:
diff --git a/examples/ml-slurm.yaml b/examples/ml-slurm.yaml
index 6064a13113..07df8b8a29 100644
--- a/examples/ml-slurm.yaml
+++ b/examples/ml-slurm.yaml
@@ -46,6 +46,12 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is a best practice for Filestore instances, but can be optionally
+ # removed by deleting the private_service_access module and any references to
+ # the module by Filestore modules.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/examples/pfs-parallelstore.yaml b/examples/pfs-parallelstore.yaml
index 1858556212..001cec6923 100644
--- a/examples/pfs-parallelstore.yaml
+++ b/examples/pfs-parallelstore.yaml
@@ -31,6 +31,10 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is required for all Parallelstore functionality.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/examples/ps-slurm.yaml b/examples/ps-slurm.yaml
index f139aa7b3c..b646356522 100644
--- a/examples/ps-slurm.yaml
+++ b/examples/ps-slurm.yaml
@@ -39,6 +39,10 @@ deployment_groups:
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is required for all Parallelstore functionality.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/modules/file-system/gke-storage/README.md b/modules/file-system/gke-storage/README.md
index 9d7a2fb428..f565bbf95f 100644
--- a/modules/file-system/gke-storage/README.md
+++ b/modules/file-system/gke-storage/README.md
@@ -15,6 +15,10 @@ then use them in a `gke-job-template` to dynamically provision the resource.
 settings:
 enable_parallelstore_csi: true
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is required for all Parallelstore functionality.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]
diff --git a/modules/file-system/parallelstore/README.md b/modules/file-system/parallelstore/README.md
index 9b0595c965..0b942f067f 100644
--- a/modules/file-system/parallelstore/README.md
+++ b/modules/file-system/parallelstore/README.md
@@ -40,6 +40,10 @@ for this newly created network.
 - id: network
 source: modules/network/vpc
+ # Private Service Access (PSA) requires the compute.networkAdmin role which is
+ # included in the Owner role, but not Editor.
+ # PSA is required for all Parallelstore functionality.
+ # https://cloud.google.com/vpc/docs/configure-private-services-access#permissions
 - id: private_service_access
 source: community/modules/network/private-service-access
 use: [network]