by azurezyq
1112 days ago
I was part of the GCP Cloud Dataflow team a few years ago. The status page is actually the standard for all Google internal services (/statusz). I still miss them very much. In Dataflow's case, the container is not treated as the boundary. And there are several important things to note:

- Dataflow's VMs are in customer projects, so there's no risk of cross-tenant access.
- When launching Dataflow jobs, the launcher identity is checked to have the iam.serviceAccountUser IAM role, which means that the identity should be able to launch a VM with the same service account just fine. So Dataflow is not escalating the permission beyond GCE VMs.
- Just as with a VM launched by someone, whether anyone else can log onto those VMs is controlled separately.
- The container is used in Dataflow only for convenient image delivery, not as a security barrier. The VM is.