Tags: google-cloud-platform, google-kubernetes-engine, google-iam

GCP Resource with service account lacking logging role still logs


I created a node-pool under a GKE cluster while using a custom service account. When I created this service account, I did not associate it with any roles.

The resource (node-pool) itself was created with the scope required for logging, but the service account used does not have a policy allowing it to log, and it is still able to generate logs!

My understanding was that in order for a resource to have enough permissions, it should satisfy both:

  • have the required scope (or the cloud-platform scope)
  • have a service account with the required policy.

Can someone throw some light on this? Am I missing something? I am fairly new to GCP.


Solution

  • I learned that the Service Agent that's associated with a GKE cluster has the required permission to generate logs. Thus, the moment the logging.write scope is associated with the node_pool within the cluster, it's good to start logging.

    Service Agents are nothing but Google-managed service accounts that allow the services to access your resources. These are hidden from the user and can't be seen in the console, but they are evident in places like resource policies. You can read more about it here.
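An added audit helper, not part of the question or the answer, that checks the two conditions the question lists (node-pool OAuth scope, and a role on the node service account that grants `logging.logEntries.create`) against JSON shaped like the output of `gcloud container node-pools describe --format=json` and `gcloud projects get-iam-policy --format=json`. The sample node pool, project number and service account names are constructed; the list of predefined roles covers only common ones and does not resolve custom roles.

```python
"""Audit whether a GKE node pool's identity can write Cloud Logging entries.

Added example, not from the original post. Both conditions from the question
are checked separately so a missing scope and a missing IAM role can be told
apart in the report.
"""

# OAuth scopes on the node that let the node's token call the Logging API.
LOGGING_SCOPES = {
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/logging.admin",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Predefined roles that include logging.logEntries.create. Custom roles would
# need a lookup with `gcloud iam roles describe`, which this example skips.
LOG_WRITER_ROLES = {
    "roles/logging.logWriter",
    "roles/logging.admin",
    "roles/editor",
    "roles/owner",
}


def roles_for(policy, member):
    """Return the set of roles bound to `member` in an IAM policy dict."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_node_pool_logging(node_pool, policy):
    """Return (has_scope, has_iam_role, sa_email) for one node pool."""
    cfg = node_pool["config"]
    sa = cfg.get("serviceAccount", "default")  # GKE uses the Compute default SA when unset
    has_scope = bool(LOGGING_SCOPES & set(cfg.get("oauthScopes", [])))
    has_role = bool(LOG_WRITER_ROLES & roles_for(policy, f"serviceAccount:{sa}"))
    return has_scope, has_role, sa


# Constructed sample mirroring the question: logging.write scope present,
# custom node SA with no roles bound; only the GKE service agent has a binding.
SAMPLE_POOL = {"name": "pool-1", "config": {
    "serviceAccount": "gke-nodes@my-project.iam.gserviceaccount.com",
    "oauthScopes": ["https://www.googleapis.com/auth/logging.write"]}}
SAMPLE_POLICY = {"bindings": [{
    "role": "roles/container.serviceAgent",
    "members": ["serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"]}]}

if __name__ == "__main__":
    scope_ok, role_ok, sa = audit_node_pool_logging(SAMPLE_POOL, SAMPLE_POLICY)
    print(f"{sa}: scope={'ok' if scope_ok else 'MISSING'} "
          f"iam_role={'ok' if role_ok else 'MISSING'}")
```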