Make kubeip compatible with Workload Identity
DalianisDim opened this issue · comments
Is your feature request related to a problem? Please describe.
Workload Identity is the recommended way for workloads running on Google Kubernetes Engine (GKE) to access Google Cloud services without a Google Service Account key mounted.
Describe the solution you'd like
Right now, a Google Service Account key should be generated and stored in a Kubernetes secret which is then used by kubeip. Using Workload Identity, no key will be used and kubeip's Kubernetes service account will be able to impersonate an IAM service account, giving kubeip the required permissions.
Describe alternatives you've considered
Mounting the Service Account key in JSON format is the only supported method right now.
Additional context
- More information about Workload Identity: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity
That would be pretty cool
I consider this a must-have. Distributing key files is not something we should need to do today.
I think it already supports it, by virtue of using the Google SDK and its default behaviour.
Just removing the GOOGLE_APPLICATION_CREDENTIALS environment label from the deployment will mean it falls back to the default way of working, which includes going to the Metadata server, which is what Workload Identity relies on.
If so, it's likely just a documentation issue.
EDIT: Confirmed, it works with Workload Identity credentials by just removing the GOOGLE_APPLICATION_CREDENTIALS label.
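The switch the thread describes, as an added example that is not part of kubeip's own manifests: the key-in-a-Secret deployment next to the Workload Identity form, with the namespace, account names and image as assumptions.

```yaml
# Added example, not kubeip's own manifests. Assumed names: namespace
# kube-system, KSA kubeip-sa, GSA kubeip-sa@PROJECT_ID.iam.gserviceaccount.com.
#
# BEFORE: a long-lived GSA key in a Secret, mounted into the pod and pointed to
# by GOOGLE_APPLICATION_CREDENTIALS. Anyone who can read the Secret holds a
# credential that is valid outside the cluster and never expires on its own.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubeip
  namespace: kube-system
spec:
  selector:
    matchLabels: {app: kubeip}
  template:
    metadata:
      labels: {app: kubeip}
    spec:
      serviceAccountName: kubeip-sa
      containers:
        - name: kubeip
          image: KUBEIP_IMAGE_PLACEHOLDER
          env:
            - name: GOOGLE_APPLICATION_CREDENTIALS   # drop this variable ...
              value: /var/secrets/google/key.json
          volumeMounts:
            - name: gcp-key                           # ... and this mount
              mountPath: /var/secrets/google
      volumes:
        - name: gcp-key
          secret:
            secretName: kubeip-key
---
# AFTER: Workload Identity. With the env var gone, the Google SDK falls back to
# the GKE metadata server, which issues short-lived tokens for the GSA named in
# the KSA annotation below; the Deployment needs no env var, Secret or volume.
# Prerequisites outside this manifest: Workload Identity enabled on the cluster
# and node pool, and this one-time IAM binding:
#   gcloud iam service-accounts add-iam-policy-binding \
#     kubeip-sa@PROJECT_ID.iam.gserviceaccount.com \
#     --role roles/iam.workloadIdentityUser \
#     --member "serviceAccount:PROJECT_ID.svc.id.goog[kube-system/kubeip-sa]"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubeip-sa
  namespace: kube-system
  annotations:
    iam.gke.io/gcp-service-account: kubeip-sa@PROJECT_ID.iam.gserviceaccount.com
```

To confirm from inside the running pod, `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` should return the GSA e-mail rather than the node's service account.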