Enable workload identity

Question

Enable workload identity

wwwil opened this issue 5 years ago · comments

William Squires commented 5 years ago

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

tisc0 · Answer 1 · Mon Oct 28 2019 08:48:19 GMT+0800 (China Standard Time)

Hi,
Actually, Terraform propose already :

to switch on "workload identity" for cluster

workload_identity_config {
    identity_namespace = "${var.google_project}.svc.id.goog"

to switch on "workload identity" for node pool
https://www.terraform.io/docs/providers/google/r/container_cluster.html#workload_identity_config

    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"

What's missing is bilateral binding between Kube's Service Accounts and GCP IAM Service Accounts.

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:[PROJECT_ID].svc.id.goog[default/default]" \
  [GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

Do you think your module covers this scope ?

Thanks

ahmed1smael · Answer 2 · Fri Dec 13 2019 00:48:08 GMT+0800 (China Standard Time)

is there an update here? does anybody know how to bind GSA to KSA with terraform?

nikhilbalekundargi · Answer 3 · Fri Dec 20 2019 16:32:38 GMT+0800 (China Standard Time)

For binding we can use google_service_account_iam_binding resource and for annotation there is no terraform resource. I have used null resource.

#Binding google service account and K8s service account

resource "google_service_account_iam_binding" "gsa_ksa_binding" {
  service_account_id = "projects/${var.project}/serviceAccounts/${var.gke_sa_email}" 
  role               = "roles/iam.workloadIdentityUser"

  members = [
    "serviceAccount:${var.project}.svc.id.goog[flux/flux]",
    "serviceAccount:${var.project}.svc.id.goog[flux/default]",
  ]
}

#annotating k8s service account

resource "null_resource" "annotate_ksa" {
  triggers = {
    cluster_ep = "${google_container_cluster.gke_cluster.endpoint}"  #kubernetes cluster endpoint
  }

  provisioner "local-exec" {
    command = <<EOT
        gcloud container clusters get-credentials $${K8S_CLUSTER} --zone $${K8S_ZONE} --project $${K8S_PROJECT}
        kubectl annotate serviceaccount --namespace flux flux iam.gke.io/gcp-service-account=$${GCP_SA_EMAIL}
        kubectl annotate serviceaccount --namespace flux default iam.gke.io/gcp-service-account=$${GCP_SA_EMAIL}
    EOT

    environment = {
     GCP_SA_EMAIL    = "${var.gke_sa_email}"
     K8S_CLUSTER    = "${google_container_cluster.gke_cluster.name}"
     K8S_ZONE       = "${var.location}"
     K8S_PROJECT    = "${var.project}"
    }
  }  
  depends_on = ["google_service_account_iam_binding.gsa_ksa_binding"]
}

#var.project=project id
var.gke_sa_email= Google service account email.

repo-lockdown · Answer 4 · Thu Sep 03 2020 23:00:38 GMT+0800 (China Standard Time)

This project is now deprecated so we aren't accepting any further changes.

Enable workload identity

#var.project=project id var.gke_sa_email= Google service account email.

#var.project=project id
var.gke_sa_email= Google service account email.