
Feature - Support GCP IAM Roles for Service Accounts

Open fbozic opened this issue 3 years ago • 4 comments

/kind feature

1. Describe IN DETAIL the feature/behavior/change you would like to see.

GCP has support for IAM Roles using K8s service accounts, and I think it would be great if kOps could handle configuring this automatically (GKE Workload Identity docs).

kOps already supports AWS IAM Roles for service accounts (docs). Example of a kOps cluster spec stanza:

spec:
  serviceAccountIssuerDiscovery:
    discoveryStore: s3://publicly-readable-store
    enableAWSOIDCProvider: true

Ideally, I would define a similar stanza for serviceAccountIssuerDiscovery, but with GCP-specific values:

spec:
  serviceAccountIssuerDiscovery:
    discoveryStore: gs://publicly-readable-store
    enableGCPOIDCProvider: true

I've also found gcp-workload-identity-federation-webhook, which does the same thing as amazon-eks-pod-identity-webhook. Maybe kOps can add that to addons as well.

FR for AWS IAM Roles for Service Accounts: https://github.com/kubernetes/kops/issues/8264

2. Feel free to provide a design supporting your feature request.

fbozic, Nov 30 '22 14:11

/assign @justinsb

hakman, Dec 01 '22 08:12

I'm also interested in this. It's a shame the GKE Workload Identity functionality is not open source - but the https://github.com/pfnet-research/gcp-workload-identity-federation-webhook project looks interesting.

sl1pm4t, Oct 10 '23 05:10

I submitted a PR to the gcp-workload-identity-federation-webhook project to do the identity injection without an init container.

Also, I opened https://github.com/kubernetes/kops/pull/16050 on this repo to get kOps publishing the Cluster Issuer OIDC documents to GCS.

Next step will be to get kOps to provision the Google Workload Identity Federation pieces, and deploy gcp-workload-identity-federation-webhook as an addon.

EDIT - the gcp-workload-identity-federation-webhook PR has now been merged and is available in the v0.4.0 release.

sl1pm4t, Oct 30 '23 23:10
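Both the original request (a publicly readable discoveryStore plus a cloud-side OIDC provider) and the PR above (publishing the cluster issuer's OIDC documents to GCS) hinge on the same two artifacts and the same verification path: the bucket must serve an openid-configuration whose issuer matches the apiserver's token issuer, and a JWKS containing the apiserver's signing key, because the cloud provider fetches those anonymously and uses them to check the `iss`, `aud`, `kid` and signature of each projected service account token. The following Go program is an added illustration of that round trip; it is not kOps code, not the pfnet-research webhook, and not the GCP verifier. The issuer URL, key id, audience and service account name are made up for the example, and it uses only the Go standard library so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Discovery is the part of .well-known/openid-configuration a cloud OIDC provider reads;
// JWKS, served at jwks_uri, lists the apiserver's RSA signing keys (RFC 7517).
type Discovery struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

var b64 = base64.RawURLEncoding // JWT segments and JWK fields: base64url, no padding

func decode(segs ...string) ([][]byte, error) {
	out := make([][]byte, len(segs))
	for i, s := range segs {
		b, err := b64.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		out[i] = b
	}
	return out, nil
}

// PublishDiscovery builds the two documents that must be publicly readable from the
// discoveryStore; /openid/v1/jwks mirrors the path kube-apiserver itself serves.
func PublishDiscovery(issuer string, pub *rsa.PublicKey, kid string) (Discovery, JWKS) {
	k := JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	return Discovery{Issuer: issuer, JwksURI: issuer + "/openid/v1/jwks"}, JWKS{Keys: []JWK{k}}
}

// SignToken mints an RS256 JWT the way kube-apiserver mints a projected service
// account token: base64url(header).base64url(claims).base64url(signature).
func SignToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // claims are plain JSON values, so Marshal cannot fail
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is what the cloud side does before trusting a token: pin the algorithm,
// find the kid in the published JWKS, check the signature, then match iss against the
// discovery document and aud against the audience the provider was configured with.
// A stale, private or wrongly placed discoveryStore shows up here as a rejection.
func VerifyToken(tok string, d Discovery, jwks JWKS, audience string) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	raw, err := decode(parts...)
	if err != nil || len(parts) != 3 {
		return nil, fmt.Errorf("want 3 base64url segments, got %d: %v", len(parts), err)
	}
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if json.Unmarshal(raw[0], &hdr) != nil || json.Unmarshal(raw[1], &claims) != nil {
		return nil, fmt.Errorf("malformed JSON in token")
	}
	if hdr.Alg != "RS256" { // never let the token choose: rejects "none" and HS256 key confusion
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if ne, err := decode(k.N, k.E); k.Kty == "RSA" && k.Kid == hdr.Kid && err == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(ne[0]), E: int(new(big.Int).SetBytes(ne[1]).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not in published JWKS", hdr.Kid)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], raw[2]); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	if claims["iss"] != d.Issuer {
		return nil, fmt.Errorf("iss %v != discovery issuer %q", claims["iss"], d.Issuer)
	}
	auds, _ := claims["aud"].([]any) // projected tokens carry aud as a JSON array
	found := false
	for _, a := range auds {
		found = found || a == audience
	}
	if !found {
		return nil, fmt.Errorf("aud %v lacks %q", claims["aud"], audience)
	}
	return claims, nil
}
```

Against a real cluster the same checks translate into a few manual steps: fetch `<issuer>/.well-known/openid-configuration` and the `jwks_uri` it names from the bucket with no credentials at all (that is the "publicly readable" requirement), confirm the `issuer` field equals the value the apiserver was started with as `--service-account-issuer`, and confirm the `kid` in the header of a token projected into a pod appears in the JWKS. If any of those fail, the cloud provider will reject every token, no matter how the webhook or metadata server injects it.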

For posterity, I ended up swapping out the gcp-workload-identity-federation-webhook tool for this one: https://github.com/matheuscscp/gke-metadata-server

The latter works in a similar way to the native GKE metadata server, and was better supported for apps we were deploying to our clusters.

mattaerial, Apr 11 '24 21:04