Closed wwwil closed 4 years ago
Hi, actually Terraform already offers this:

to switch on "workload identity" for a cluster:

```hcl
workload_identity_config {
  identity_namespace = "${var.google_project}.svc.id.goog"
}
```

to switch on "workload identity" for a node pool (https://www.terraform.io/docs/providers/google/r/container_cluster.html#workload_identity_config):

```hcl
workload_metadata_config {
  node_metadata = "GKE_METADATA_SERVER"
}
```

What's missing is the bilateral binding between Kubernetes service accounts and GCP IAM service accounts:

```sh
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:[PROJECT_ID].svc.id.goog[default/default]" \
  [GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
```

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

Do you think your module covers this scope?

Thanks
Is there an update here? Does anybody know how to bind a GSA to a KSA with Terraform?
For the binding we can use the google_service_account_iam_binding resource, and for the annotation there is no Terraform resource. I have used a null resource.
```hcl
# Terraform 0.11-style syntax, as posted.
# GCP side: let the listed KSAs (namespace/name) impersonate the GSA.
resource "google_service_account_iam_binding" "gsa_ksa_binding" {
  service_account_id = "projects/${var.project}/serviceAccounts/${var.gke_sa_email}"
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:${var.project}.svc.id.goog[flux/flux]",
    "serviceAccount:${var.project}.svc.id.goog[flux/default]",
  ]
}

# Kubernetes side: annotate the KSAs with the GSA e-mail via kubectl.
resource "null_resource" "annotate_ksa" {
  triggers = {
    cluster_ep = "${google_container_cluster.gke_cluster.endpoint}" # kubernetes cluster endpoint
  }

  provisioner "local-exec" {
    # $${VAR} is the heredoc escape so the shell, not Terraform, expands the variable.
    command = <<EOT
gcloud container clusters get-credentials $${K8S_CLUSTER} --zone $${K8S_ZONE} --project $${K8S_PROJECT}
kubectl annotate serviceaccount --namespace flux flux iam.gke.io/gcp-service-account=$${GCP_SA_EMAIL}
kubectl annotate serviceaccount --namespace flux default iam.gke.io/gcp-service-account=$${GCP_SA_EMAIL}
EOT

    environment = {
      GCP_SA_EMAIL = "${var.gke_sa_email}"
      K8S_CLUSTER  = "${google_container_cluster.gke_cluster.name}"
      K8S_ZONE     = "${var.location}"
      K8S_PROJECT  = "${var.project}"
    }
  }

  # The annotation is only useful once the IAM binding exists.
  depends_on = ["google_service_account_iam_binding.gsa_ksa_binding"]
}
```
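The same two-sided binding can be done with Terraform resources only, so the KSA annotation is tracked in state rather than applied by a local-exec `kubectl`. This is an added example, not code from the thread or the module under discussion; it assumes Terraform 0.12+ syntax, configured `google` and `kubernetes` providers, hypothetical variable names, and a cluster and node pool that already have Workload Identity enabled as shown in the first post.

```hcl
# Added example: one KSA (namespace/name) bound to one GSA for Workload Identity.
# Assumed inputs; the defaults are constructed placeholders.
variable "project" {}                          # GCP project ID
variable "gsa_name" { default = "flux-gsa" }   # hypothetical GSA account id
variable "ksa_namespace" { default = "flux" }  # namespace of the Kubernetes SA
variable "ksa_name" { default = "flux" }       # name of the Kubernetes SA

# The Google service account the workload will impersonate.
resource "google_service_account" "workload" {
  project      = var.project
  account_id   = var.gsa_name
  display_name = "Workload Identity GSA for ${var.ksa_namespace}/${var.ksa_name}"
}

# GCP side: allow exactly this namespace/name pair to act as the GSA.
# *_iam_member is additive; the authoritative *_iam_binding used above
# would replace every other member holding this role on the GSA.
resource "google_service_account_iam_member" "ksa_to_gsa" {
  service_account_id = google_service_account.workload.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project}.svc.id.goog[${var.ksa_namespace}/${var.ksa_name}]"
}

# Kubernetes side: the annotation the GKE metadata server reads to decide
# which GSA to issue tokens for. Managed by the kubernetes provider, so it
# is created, drifted-checked and removed with the rest of the config.
resource "kubernetes_service_account" "workload" {
  metadata {
    name      = var.ksa_name
    namespace = var.ksa_namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.workload.email
    }
  }
  depends_on = [google_service_account_iam_member.ksa_to_gsa]
}

output "gsa_email" {
  value = google_service_account.workload.email
}
```

Keep the member scoped to a single `[namespace/ksa]` pair; a pod in any other namespace that reuses the KSA name gets no access, which is the least-privilege property the binding is meant to give.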
This project is now deprecated, so we aren't accepting any further changes.
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity