wwwil commented 5 years ago

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

tisc0 commented 4 years ago

Hi, Actually, Terraform propose already :

to switch on "workload identity" for cluster

workload_identity_config {
identity_namespace = "${var.google_project}.svc.id.goog"

to switch on "workload identity" for node pool https://www.terraform.io/docs/providers/google/r/container_cluster.html#workload_identity_config
```
workload_metadata_config {
  node_metadata = "GKE_METADATA_SERVER"
```
What's missing is bilateral binding between Kube's Service Accounts and GCP IAM Service Accounts.
```
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:[PROJECT_ID].svc.id.goog[default/default]" \
[GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
```
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

Do you think your module covers this scope ?

Thanks

ahmed1smael commented 4 years ago

is there an update here? does anybody know how to bind GSA to KSA with terraform?

nikhilbalekundargi commented 4 years ago

For binding we can use google_service_account_iam_binding resource and for annotation there is no terraform resource. I have used null resource.

Binding google service account and K8s service account

resource "google_service_account_iam_binding" "gsa_ksa_binding" {
  service_account_id = "projects/${var.project}/serviceAccounts/${var.gke_sa_email}" 
  role               = "roles/iam.workloadIdentityUser"

  members = [
    "serviceAccount:${var.project}.svc.id.goog[flux/flux]",
    "serviceAccount:${var.project}.svc.id.goog[flux/default]",
  ]
}

annotating k8s service account

resource "null_resource" "annotate_ksa" {
  triggers = {
    cluster_ep = "${google_container_cluster.gke_cluster.endpoint}"  #kubernetes cluster endpoint
  }

  provisioner "local-exec" {
    command = <<EOT
        gcloud container clusters get-credentials $${K8S_CLUSTER} --zone $${K8S_ZONE} --project $${K8S_PROJECT}
        kubectl annotate serviceaccount --namespace flux flux iam.gke.io/gcp-service-account=$${GCP_SA_EMAIL}
        kubectl annotate serviceaccount --namespace flux default iam.gke.io/gcp-service-account=$${GCP_SA_EMAIL}
    EOT

    environment = {
     GCP_SA_EMAIL    = "${var.gke_sa_email}"
     K8S_CLUSTER    = "${google_container_cluster.gke_cluster.name}"
     K8S_ZONE       = "${var.location}"
     K8S_PROJECT    = "${var.project}"
    }
  }  
  depends_on = ["google_service_account_iam_binding.gsa_ksa_binding"]
}

var.project=project id

var.gke_sa_email= Google service account email.

repo-lockdown[bot] commented 4 years ago

This project is now deprecated so we aren't accepting any further changes.

jetstack / terraform-google-gke-cluster

Enable workload identity #38

Binding google service account and K8s service account

annotating k8s service account

var.project=project id

var.gke_sa_email= Google service account email.