Status: Open. y4h2 opened this issue 1 year ago.
terraform module terraform-google-workload-identity : Bind IAM Service Account with Kubernetes Service Account
nodeSelector:
  iam.gke.io/gke-metadata-server-enabled: "true"
To test workload identity in GKE, deploy the following pod (saved as wi-test.yaml):

apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-test
  namespace: NAMESPACE
spec:
  containers:
  - image: google/cloud-sdk:slim
    name: workload-identity-test
    command: ["sleep", "infinity"]
  serviceAccountName: KSA_NAME
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
Create the pod:

  kubectl apply -f wi-test.yaml
Open an interactive session in the pod:

  kubectl exec -it workload-identity-test \
    --namespace NAMESPACE \
    -- /bin/bash
Inside the pod, query the GKE metadata server for the IAM service account email the pod is running as (it should be the bound GSA, not the node's service account):

  curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
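As an added example (not part of the issue or the terraform-google-workload-identity module), a small shell script that wraps the check above: it builds the IAM member string the GSA must grant roles/iam.workloadIdentityUser to, runs the same metadata query inside the test pod, and flags the case where the pod received a node default account instead of the bound GSA. It assumes the operator sets PROJECT_ID, NAMESPACE, KSA_NAME and GSA_EMAIL, sets WI_CHECK=1 to run the live check, and has applied the manifest above; the node-account heuristic assumes the default Compute Engine naming.

```shell
#!/bin/sh
# Added example: verify that a Workload Identity test pod obtains the bound GSA,
# not the node's default service account. Names in the environment are assumptions.
set -eu

# The member that must hold roles/iam.workloadIdentityUser on the GSA.
wi_member() {
  # $1=project id, $2=namespace, $3=KSA name
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Classify the email returned by the metadata server inside the pod:
#   ok         -> the expected GSA (binding works)
#   node-sa    -> a default Compute Engine account (metadata server was bypassed;
#                 the pod is borrowing the node identity, which is the failure to catch)
#   unexpected -> anything else (wrong annotation, wrong KSA, stale binding...)
classify_wi_email() {
  # $1=email returned by the metadata server, $2=expected GSA email
  case "$1" in
    "$2") echo ok ;;
    *-compute@developer.gserviceaccount.com) echo node-sa ;;
    *) echo unexpected ;;
  esac
}

# Run the same query the issue uses, from outside the pod, and classify the answer.
check_pod_identity() {
  # $1=namespace, $2=pod name, $3=expected GSA email
  actual=$(kubectl exec "$2" --namespace "$1" -- \
    curl -s -H "Metadata-Flavor: Google" \
    http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email)
  classify_wi_email "$actual" "$3"
}

# Live check only when explicitly requested, so the helpers can be sourced safely.
if [ "${WI_CHECK:-}" = "1" ]; then
  echo "Required IAM member: $(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME")"
  result=$(check_pod_identity "$NAMESPACE" workload-identity-test "$GSA_EMAIL")
  echo "Pod identity check: $result"
  [ "$result" = ok ]
fi
```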
Main use case: let pods access GCP services without distributing a service account key.

Bind the IAM service account to the Kubernetes service account.