Enabling GKE Workload Identity
In this article, I discuss the GKE Workload Identity feature and how it improves security.
In this blog, I will talk about the GKE Workload Identity feature and why you should use it.
What’s the Problem?
An application running on GKE must authenticate to use Google services such as Google Cloud Storage (GCS), Cloud SQL, BigQuery, etc. Authentication can be done by providing a service account key JSON file to the application, either through a Kubernetes Secret or through another mechanism such as Vault.
But in these approaches, the service account key JSON (which has a 10-year lifetime) must be stored in plain text within the pod or base64-encoded in a Kubernetes Secret. A key rotation process must also be in place, and that is not a fun process.
We can avoid using a service account key by attaching a service account to the Kubernetes node, but then every pod running on that node gets the same permissions, which is not an ideal thing to do.
We want to assign a service account to a Pod so that we can isolate the permissions of different pods.
Hurray, we have the Workload Identity feature available in beta, which solves this problem on GKE.
So, What is Workload Identity?
As per the Google documentation, “Workload Identity is the recommended way to access Google Cloud services from within GKE due to its improved security properties and manageability.”
GKE Workload Identity allows us to attach a service account to a Kubernetes pod and removes the hassle of managing the service account credentials JSON file within the pod or cluster.
Workload Identity in a GKE Cluster
Make sure you are a Project Editor or Project Owner, or otherwise have enough permissions to run the commands below.
Set Up a GKE Cluster
Follow the steps below to create a new GKE cluster and enable Workload Identity.
Enable the Cloud IAM API.
Set GCP defaults:
Set the GCP project.
Set the default region and zone.
Make sure your gcloud CLI is up to date. Run the following to verify:
gcloud components update
Create a new Google Service Account (GSA).
Notes: You can use an existing service account. Creating one requires the iam.serviceAccounts.create permission on the GCP project.
Add the permissions required by your application to the Google Service Account. For example,
Set up a GKE cluster with Workload Identity enabled.
Notes: The GKE cluster can take 5-10 minutes to become fully functional. This requires the container.clusters.create permission on the GCP project.
Configure the kubectl command on your terminal for the new cluster.
Notes: This will populate your kubeconfig. This requires the container.clusters.get permission on the GCP project.
(Optional) Create a Kubernetes namespace if you don't want to use the default namespace:
kubectl create namespace newspace
Create a Kubernetes Service Account (KSA).
Bind the Google Service Account (GSA) and the Kubernetes Service Account (KSA), so that the KSA can use the permissions granted to the GSA.
Create a Pod with the KSA you created, to verify.
Running the above command logs you in to the Pod and gives you its bash shell. Now run the command below to see which service account this pod is configured with.
This should print the GSA name:
Credentialed Accounts
ACTIVE  ACCOUNT
*       email@example.com
Don’t forget to clean up the resources once you no longer need them.
Run the following commands:
Delete the GKE cluster.
gcloud container clusters delete $GKE_CLUSTER_NAME
Delete the Google Service Account (GSA).
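The whole procedure above, from enabling the API to the cleanup, as one added example script. This is not the article's own command listing: the project id my-gcp-project, zone, cluster name wi-demo, GSA name wi-demo-gsa and KSA name wi-demo-ksa are assumptions chosen for illustration (the namespace newspace is the one the article uses), and the script uses the current --workload-pool flag for enabling Workload Identity rather than the beta-era flag the article was written against. With DRY_RUN=1 (the default) every gcloud and kubectl command is printed instead of executed, so the flow can be reviewed offline; DRY_RUN=0 runs it against the configured project.

```shell
#!/bin/sh
# Added example, not the article's own commands: the Workload Identity setup
# above as one script. All names below are assumptions for illustration; the
# namespace "newspace" is the one the article uses. DRY_RUN=1 (the default)
# prints each gcloud/kubectl command instead of running it; DRY_RUN=0 executes.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"          # assumed project id
ZONE="${ZONE:-us-central1-a}"                       # assumed zone
GKE_CLUSTER_NAME="${GKE_CLUSTER_NAME:-wi-demo}"     # assumed cluster name
GSA_NAME="${GSA_NAME:-wi-demo-gsa}"                 # assumed GSA name
GSA_EMAIL="${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
K8S_NAMESPACE="${K8S_NAMESPACE:-newspace}"
KSA_NAME="${KSA_NAME:-wi-demo-ksa}"                 # assumed KSA name
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The Cloud IAM member that names a KSA through the cluster's workload pool:
# serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

set_defaults() {
  run gcloud services enable iam.googleapis.com container.googleapis.com
  run gcloud config set project "$PROJECT_ID"
  run gcloud config set compute/zone "$ZONE"
}

create_gsa() {
  run gcloud iam service-accounts create "$GSA_NAME" --display-name "Workload Identity demo"
  # Grant only what the application needs; objectViewer on GCS is a placeholder role.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${GSA_EMAIL}" --role roles/storage.objectViewer
}

create_cluster() {
  # --workload-pool is the current flag for enabling Workload Identity on a cluster.
  run gcloud container clusters create "$GKE_CLUSTER_NAME" \
    --workload-pool "${PROJECT_ID}.svc.id.goog"
  # Populates the local kubeconfig so kubectl talks to the new cluster.
  run gcloud container clusters get-credentials "$GKE_CLUSTER_NAME"
}

bind_ksa_to_gsa() {
  run kubectl create namespace "$K8S_NAMESPACE"
  run kubectl create serviceaccount "$KSA_NAME" --namespace "$K8S_NAMESPACE"
  # IAM side: only this KSA (in this namespace) may impersonate the GSA.
  run gcloud iam service-accounts add-iam-policy-binding "$GSA_EMAIL" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$K8S_NAMESPACE" "$KSA_NAME")"
  # Kubernetes side: the annotation tells GKE which GSA this KSA maps to.
  run kubectl annotate serviceaccount "$KSA_NAME" --namespace "$K8S_NAMESPACE" \
    "iam.gke.io/gcp-service-account=${GSA_EMAIL}"
}

verify_pod() {
  # A one-off pod running as the KSA; gcloud auth list should show the GSA e-mail
  # as the active account even though no key file exists anywhere in the pod.
  run kubectl run wi-test --rm -it --restart=Never --namespace "$K8S_NAMESPACE" \
    --image google/cloud-sdk:slim \
    --overrides "{\"apiVersion\":\"v1\",\"spec\":{\"serviceAccountName\":\"${KSA_NAME}\"}}" \
    --command -- gcloud auth list
}

cleanup() {
  run gcloud container clusters delete "$GKE_CLUSTER_NAME" --quiet
  run gcloud iam service-accounts delete "$GSA_EMAIL" --quiet
}

# Usage: DRY_RUN=0 sh wi-setup.sh apply   |   DRY_RUN=0 sh wi-setup.sh cleanup
case "${1:-}" in
  apply)   set_defaults; create_gsa; create_cluster; bind_ksa_to_gsa; verify_pod ;;
  cleanup) cleanup ;;
esac
```

The two bindings in bind_ksa_to_gsa are the whole mechanism: the roles/iam.workloadIdentityUser grant is scoped to exactly one namespace/KSA pair, so a pod in another namespace or under another KSA gets nothing, which is the per-pod isolation the article asks for and which a node-level service account cannot give.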
Published at DZone with permission of Pradeep Bhadani . See the original article here.