workload-identity.md

File metadata and controls

107 lines (84 loc) · 3.91 KB

Workload Identity on Google Kubernetes Engine

If you use Google Kubernetes Engine (GKE), you can authenticate to Container Registry and Artifact Registry using Workload Identity.

The following steps assume that the Google service account is in the same project as the Container Registry and Artifact Registry image repositories.

  1. Enable the GKE and Artifact Registry APIs:

    gcloud services enable \
        container.googleapis.com \
        artifactregistry.googleapis.com

    Note that enabling the GKE API also enables the Container Registry API.

  2. Create a GKE cluster with Workload Identity, and assign the cloud-platform access scope to the nodes:

    PROJECT_ID=$(gcloud config get core/project)
    ZONE=us-central1-f
    
    gcloud container clusters create digester-webhook-test \
        --enable-ip-alias \
        --release-channel regular \
        --scopes cloud-platform \
        --workload-pool $PROJECT_ID.svc.id.goog \
        --zone $ZONE

  3. Create a Google service account:

    GSA_NAME=digester-webhook
    GSA=$GSA_NAME@$PROJECT_ID.iam.gserviceaccount.com
    
    gcloud iam service-accounts create $GSA_NAME \
        --display-name "Digester webhook service account"

    The digester webhook Kubernetes service account impersonates this Google service account to authenticate to Container Registry and Artifact Registry.

  4. Grant the Container Registry Service Agent role to the Google service account at the project level:

    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member "serviceAccount:$GSA" \
        --role roles/containerregistry.ServiceAgent

  5. Grant the Artifact Registry Reader role to the Google service account at the project level:

    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member "serviceAccount:$GSA" \
        --role roles/artifactregistry.reader

  6. Grant the Workload Identity User role to the digester-admin Kubernetes service account in the digester-system namespace on the Google service account:

    gcloud iam service-accounts add-iam-policy-binding "$GSA" \
        --member "serviceAccount:$PROJECT_ID.svc.id.goog[digester-system/digester-admin]" \
        --role roles/iam.workloadIdentityUser

  7. Add the Workload Identity annotation to the digester webhook Kubernetes service account:

    kubectl annotate serviceaccount digester-admin --namespace digester-system \
        "iam.gke.io/gcp-service-account=$GSA"

    This annotation informs GKE that the Kubernetes service account digester-admin in the namespace digester-system can impersonate the Google service account $GSA.
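Steps 6 and 7 together establish a two-way trust: the annotation on the Kubernetes service account must name the Google service account, and that Google service account's IAM policy must grant roles/iam.workloadIdentityUser to exactly that namespace/name. The following script is an added example, not part of the digester project, that checks both directions and flags any additional Kubernetes service accounts allowed to impersonate the same Google service account; it runs on constructed sample JSON shaped like the output of `gcloud iam service-accounts get-iam-policy --format json` and `kubectl get serviceaccount -o json`, and the project id `example-project` is a placeholder.

```python
import json
import re

# Constructed sample of `gcloud iam service-accounts get-iam-policy $GSA --format json` after
# step 6; the second member is a deliberately over-broad binding the check should flag.
GSA_POLICY = json.loads("""{"bindings": [{"role": "roles/iam.workloadIdentityUser",
  "members": ["serviceAccount:example-project.svc.id.goog[digester-system/digester-admin]",
              "serviceAccount:example-project.svc.id.goog[default/default]"]}]}""")

# Constructed sample of `kubectl get serviceaccount digester-admin -n digester-system -o json`.
KSA = json.loads("""{"metadata": {"name": "digester-admin", "namespace": "digester-system",
  "annotations": {"iam.gke.io/gcp-service-account":
                  "digester-webhook@example-project.iam.gserviceaccount.com"}}}""")

# Workload Identity member format: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA_NAME]
MEMBER_RE = re.compile(r"^serviceAccount:(?P<pool>[^\[]+)\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$")


def wi_members(policy):
    """Return {(pool, namespace, ksa)} granted roles/iam.workloadIdentityUser on the GSA."""
    pairs = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/iam.workloadIdentityUser":
            continue
        for member in binding.get("members", []):
            m = MEMBER_RE.match(member)
            if m:
                pairs.add((m["pool"], m["ns"], m["ksa"]))
    return pairs


def check_binding(ksa, gsa, policy, project_id):
    """Return findings for the KSA<->GSA pairing; an empty list means consistent and minimal."""
    findings = []
    meta = ksa["metadata"]
    annotated = meta.get("annotations", {}).get("iam.gke.io/gcp-service-account")
    if annotated != gsa:  # step 7 missing or pointing at another GSA
        findings.append(f"annotation points at {annotated!r}, expected {gsa!r}")
    allowed = wi_members(policy)
    expected = (f"{project_id}.svc.id.goog", meta["namespace"], meta["name"])
    if expected not in allowed:  # step 6 missing: pods will fail to obtain GSA credentials
        findings.append("GSA does not grant roles/iam.workloadIdentityUser to this KSA")
    for pool, ns, name in sorted(allowed - {expected}):  # other KSAs that can impersonate
        findings.append(f"GSA is also impersonable by {ns}/{name} in {pool}; remove unless intended")
    return findings


if __name__ == "__main__":
    gsa = "digester-webhook@example-project.iam.gserviceaccount.com"
    for finding in check_binding(KSA, gsa, GSA_POLICY, "example-project"):
        print("FINDING:", finding)
```

To run it against a real cluster, replace the two constructed samples with the saved output of the corresponding gcloud and kubectl commands.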

Workload Identity works with both online and offline authentication.

If you use Workload Identity to authenticate to Container Registry or Artifact Registry, and you do not rely on imagePullSecrets to authenticate to other container image registries, you can enable offline authentication on the digester webhook without providing a Docker config file. See authentication.md for details.