loading...

Enabling GKE Workload Identity

pradeepbhadani profile image Pradeep Bhadani Updated on ・4 min read

Originally published at pbhadani.com


In this blog, I will talk about the GKE Workload Identity feature and why to use this feature.

Alt Text

Photo by chuttersnap on Unsplash

What's the Problem?

An application running on GKE must authenticate to use Google Services such as Google Cloud Storage (GCS), Cloud SQL, BigQuery, etc.
Authentication can be done by providing a service account key JSON file to an application using Kubernetes Secret space or a different method such as Vault.
But in these approaches, service account key JSON (which has 10years of a lifetime) must be stored in plain text within the pod or base64 encoded in Kubernetes secret space.
Also, the key rotation process must be in a place that is not a fun process.

We can avoid using the service account key by attaching a service account to Kubernetes Node but then all the pods running on the Node gets the same permission which is not an ideal thing to do.

Goal?

We want to assign a service account to a Pod so we can isolate permissions for different pods.

Hurray, we have Workload Identity feature available in beta which solves this problem on GKE.

So, What is Workload Identity?

As per Google documentation, "Workload Identity is the recommended way to access Google Cloud services from within GKE due to its improved security properties and manageability."

GKE Workload identity allows us to attach the service account to the Kubernetes pod and remove the hassle to manage the service account credentials JSON file within the pod or cluster.

Let's use Workload Identity in a GKE cluster

Prerequisites

  1. If you have not setup gcloud on your workstation, then refer my previous blog to get it up and running quickly.

    Alternatively, you can use Google Cloud Shell to run the commands.

  2. Make sure you are a Project Editor or Project Owner or have enough permissions to run the below commands.

Setup a GKE Cluster

Follow the below step to create a new GKE Cluster and enable Workload Identity.

Step 1: Enable the Cloud IAM API.

Step 2: Set GCP defaults.

  • Set GCP Project
  export GCP_PROJECT_ID=<YOUR_GCP_PROJECT_ID>

  gcloud config set project $GCP_PROJECT_ID
  • Set default region and zone
  gcloud config set compute/region europe-west1

  gcloud config set compute/zone europe-west1-b

Step 3: Make sure you have kubectl command installed.

   gcloud components install kubectl

Run following to verify

   kubectl help

Step 4: Update gcloud commands.

   gcloud components update

Step 5: Create a new Google Service Account (GSA).

  gcloud iam service-accounts create workload-identity-test

Notes:
You can use the existing service account.
Permission Required: iam.serviceAccounts.create on the GCP Project.

Step 6:Add permissions to the Google Service Account required by an application. For example, roles/storage.objectViewer

  gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member serviceAccount:workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/storage.objectViewer

Step 7:Setup a GKE cluster with Workload Identity enabled.

  export GKE_CLUSTER_NAME=gke-wi
  gcloud beta container clusters create $GKE_CLUSTER_NAME \
  --cluster-version=1.13 \
  --identity-namespace=$GCP_PROJECT_ID.svc.id.goog

Notes:
GKE Cluster could take 5-10mins to become fully functional.
Permission required: container.clusters.create on the GCP Project.

Step 8:Configure kubectl command on your terminal.

  gcloud container clusters get-credentials $GKE_CLUSTER_NAME

Notes:
This will populate ~/.kube/config file.
Permission Required: container.clusters.get on the GCP Project.

Step 9: (Optional) Create a Kubernetes namespace if you don't want to use default namespace.

  kubectl create namespace newspace

Step 10: Create Kubernetes Service Account (KSA).

  kubectl create serviceaccount \
 --namespace newspace \
 workload-identity-test-ksa

Step 11: Bind the Google Service Account (GSA) and Kubernetes Service Account (KSA), so that KSA can use the permissions granted to GSA.

  gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[newspace/workload-identity-test-ksa]" \
  workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Step 12: Add annotation

  kubectl annotate serviceaccount \
  --namespace newspace \
  workload-identity-test-ksa \
  iam.gke.io/gcp-service-account=workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Step 13: Create a Pod with the KSA created to verify.

  kubectl run --rm -it \
  --generator=run-pod/v1 \
  --image google/cloud-sdk:slim \
  --serviceaccount workload-identity-test-ksa \
  --namespace newspace \
  test-pod

Running above command will login to Pod and provides its bash shell.
Now run below command to see which service account this pod is configured with.

  gcloud auth list

This should print the GSA name.

                           Credentialed Accounts
    ACTIVE  ACCOUNT
    *       workload-identity-test@workshop-demo-namwcb.iam.gserviceaccount.com

Cleanup

Don't forget to cleanup the resources, once you no longer need it.

Run the following commands:

Step 1: Delete the GKE cluster.

  gcloud container clusters delete $GKE_CLUSTER_NAME

Step 2: Delete the Google Service Account (GSA).

  gcloud iam service-accounts delete workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com



Below is the terminal recording:

Hope this blog helps you get familiar with Workload Identity and securely deploy apps on GKE.

Posted on Dec 21 '19 by:

pradeepbhadani profile

Pradeep Bhadani

@pradeepbhadani

Working in Big Data, AWS, GCP, DevOps technologies.

Discussion

markdown guide