Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Workload Identity for provider-gcp when running on GKE #173

Closed
hasheddan opened this issue Feb 15, 2020 · 2 comments · Fixed by #414
Closed

Enable Workload Identity for provider-gcp when running on GKE #173

hasheddan opened this issue Feb 15, 2020 · 2 comments · Fixed by #414
Assignees
@hasheddan
Labels
enhancement New feature or request

Comments

@hasheddan
Copy link
Member

hasheddan commented Feb 15, 2020
edited by turkenh
Loading

What problem are you facing?

Currently, credentials for provider-gcp to authenticate to the GCP API are manually provided as a Kubernetes Secret. While this is a viable short-term solution, this post from GCP describes the shortcomings of this technique:

As an application developer, you could generate individual IAM service accounts for each application, and then download and store the keys as a Kubernetes secret that you manually rotate. Not only is this process burdensome, but service account keys only expire every 10 years (or until you manually rotate them). In the case of a breach or compromise, an unaccounted-for key could mean prolonged access for an attacker. This potential blind spot, plus the management overhead of key inventory and rotation, makes using service account keys as secrets a less than ideal method for authenticating GKE workloads.

How could Crossplane help solve your problem?

A more secure method of authentication would be through enabling Workload Identity. While this does enable some manual setup for the time-being, users who are already using the functionality can easily adopt it by annotating the the stack-gcp ServiceAccount with the appropriate Google service account tag (work is being done to make this a more streamlined process here). To enable this within stack-gcp, the Provider should be updated with a useServiceAccount field that can instruct the controllers to authenticate via credentials present in the Pod rather than looking for a Secret.

This is similar to the recent work on stack-aws: crossplane-contrib/provider-aws#126
@hasheddan hasheddan added the enhancement New feature or request label Feb 15, 2020
@hasheddan hasheddan self-assigned this Feb 15, 2020
@hasheddan
Copy link
Member Author

Related: crossplane/crossplane#1098

@lewismarshall lewismarshall mentioned this issue Mar 30, 2021
Open
@turkenh turkenh changed the title Enable Workload Identity for stack-gcp when running on GKE Enable Workload Identity for provider-gcp when running on GKE Sep 27, 2021
@nlamirault
Copy link

nlamirault commented Oct 1, 2021
edited
Loading

Any news on this feature @turkenh ? It could be nice to configure like that :

---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: crossplane-gcp
  annotations:
    iam.gke.io/gcp-service-account: crossplane@crossplane-test-gcp.iam.gserviceaccount.com
spec:
  podSecurityContext:
    fsGroup: 2000

This was referenced Nov 4, 2021
Closed
Closed
@github-actions github-actions bot mentioned this issue Dec 13, 2021
Closed
@micnncim micnncim mentioned this issue Feb 6, 2022
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hasheddan hasheddan

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support Workload Identity micnncim/provider-gcp
2 participants
@nlamirault @hasheddan