authentication.md

File metadata and controls

125 lines (90 loc) · 3.73 KB

Configure access to Cloud Storage buckets using GKE Workload Identity

Configure access

See the GKE documentation: Access Cloud Storage buckets with the Cloud Storage FUSE CSI driver

Validate the service account setup (optional)

  • Make sure the Workload Identity feature is enabled on your cluster:

    gcloud container clusters describe ${CLUSTER_NAME} | grep workloadPool

    The output should be like:

    workloadPool: ${PROJECT_ID}.svc.id.goog

    If not, enable Workload Identity on the cluster.

  • Make sure the DaemonSet gke-metadata-server is running on your node pool:

    kubectl get daemonset gke-metadata-server -n kube-system

    The output should be like:

    NAME                  DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                                                             AGE
    gke-metadata-server   3         3         3       3            3           beta.kubernetes.io/os=linux,iam.gke.io/gke-metadata-server-enabled=true   17d

    If not, enable the GKE metadata server on your node pool.

  • Check whether the GCP Service Account was created:

    gcloud iam service-accounts describe ${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com

    The output should be like:

    email: ${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com
    name: projects/${GSA_PROJECT}/serviceAccounts/${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com
    projectId: ${GSA_PROJECT}
    ...
    
  • Check whether the GCP Service Account has the correct IAM policy binding:

    gcloud iam service-accounts get-iam-policy ${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com
    

    The output should be like:

    bindings:
    - members:
      - serviceAccount:${PROJECT_ID}.svc.id.goog[${NAMESPACE}/${KSA_NAME}]
      role: roles/iam.workloadIdentityUser
    ...

  • Check whether the Cloud Storage bucket has the correct IAM policy binding:

    gcloud storage buckets get-iam-policy gs://${BUCKET_NAME}
    

    The output should be like:

    bindings:
    - members:
      - serviceAccount:${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com
      role: roles/storage.objectViewer

    OR

    bindings:
    - members:
      - serviceAccount:${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com
      role: roles/storage.objectAdmin
    ...

  • Check whether the Kubernetes Service Account was configured correctly:

    kubectl get serviceaccount ${KSA_NAME} --namespace ${NAMESPACE} -o yaml
    

    The output should be like:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      annotations:
        iam.gke.io/gcp-service-account: ${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com
      name: ${KSA_NAME}
      namespace: ${NAMESPACE}
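The checks above, turned into one script as an added example (not part of the driver's documentation): it cross-checks captured output of the five commands so that the cluster's workload pool, the KSA annotation, the workloadIdentityUser member and the bucket binding all name the same identities, and it points out when the bucket grants objectAdmin where a read-only mount needs only objectViewer. The project, namespace, account names and command outputs below are constructed placeholders; in practice, paste in the real gcloud and kubectl output.

```shell
# Added example, not part of the driver's docs: cross-check captured output of the
# validation commands above so the KSA -> GSA -> bucket chain is consistent. All
# names and command outputs below are CONSTRUCTED placeholders.
PROJECT_ID="example-project"; NAMESPACE="default"; KSA_NAME="gcsfuse-ksa"
GSA_EMAIL="gcsfuse-gsa@${PROJECT_ID}.iam.gserviceaccount.com"
WI_MEMBER="serviceAccount:${PROJECT_ID}.svc.id.goog[${NAMESPACE}/${KSA_NAME}]"
CLUSTER_OUT="  workloadPool: ${PROJECT_ID}.svc.id.goog"     # from clusters describe
KSA_OUT="metadata:
  annotations:
    iam.gke.io/gcp-service-account: ${GSA_EMAIL}
  name: ${KSA_NAME}
  namespace: ${NAMESPACE}"
GSA_POLICY_OUT="bindings:
- members:
  - ${WI_MEMBER}
  role: roles/iam.workloadIdentityUser"
BUCKET_POLICY_OUT="bindings:
- members:
  - serviceAccount:${GSA_EMAIL}
  role: roles/storage.objectAdmin"
# Print every role a get-iam-policy document grants to MEMBER ($2); exact string
# match, so the member must be the precise <pool>[<namespace>/<KSA>] value.
policy_roles_for() {
  printf '%s\n' "$1" | awk -v member="$2" '
    function flush() { if (hit && r != "") print r; r = ""; hit = 0 }
    /^- / { flush() }             # each top-level list item is one binding
    { sub(/^[ \t-]+/, "") }       # strip indentation and list dashes
    $1 == "role:" { r = $2 }
    $1 == member  { hit = 1 }
    END { flush() }'
}
check_workload_pool() {   # the pool must be <project>.svc.id.goog
  printf '%s\n' "$1" | awk -v want="${PROJECT_ID}.svc.id.goog" \
    '$1 == "workloadPool:" && $2 == want { ok = 1 } END { exit !ok }'
}
check_ksa_annotation() {  # the KSA annotation must name exactly this GSA
  printf '%s\n' "$1" | awk -v want="$GSA_EMAIL" \
    '$1 == "iam.gke.io/gcp-service-account:" && $2 == want { ok = 1 } END { exit !ok }'
}
# The GSA must grant workloadIdentityUser to this exact namespace/KSA pair.
check_wi_binding() { policy_roles_for "$1" "$WI_MEMBER" | grep -qx 'roles/iam.workloadIdentityUser'; }
# Storage role the bucket grants the GSA (empty if none).
bucket_role() { policy_roles_for "$1" "serviceAccount:${GSA_EMAIL}" | grep 'roles/storage\.' | head -n 1; }
check_workload_pool "$CLUSTER_OUT" && echo "ok: workloadPool"
check_ksa_annotation "$KSA_OUT" && echo "ok: KSA annotation"
check_wi_binding "$GSA_POLICY_OUT" && echo "ok: workloadIdentityUser binding"
case "$(bucket_role "$BUCKET_POLICY_OUT")" in
  roles/storage.objectViewer) echo "ok: bucket grants read-only access" ;;
  roles/storage.objectAdmin)  echo "ok: objectAdmin granted; objectViewer is enough for read-only mounts" ;;
  *) echo "FAIL: bucket grants no storage role to ${GSA_EMAIL}" ;;
esac
```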