Posts

gke - good way to spin up a pod and test workload identity

First create a pod under the namespace that you would like to test. Here we are using the `test` namespace and the service account `sa`.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
spec:
  serviceAccountName: sa
  containers:
  - name: test-pod
    image: google/cloud-sdk:slim
    command: ["sleep", "infinity"]
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
        ephemeral-storage: 10Mi
```

Next, exec into the pod:

```
kubectl exec -it pods/test-pod --namespace=test -- /bin/bash
```

And then run the following command, which fetches an access token for the pod's identity and lists the objects in the bucket:

```
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://storage.googleapis.com/storage/v1/b/jerwotestbuckety/o"
```

gke setting up workload identity

Create your GKE cluster using Autopilot. It should have Workload Identity turned on. To determine whether your cluster has it enabled, run the following command:

```
gcloud container clusters describe CLUSTER_NAME --region REGION
```

It should output

Create the Kubernetes namespace and service account

First create the namespace and service account:

```
kubectl create namespace test
kubectl create serviceaccount sa --namespace test
```

Next, create a bucket using gcloud:

```
gcloud storage buckets create gs://BUCKET
```

Then grant the necessary permission:

```
gcloud storage buckets add-iam-policy-binding gs://BUCKET --role=roles/storage.objectViewer --member=principal://iam.googleapis.com/projects/project-number/locations/global/workloadIdentityPools/project-id.svc.id.goog/subject/ns/test/sa/sa --condition=None
```

You can see the permission being granted in your bucket. Then you can proceed to create the pod that will run under the workload identity:

apiVersion: v1 kind: Pod metadat...