gke - how to create a federated service account for your cluster - using gke to access gcp resources

First we need to go to Service Accounts in the Google Cloud console and create a service account called gke-ai-sa. In this blog we only cover GKE Autopilot and assume that your cluster already has Workload Identity (WIP) enabled.

Then we provide a name; let's call it gke-ai-sa.




Click "Create and continue". Then we set up some roles.

Click "Done".

Next, we go to our cluster and create a namespace

kubectl create namespace gke-ai-namespace

and then create a service account 

kubectl create serviceaccount gpu-k8s-sa --namespace=gke-ai-namespace

And finally the federation step: allow the Kubernetes service account to act as the Google service account

gcloud iam service-accounts add-iam-policy-binding gke-ai-sa@PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[gke-ai-namespace/gpu-k8s-sa]"

And annotate the Kubernetes service account so GKE knows which Google service account it maps to

kubectl annotate serviceaccount gpu-k8s-sa --namespace gke-ai-namespace iam.gke.io/gcp-service-account=gke-ai-sa@PROJECT_ID.iam.gserviceaccount.com


Then we grant the Google service account the permission our workload actually needs; here, read access to buckets:

gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:gke-ai-sa@PROJECT_ID.iam.gserviceaccount.com" --role="roles/storage.bucketViewer"

You can find more roles here: https://cloud.google.com/storage/docs/access-control/iam-roles
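A quick consistency check for the two halves of the federation above (the roles/iam.workloadIdentityUser binding on gke-ai-sa and the iam.gke.io/gcp-service-account annotation on gpu-k8s-sa), written as an added example for this post rather than anything from Google's tooling. It reads the JSON that `gcloud iam service-accounts get-iam-policy ... --format=json` and `kubectl get serviceaccount ... -o json` would produce; the two samples below are constructed, and the project id my-project is a placeholder.

```python
import json

# Constructed sample output of
#   gcloud iam service-accounts get-iam-policy gke-ai-sa@my-project.iam.gserviceaccount.com --format=json
# It deliberately contains a second workloadIdentityUser member that the post never granted.
SAMPLE_GSA_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["serviceAccount:my-project.svc.id.goog[gke-ai-namespace/gpu-k8s-sa]",
                     "serviceAccount:my-project.svc.id.goog[default/default]"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:you@example.com"]},
    ]
})

# Constructed sample output of
#   kubectl get serviceaccount gpu-k8s-sa -n gke-ai-namespace -o json
SAMPLE_KSA = json.dumps({"metadata": {
    "name": "gpu-k8s-sa", "namespace": "gke-ai-namespace",
    "annotations": {"iam.gke.io/gcp-service-account":
                    "gke-ai-sa@my-project.iam.gserviceaccount.com"}}})


def check_federation(project_id, gsa_email, ksa_json, policy_json):
    """The KSA annotation must name the GSA, and the GSA policy must grant
    roles/iam.workloadIdentityUser to exactly the member
    serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
    Returns (ok, findings); findings is empty when everything matches."""
    ksa = json.loads(ksa_json)
    policy = json.loads(policy_json)
    meta = ksa["metadata"]
    expected = f"serviceAccount:{project_id}.svc.id.goog[{meta['namespace']}/{meta['name']}]"
    findings = []
    annotated = meta.get("annotations", {}).get("iam.gke.io/gcp-service-account")
    if annotated != gsa_email:
        findings.append(f"KSA annotation is {annotated!r}, expected {gsa_email!r}")
    wi_members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == "roles/iam.workloadIdentityUser":
            wi_members.update(binding.get("members", []))
    if expected not in wi_members:
        findings.append(f"missing workloadIdentityUser binding for {expected}")
    # Any other member with this role can also run as the GSA; that usually means a
    # typo in the namespace/KSA name or a leftover binding from an earlier attempt.
    for member in sorted(wi_members - {expected}):
        findings.append(f"unexpected workloadIdentityUser member: {member}")
    return not findings, findings


if __name__ == "__main__":
    print(check_federation("my-project", "gke-ai-sa@my-project.iam.gserviceaccount.com",
                           SAMPLE_KSA, SAMPLE_GSA_POLICY))
```

A namespace or service account name that differs between the `add-iam-policy-binding` and `annotate` commands shows up here as a "missing" finding plus an "unexpected" one, which is the usual reason a pod silently ends up without the expected identity.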

We can test this out by impersonating the service account. First we grant our own user account the Service Account Token Creator role on gke-ai-sa, which is what allows us to impersonate it:

gcloud iam service-accounts add-iam-policy-binding \
  projects/PROJECT_ID/serviceAccounts/gke-ai-sa@PROJECT_ID.iam.gserviceaccount.com \
  --member="user:you@example.com" \
  --role="roles/iam.serviceAccountTokenCreator"

And to see whether the service account can list buckets, we run the following command while impersonating it:

gcloud storage buckets list --impersonate-service-account=gke-ai-sa@PROJECT_ID.iam.gserviceaccount.com


Next, we will create a pod in our namespace that runs as the Kubernetes service account we federated above:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: gke-ai-namespace
spec:
  serviceAccountName: gpu-k8s-sa
  containers:
  - name: test-pod
    image: google/cloud-sdk:slim
    command: ["sleep","infinity"]
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
        ephemeral-storage: 10Mi

Once the pod is up and running, we can open a shell in it:

kubectl exec -it pods/test-pod --namespace=gke-ai-namespace -- /bin/bash

Inside the pod we can use curl to confirm that the service account has been successfully federated. gcloud in the pod gets its token from the GKE metadata server as gke-ai-sa, so if the federation worked this lists the objects in BUCKET:

curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://storage.googleapis.com/storage/v1/b/BUCKET/o"


Additional references

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
